> third party -- your mailserver administrator

The "third party" you don't trust is your own sysadmin. That person already has 
access to the plain text messages right now. So does everyone tapping your 
connections. We suggest that you limit that risk to the sysadmin you already 
trust.

  > telling people that your product will keep their communications secure

Yes, we are. We suggest that GPG crypto is more secure than no crypto, and 
better when it works for everyone in the group.

Experts can still encrypt their own messages. That approach has had 20 years to 
work. Most people still don't encrypt mail at all.

Good encryption that is used is much better than encryption only used by an 
elite.

  > Made false claims that DSA is compromised

I said "was certainly compromised in the past". As you know, one source for DSA 
flaws is the current ssh-keygen man page:

    "DSA keys must be exactly 1024 bits as specified by FIPS 186-2."

You apparently feel there is some explanation for "exactly 1024 bits" other 
than the obvious one, that keys of that length are compromised. NIST changed 
this spec later, but always kept DSA.

If you want another source, NSA themselves consider DSA, specifically ECDSA, to 
be only Grade B security. With their usual misdirection, NSA calls it "Suite 
B". Red Hat explicitly says the NSA's Suite B is only good enough for "most" 
classified information. See 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.5_Release_Notes/bh-chap-security.html

  > Made false claims that NIST . . .

NIST has often changed specs as each compromise is discovered. Examples are 
DES, DSA, and Elliptic Curve. A very recent discussion is from "Keeping Secrets 
-- STANFORD magazine" 
(https://medium.com/stanford-select/keeping-secrets-84a7697bf89f):

  "The agency has a second tactic to prevent the spread of cryptographic 
techniques: keeping high-grade cryptography out of the national standards. To 
make it easier for different commercial computer systems to interoperate, the 
National Bureau of Standards (now called NIST) coordinates a semipublic process 
to design standard cryptographic algorithms. ... The NSA's influence over the 
standards process has been particularly effective at mitigating what it 
perceived as the risks of nongovernmental cryptography. By keeping certain 
cryptosystems out of the NBS/NIST standards, the NSA facilitated its mission of 
eavesdropping on communications traffic."

I suggest you are more careful about your accuracy before you make accusations 
of false claims, or use the nasty slur "snake oil".

GoodCrypto warning: Anyone could have read this message. Use encryption, it 
works.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to