GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 23 August 2002

This FAQ applies to Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG), and some other OpenPGP implementations.

Disclaimer: some of this information may be outdated or otherwise inaccurate. I don't update it very often, but you should by all means be able to find an appropriate copy of PGP and its documentation using the information contained herein. Use it at your own risk.

The master copies of this FAQ are at
http://cryptography.org/getpgp.htm and
http://cryptography.org/getpgp.txt

The official (much more complete) PGP FAQ is available at:
http://www.pgp.net/pgpnet/pgp-faq/

WHERE ARE SOME OF THE BEST PLACES TO GET PGP ON THE WEB?

PGP freeware - for personal, noncommercial use
http://www.pgpi.com - The best source for the current versions.
http://web.mit.edu/network/pgp.html - A trustworthy source for North Americans.
http://cryptography.org - Archives of older versions and versions for various platforms for North Americans.

Gnu Privacy Guard - free even for commercial use
http://www.gnupg.org
http://www.pgpi.com
http://cryptography.org

PGP Mail commercial version
PGP Mail is now published and supported by PGP Corporation. See http://www.pgp.com for information on their current prices, versions, and support. For commercial applications where having a corporation to back up a product with support is important, or where maximum integration with Windows is important, this is the preferable option. For commercial applications where low cost is the primary concern and you want to use a command line interface, Gnu Privacy Guard (http://www.gnupg.org) is better.

Note: you may need an unzip utility, such as the InfoZip unzip that you can get from http://www.info-zip.org, to decompress the files you download.

WHERE CAN I GET MORE PGP INFORMATION?

The best source of PGP information is the PGP documentation that comes with PGP.

For additional information, you may want to read:
http://www.cryptorights.org/pgp-help-team/hello.html
http://www.pgp.net/pgpnet/pgp-faq/
http://www.mit.edu:8001/people/warlord/pgp-faq.html
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-01.txt
http://cryptography.org/getpgp.htm

com/~vax/pgp_versions. e.net contains many PGP related resources. since no earlier versions of PGP can handle these algorithm. and definitely not the weak link in the chain. Will Price) and the one of a kind.fr/Network/Crypto/ (c'est en francais) http://www.freedomfighter. With the death of the Diffie-Hellman key exchange patent.net/crypto/pgp-history.security.com/SiliconValley/Bay/9648/ WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP AND GPG VERSIONS PGP 5. See also: German: http://www. links to another mailing list dedicated to PGPfone (which includes one of its authors. is that there will be some interoperability problems. please see http://www. Gnu Privacy Guard was written from the ground up to be free software under the Gnu Public License. resources for MacPGP. PGPfone Registry.html http://www. The new SHA1 hash function is better than MD5. so signatures are more secure. of course. the PGP documentation. too. For more information on PGP and GPG compatibility. the freeware PGP new algorithms are 100% free of patent problems.com/Athens/1802/ French: http://www.pgpi. and therefore some older versions of GPG didn't support RSA signatures or encryption. where PGPfone users who would like to test PGPfone with each other can leave messages in a browsable data base to let others find them to connect with each other. You can get the official PGP documentation in several languages at http://www.rivertown. and free of legalese such as come with the RSAREF toolkit.geocities. These changes are good from both technical (security & efficiency) and political (patent) standpoints. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit. A good place to discuss PGP and ask questions about it is in the PGP news groups (i. so PGP encryption is actually more secure.cnam. and other related fields. comp.openpgp. now.95 .http://web.org/faqs/pgp-faq/ The PGP-Users Mailing List home page at http://pgp.com. 
That means that it cannot use the IDEA symmetric key algorithm. and also that some versions were issued before the RSA patent expired in the USA.geocities.0 introduces some new algorithms for both public key and conventional encryption. WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19. CAN I GET PGP DOCUMENTATION IN MY OWN LANGUAGE? Yes. The conventional encryption used is all sound. now. and some PGP freeware issued before the RSA algorithm math patent expired doesn't support RSA signatures and encryption.html http://www.org. anonymous remailers.paranoia. This much is good news.faqs. The PGP-Users list archives are also linked to the page as is an HTML version of the PGP-FAQ (may not be the most recent). including resources on privacy. The bad news.pgp).

