Reply With Quote
> > It is clear that you would be best served by an open-source solution.
> > If you believe everyone is best served by the same thing, you should
> > hear some horror stories of our users about trying to get encrypted
> > email to work when they used GPG and their broker used PGP. The short
> > version is that in the end, they gave up and used clear-text email -
> > far less than ideal.
>
> Oh I see so the alternative is to "trust you" and your Wizard of Oz
> act behind your curtain?
>
> Har.
>
> You could be a honeypot, a NSA/CIA front company, a terrorist node and
> a whole lot of other much nastier things than a clear text email
> provider.
Like my earlier post, clearly another apology is in order. My
intention was certainly not to offend (although, offending you is
likely impossible so I'll say my intetion was not to anger you). My
point was not that you can either trust us or go away. My point was
that any startup (I admit we are very new at only two years old) is
naturally protective of what they have. I know of firms who have had
Chinese hackers literally simply rebrand something which took a
significant amount of energy (and money) to produce. So, now there is
a competitor there with zero development costs (save the hacking
costs). That's tough (and a reminder to be cautious).
It is important to us that we don't end up down that road. Handing out
source code for everyone to see, rebrand, recompile, and redistribute
on a whim seems not to be the best way to ensure a company has a
future. That said, we do understand the need for others to see what we
are doing in order to be confident enough to trust out products.
We have chosen to err on the side of caution but if someone wants to
see, they are welcome.
My saying that we would expose key parts was not intended to convey
that we will keep some parts secret. The intention was that we will
expose whatever you want to see about the encryption, if you are
concerned about the encryption.
>
> >> If your implementation sucks, it doesn't matter if you have 400,096
> >> megabit keys.
>
While I, personally, don't have a background in cryptography, I do
understand software. Our software is built on components, like most
software today. Our TrulyMail client is built using Microsoft's .Net
and our encryption uses their cryptographic library using the Rijndael
algorithm (PROV_RSA_AES cryptographic service provider). We use a 4096-
bit key, as mentioned earlier.
Since we did not write the encryption algorithm, it didn't seem
relevant to give names and cryptographic backgrounds of everyone at
the company.
I don't believe you asked for my last name but if I misread your
question, here is the answer. My name is John Andre. I have two
decades experience in developing software using Microsoft technologies
for various companies around the world (including in the Chile, US,
Austria, Switzerland, and others).
I might be new to cryptography (and out of touch with the culture of
extreme openness) but I do understand the need for privacy in an easy-
to-use manner. I don't believe that only people who can configure
complex software have the right to privacy. I believe that everyone
deserves it and we're producing software to give that to them.
We're now getting into personal philosophies and that was clearly not
asked about so I will try to restrict this tangent.
Again, to summarize, I apologize for my erring on the side of secrecy.
TrulyMail was created because of the basic belief that freedom goes
hand in hand with privacy.
Now, feel free to rip into it.
Bookmarks