Sorry, I didn't bother reading the first message, and I won't bother reading any of the messages further in this thread either. Kong lacks critical functionality, and is fatally insecure for a wide variety of uses, in short it is beyond worthless, ranging into being a substantial risk to the security of anyone/group that makes use of it.
----- Original Message -----
From: "James A. Donald" <[EMAIL PROTECTED]>
Subject: Clarification of challenge to Joseph Ashwood:

> Joseph Ashwood:
> > > So it's going to be broken by design. These are critical
> > > errors that will eliminate any semblance of security in
> > > your program.
>
> James A. Donald:
> > I challenge you to fool my canonicalization algorithm by
> > modifying a message so as to change the apparent meaning
> > while preserving the signature, or by producing a message
> > that verifies as signed by me, while in fact a meaningfully
> > different message to any that was genuinely signed by me.

That's easy, remember that you didn't limit the challenge to text files. It should be a fairly simple matter to create a JPEG file with a number of 0xA0 and 0x20 bytes, by simply swapping the value of those bytes one can create a file that will pass your verification, but will obviously be corrupt. Your canonicalization is clearly and fatally flawed.

> Three quarters of the user hostility of other programs comes
> from their attempt to support "true" names, and the rest comes
> from the cleartext signature problem. Kong fixes both
> problems.

Actually Kong pretends the first problem doesn't exist, and "corrects" the second one in such a way as to make it fatally broken.

> Joseph Ashwood must produce a message that is meaningfully
> different from any of the numerous messages that I have sent
> to cypherpunks, but which verifies as sent by the same person
> who sent past messages.
>
> Thus for Kong to be "broken" one must store a past message from
> that prolific poster supposedly called James Donald, in the Kong
> database, and bring up a new message hacked up by Joseph
> Ashwood, and have Kong display in the signature verification
> screen

To verify that I would of course have to download and install Kong, something that I will never do, I don't install software I already know is broken, and fails to address even the most basic of problems.

Joe
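
An added example (not part of the original message, and not Kong's code) of the failure mode argued over above: a text canonicalizer that treats 0xA0 and 0x20 as the same byte, applied to non-text data, beside a variant that binds the content type and signs binary bytes raw. The canonicalization rule, the HMAC standing in for a real signature, and every name and sample byte here are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a signature scheme


def canonicalize(data: bytes) -> bytes:
    """Assumed text canonicalizer: 0xA0 (Latin-1 NBSP) is treated as 0x20."""
    return data.replace(b"\xa0", b"\x20")


def sign(data: bytes, is_text: bool) -> bytes:
    """Tag covers a content-type marker plus canonical (text) or raw (binary) bytes."""
    marker = b"text\x00" if is_text else b"binary\x00"
    body = canonicalize(data) if is_text else data
    return hmac.new(KEY, marker + body, hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, is_text: bool) -> bool:
    return hmac.compare_digest(sign(data, is_text), tag)


def swap_a0_20(data: bytes) -> bytes:
    """Exchange every 0xA0 with 0x20 and vice versa."""
    return data.translate(bytes.maketrans(b"\xa0\x20", b"\x20\xa0"))


def demo() -> dict:
    # Constructed binary payload (not a real JPEG) containing both byte values.
    original = b"\xff\xd8" + bytes([0x10, 0xA0, 0x20, 0x33, 0xA0, 0x20]) + b"\xff\xd9"
    altered = swap_a0_20(original)
    return {
        "bytes_differ": original != altered,
        # Binary run through the text canonicalizer: altered bytes still verify.
        "canonicalized_accepts_altered": verify(altered, sign(original, True), True),
        # Binary signed raw: the same alteration is rejected.
        "raw_accepts_altered": verify(altered, sign(original, False), False),
        # Text keeps its tolerance for NBSP versus space, which is the intent.
        "text_tolerates_nbsp": verify(b"hello\xa0world", sign(b"hello world", True), True),
        # The marker stops a text-mode tag being replayed as a binary-mode tag.
        "cross_type_accepted": verify(original, sign(original, True), False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
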