Sorry, I didn't bother reading the first message, and I won't bother reading
any of the messages further in this thread either. Kong lacks critical
functionality, and is fatally insecure for a wide variety of uses, in short
it is beyond worthless, ranging into being a substantial risk to the
security of anyone/group that makes use of it.
----- Original Message -----
From: "James A. Donald" <[EMAIL PROTECTED]>
Subject: Clarification of challenge to Joseph Ashwood:
> Joseph Ashwood:
> > > So it's going to be broken by design. These are critical
> > > errors that will eliminate any semblance of security in
> > > your program.
>
> James A. Donald:
> > I challenge you to fool my canonicalization algorithm by
> > modifying a message so as to change the apparent meaning
> > while preserving the signature, or by producing a message
> > that verifies as signed by me, while in fact a meaningfully
> > different message to any that was genuinely signed by me.
That's easy, remember that you didn't limit the challenge to text files. It
should be a fairly simple matter to create a JPEG file with a number of 0xA0
and 0x20 bytes, by simply swapping the value of those bytes one can create a
file that will pass your verification, but will obviously be corrupt. Your
canonicalization is clearly and fatally flawed.
> Three quarters of the user hostility of other programs comes
> from their attempt to support "true" names, and the rest comes
> from the cleartext signature problem. Kong fixes both
> problems.
Actually Kong pretends the first problem doesn't exist, and "corrects" the
second one in such a way as to make it fatally broken.
> Joseph Ashwood must produce a message that is meaningfully
> different from any of the numerous messages that I have sent
> to cypherpunks, but which verifies as sent by the same person
> who sent past messages.
>
> Thus for Kong to be "broken" one must store a past message from
> that prolific poster supposedly called James Donald, in the Kong
> database, and bring up a new message hacked up by Joseph
> Ashwood, and have Kong display in the signature verification
> screen
To verify that I would of course have to download and install Kong,
something that I will never do, I don't install software I already know is
broken, and fails to address even the most basic of problems.
Joe
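
The 0xA0/0x20 objection in the reply above, worked through as an added example that is not part of the original message and is not Kong's code. It assumes a canonicalizer that folds 0xA0 into 0x20 before signing (Kong's actual algorithm is not shown on this page) and uses HMAC-SHA256 with a constructed key as a stand-in for the signature.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for a real signing key

# Constructed sample: JPEG-like start/end markers around bytes that include
# two 0xA0 and two 0x20 values. Not a real image.
BLOB = bytes.fromhex("ffd8ffe0 10a03320 7fa02055 ffd9")


def canonicalize_text(data: bytes) -> bytes:
    """Hypothetical canonicalizer (assumption): treat 0xA0 as 0x20."""
    return data.replace(b"\xa0", b"\x20")


def swap_a0_20(data: bytes) -> bytes:
    """Exchange every 0xA0 with 0x20 and vice versa, as the reply describes."""
    return data.translate(bytes.maketrans(b"\xa0\x20", b"\x20\xa0"))


def tag(data: bytes, canonical: bool) -> bytes:
    """Sign either the canonical form (text mode) or the exact bytes."""
    msg = canonicalize_text(data) if canonical else data
    # The mode is bound into the tag so a text-mode tag can never be
    # replayed as a tag over exact bytes.
    mode = b"text\x00" if canonical else b"binary\x00"
    return hmac.new(KEY, mode + msg, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes, canonical: bool) -> bool:
    return hmac.compare_digest(tag(data, canonical), sig)


def equivalent_variants(data: bytes) -> int:
    """How many distinct byte strings share this input's canonical form."""
    return 2 ** (data.count(b"\xa0") + data.count(b"\x20"))


if __name__ == "__main__":
    altered = swap_a0_20(BLOB)
    print("bytes differ:            ", altered != BLOB)
    print("canonical tag accepts it:", verify(altered, tag(BLOB, True), True))
    print("exact-byte tag accepts it:", verify(altered, tag(BLOB, False), False))
    print("inputs sharing one tag:  ", equivalent_variants(BLOB))
```

A verifier that wants text canonicalization can keep it for inputs it knows are text and sign exact bytes for everything else; the mode prefix keeps the two kinds of tag from being confused.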