0-262-24039-4 ZIMPH How to Use PGP.PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates. (Pub #121) from the Superior Broadcasting Company. MIT Press April 1995 Standard PGP PGP USER'S GUIDE Zimmermann 216 pp. ISBN 1-56592-098-8 US $24. The RSA patent caused considerable expense in the USA for PGP users. Oil City. IS PGP LEGAL? Using and distributing Pretty Good Privacy is legal if you are careful to obey the intellectual property and export rules. the RSA patent is dead and anyone in the USA may use RSA for either business or personal use without restrictions. Zimmermann April 1995 . as well as any local rules that may apply in the nation you are in. Government as not infringing. export regulations are not as bad as they were. until the Diffie-Hellman patent expired and DSA was offered by the U.) Check the Department of Commerce web site at http://www. Inc. etc.bxa. Fortunately.US $14. Data Protection.htm for current rules.00 . US $55. S. How To Keep Your Electronic Messages Private (covers PGP & PEM) by Bruce Schneier 365 pages 1995 pub: John Wiley & Sons.paper . . just like people in the rest of the world have been able to do for many years.95 US The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption. You can't intentionally export PGP or GPG from the USA to certain forbidden destination (state sponsors of terrorism.95 800-283-9444 or 510-548-4393 THE OFFICIAL by Philip R. 61 pages.95 . U. ISBN 0-471-05318-X $24. especially outside of the USA. .gov/Encryption/Default. phone: (814) 678-8801 (about US $10-$13).804 pp. PA 16301. S. Box 1533-N. but you may be required to give a notice to the U.ISBN 0-262-74017-6 ZIMPP documentation neatly typeset and bound.doc. Some people still like to use older versions of PGP that use RSA. Government to export or publicly post source code (and the executable compiled from it) under license exception TSU.95 E-Mail_Security. S. Inc. 
and PGP PRivacy Software by André Bacard Peachpit Press ISBN 1-56609-171-3 US $24. PGP SOURCE CODE AND INTERNALS by Philip R.

Inc. but they have greatly improved to the point where U. you can be arrested for using cryptography and even be put in jail for using a GPS receiver. noncommercial use). For direct IDEA licensing.htm. Dep't.state. has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. but now that nation allows its citizens to use strong cryptography. France used to be quite restrictive. Export regulations used to be quite draconian in the USA. as is building on older GPL versions of PGP or the new GPG. Ascom Systec AG.gov before visiting another country.) If you modify PGP (other than porting it to another platform.bxa. (No separate license is required to use the freeware PGP for personal. Unfortunately. make sure you are licensed to use the IDEA cipher commercially before using PGP commercially.org) for free. CMN Phone +41 64 56 59 45 Fax: +41 64 56 59 90 e-mail: IDEA@ascom. Dep't. S. contact Ascom Systec: Erhard Widmer. If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe). CH-5506 Maegenwil (Switzerland) Network Associates. Citizens no longer need to hesitate to publish (even on the Internet) and use strong cryptography. still.gov/Encryption/Default.doc. Citizens may want to view travel advisories at http://travel.. there is no legal obstacle for use of strong encryption. don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission. or adapting it to another compiler). the most legal approach is to use Gnu Privacy Guard (http://www. In Russia. Within the U. recognizing its value in preventing some crimes and strengthening electronic commerce.htm WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? .kub. and are still partially irrational. but you may also be able to buy a license for the commercial version of PGP.gnupg. or avoid it by using Gnu Privacy Guard or a version of PGP that allows the use of alternate algorithms like CAST. 
For a recent update on the legal situation see The Crypto Law Survey http://cwis.ch Mail address: Gewerbepark. (Selling shareware/freeware disks or connect time is OK.nl/~frw/people/koops/lawsurvy. as long as they send the required notices of export and/or posting on the Internet described by http://www. this isn't an ideal world. Germany once considered banning the use and distribution of strong cryptographic software in the name of "national security. U." but now the German government has actually endorsed and helped fund the development of Gnu Privacy Guard. instead. In an ideal world every honest person would have the right to use encryption. Ascom Systec AG. S. fixing a bug.S. CMVV Phone +41 64 56 59 83 Peter Hartmann.If you want to use PGP for commercial use.

co.crypto.de/pub/virus/crypt/file/ ftp://idea. with a grand jury hearing evidence for about 28 months.page. I use DELETE. but doesn't wipe "unused" space. DLOCK2 is a no-frills strong encryption program with complete source code. Norton WipeInfo is pretty good.com/pub/replay/pub/voice/ WHERE DO I GET NAUTILUS? Bill Dorsey.wepin. which is really good at deleting existing files.it/pub/crypt/code/ HOW DO I SECURELY DELETE FILES? If you have the Norton Utilities. DLOCK2 for DOS & UNIX.zip WHERE DO I GET PGPfone(tm)? PGPfone is for private telephone calls over a modem or the Internet. ftp://eBible. See: http://www. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option.informatik.dsi.org http://www.com/~reinhold/diceware. The Federal Government chose not to comment on why it decided to not prosecute.html http://www. Curve Encrypt (for the Mac).com http://www. HPACK is an archiver (like ZIP or ARC). since studies show that U. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom. but with strong encryption.EXE in del210. Pat Mullarky.org HOW DO I SELECT A GOOD SECURE PASSPHRASE? See: http://world. as well as some very real legal expenses. http://web.Philip Zimmermann was under investigation for alleged violation of export regulations. HPACK (many platforms).eff.sec.zip.edu/network/pgpfone ftp://basement. for the sake of your right to electronic privacy.org/ ftp://ftp.demon.std. S.uni-hamburg. A couple of starting points for your search are: http://cryptography. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products.org/pub/del210.epic.replay. nor is it likely to.unimi.com/pgp/passfraz.zip ftp://ftp.html WHAT OTHER FILE ENCRYPTION (DOS. and a few others.uk/pub/ibmpc/security/realdeal. ending 11 January 1996. 
Curve Encrypt has certain user-friendliness advantages. but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Atbash2 for DOS.mit. and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations .

HOW DO I PUBLISH MY PGP PUBLIC KEY? The latest PGP and GPG versions will interact with key servers automatically if you are connected to the Internet and if you configure them to. it is secure against most attackers when used on a physically secure system in accordance with its instructions. Current implementations of S/MIME (1) don't always use secure key lengths. but really it is more of a growth from the initial Gnu Public License versions of PGP itself. There are other key servers.org/bible/web/Psalms.edu/pub/crypt/other/nautilus-phone-0. On the positive side. It is also true that God knows your thoughts even before you encrypt them. If an adversary of yours has physical access to the computer that you use with PGP. pgp-public-keys@keys.msu.pgp. (3) have much more limited key management facilities than PGP.pgp.pgp.net pgp-public-keys@keys.uk/pub/crypto/misc ftp://ripem.org ftp://basement.uk. Yes. You must also never run or allow to be run any rogue software (including viruses. S/MIME is integrated into email packages like Microsoft Outlook and Netscape Messenger. (2) often require payment of an annual fee to a central key certification authority. with some independently-written code added where necessary. With that combination. it is not hard to install a hardware or software keystroke logger that can capture your passphrase.tar. http://ebible.htm#C139V1 .net pgp-public-keys@keys. and quite secure. but my experience with it has been rather negative.replay.gz http://www. It is a serious alternative.2-source.com/nautilus/ WHERE IS PGP'S COMPETITION? Gnu Privacy Guard (GPG) is a serious OpenPGP standard competitor to PGP.msu.lila.9. For manual key publication. PGP is not secure if you don't understand what you are doing.pgp.cryptography.between people with multimedia PCs and modems capable of at least 7200 bps (but 14.ox. worms.edu/pub/crypt/GETTING_ACCESS ftp://ripem. These servers synchronize keys with each other. 
This includes using a good passphrase to protect your private keys and keeping your passphrase and private keys truly private. any of your PGP-encrypted messages can be read. S/MIME is gaining a foothold on the secure email market.net IS PGP REALLY SECURE? Yes and no.net pgp-public-keys@keys. and to copy your private keyring. See: ftp://sable. and Trojan horses) that might send your passphrase keystrokes and your PGP key file back to some spy. too.de.net pgp-public-keys@keys.no. and (4) usually don't have source code open to inspection like GPG and most versions of PGP.com/pub/replay/pub/voice/ The official Nautilus home page is at: http://www. so you can't hide anything from Him.us.pgp. send mail to one of these addresses with the single word "help" in the subject line to find out how to use them.4 kbps is better).ac.

WHO MAINTAINS THIS FAQ?

Michael Paul Johnson mpj@ebible.org maintains this FAQ. My PGP and Gnu Privacy Guard public keys can be downloaded from my contact page at http://eBible.org/mpj/, as well as from the public key servers.

MAY I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Please only do so in appropriate forums, and provide pointers to the home location of this FAQ.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Cygwin32)

iD8DBQE9ZcmuRI/gxxfXR7sRAju5AJ4/RkKcG291AGSTS/RtAbrjOjc/2wCg0uOR
CjpPHBAD8FRffFrWev+SWyg=
=DChL
-----END PGP SIGNATURE-----

