[Comp.Sci.Dept, Utrecht] Note from archiver<at>cs.uu.nl: This page is part of a big collection of Usenet postings, archived here for your convenience. For matters concerning the content of this page, please contact its author(s); use the source, if all else fails. For matters concerning the archive as a whole, please refer to the archive description or contact the archiver.

Subject: Where to get the latest PGP (Pretty Good Privacy) FAQ

This article was archived around: 14 May 2006 04:18:49 GMT

All FAQs in Directory: pgp-faq
All FAQs posted in: alt.security.pgp
Source: Usenet Version

Archive-name: pgp-faq/where-is-PGP Posting-Frequency: monthly Last-modified: 23 August 2002 URL: http://cryptography.org/getpgp.htm URL: http://cryptography.org/getpgp.txt
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 WHERE TO GET PGP and GPG WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ Revised 23 August 2002 This FAQ applies to Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG), and some other OpenPGP implementations. Disclaimer: some of this information may be outdated or otherwise inaccurate. I don't update it very often, but you should by all means be able to find an appropriate copy of PGP and its documentation using the information contained herein. Use it at your own risk. The master copies of this FAQ are at http://cryptography.org/getpgp.htm and http://cryptography.org/getpgp.txt The official (much more complete) PGP FAQ is available at: http://www.pgp.net/pgpnet/pgp-faq/ WHERE ARE SOME OF THE BEST PLACES TO GET PGP ON THE WEB? PGP freeware - for personal, noncommercial use http://www.pgpi.com - The best source for the current versions. http://web.mit.edu/network/pgp.html - A trustworthy source for North Americans. http://cryptography.org - Archives of older versions and versions for various platforms for North Americans. Gnu Privacy Guard - free even for commercial use http://www.gnupg.org http://www.pgpi.com http://cryptography.org PGP Mail commercial version PGP Mail is now published and supported by PGP Corporation. See http://www.pgp.com for information on their current prices, versions, and support. For commercial applications where having a corporation to back up a product with support is important, or where maximum integration with Windows is also important, this is the preferable option. For commercial applications where low cost is the primary option and you want to use a command line interface, Gnu Privacy Guard (http://www.gnupg.org) is better. Note: you may need an unzip utility, such as the InfoZip unzip that you can get from http://www.info-zip.org to decompress the files you download. WHERE CAN I GET MORE PGP INFORMATION? The best source of PGP information is in the PGP documentation that comes with PGP. For additional information, you may want to read: http://www.cryptorights.org/pgp-help-team/hello.html http://www.pgp.net/pgpnet/pgp-faq/ http://www.mit.edu:8001/people/warlord/pgp-faq.html ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-01.txt http://cryptography.org/getpgp.htm http://web.cnam.fr/Network/Crypto/ (c'est en francais) http://www.freedomfighter.net/crypto/pgp-history.html http://www.paranoia.com/~vax/pgp_versions.html http://www.faqs.org/faqs/pgp-faq/ The PGP-Users Mailing List home page at http://pgp.rivertown.net contains many PGP related resources, including resources on privacy, anonymous remailers, and other related fields. The PGP-Users list archives are also linked to the page as is an HTML version of the PGP-FAQ (may not be the most recent), the PGP documentation, resources for MacPGP, links to another mailing list dedicated to PGPfone (which includes one of its authors, Will Price) and the one of a kind, PGPfone Registry, where PGPfone users who would like to test PGPfone with each other can leave messages in a browsable data base to let others find them to connect with each other. A good place to discuss PGP and ask questions about it is in the PGP news groups (i. e. comp.security.pgp). CAN I GET PGP DOCUMENTATION IN MY OWN LANGUAGE? Yes. You can get the official PGP documentation in several languages at http://www.pgpi.com. See also: German: http://www.geocities.com/Athens/1802/ French: http://www.geocities.com/SiliconValley/Bay/9648/ WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP AND GPG VERSIONS PGP 5.0 introduces some new algorithms for both public key and conventional encryption. These changes are good from both technical (security & efficiency) and political (patent) standpoints. With the death of the Diffie-Hellman key exchange patent, the freeware PGP new algorithms are 100% free of patent problems, and free of legalese such as come with the RSAREF toolkit. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit, so PGP encryption is actually more secure, now. The new SHA1 hash function is better than MD5, so signatures are more secure, now, too. The conventional encryption used is all sound, and definitely not the weak link in the chain. This much is good news. The bad news, of course, is that there will be some interoperability problems, since no earlier versions of PGP can handle these algorithm, and some PGP freeware issued before the RSA algorithm math patent expired doesn't support RSA signatures and encryption. Gnu Privacy Guard was written from the ground up to be free software under the Gnu Public License. That means that it cannot use the IDEA symmetric key algorithm, and also that some versions were issued before the RSA patent expired in the USA, and therefore some older versions of GPG didn't support RSA signatures or encryption. For more information on PGP and GPG compatibility, please see http://www.openpgp.org. WHAT ARE SOME GOOD PGP BOOKS? Protect Your Privacy: A Guide for PGP Users by William Stallings Prentice Hall PTR ISBN 0-13-185596-4 US $19.95 PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates, Inc. ISBN 1-56592-098-8 US $24.95 E-Mail_Security, How To Keep Your Electronic Messages Private (covers PGP & PEM) by Bruce Schneier 365 pages 1995 pub: John Wiley & Sons, Inc. ISBN 0-471-05318-X $24.95 US The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP PRivacy Software by Andr=E9 Bacard Peachpit Press ISBN 1-56609-171-3 US $24.95 800-283-9444 or 510-548-4393 THE OFFICIAL PGP USER'S GUIDE by Philip R. Zimmermann MIT Press April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP Standard PGP documentation neatly typeset and bound. PGP SOURCE CODE AND INTERNALS by Philip R. Zimmermann April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13). IS PGP LEGAL? Using and distributing Pretty Good Privacy is legal if you are careful to obey the intellectual property and export rules, as well as any local rules that may apply in the nation you are in. U. S. export regulations are not as bad as they were, but you may be required to give a notice to the U. S. Government to export or publicly post source code (and the executable compiled from it) under license exception TSU. You can't intentionally export PGP or GPG from the USA to certain forbidden destination (state sponsors of terrorism, etc.) Check the Department of Commerce web site at http://www.bxa.doc.gov/Encryption/Default.htm for current rules. The RSA patent caused considerable expense in the USA for PGP users, until the Diffie-Hellman patent expired and DSA was offered by the U. S. Government as not infringing. Some people still like to use older versions of PGP that use RSA, especially outside of the USA. Fortunately, the RSA patent is dead and anyone in the USA may use RSA for either business or personal use without restrictions, just like people in the rest of the world have been able to do for many years. If you want to use PGP for commercial use, the most legal approach is to use Gnu Privacy Guard (http://www.gnupg.org) for free, but you may also be able to buy a license for the commercial version of PGP, still. If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially, or avoid it by using Gnu Privacy Guard or a version of PGP that allows the use of alternate algorithms like CAST, instead. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec: Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone +41 64 56 59 83 Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone +41 64 56 59 45 Fax: +41 64 56 59 90 e-mail: IDEA@ascom.ch Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland) Network Associates, Inc., has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK, as is building on older GPL versions of PGP or the new GPG.) If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission. Within the U.S. there is no legal obstacle for use of strong encryption. Export regulations used to be quite draconian in the USA, and are still partially irrational, but they have greatly improved to the point where U. S. Citizens no longer need to hesitate to publish (even on the Internet) and use strong cryptography, as long as they send the required notices of export and/or posting on the Internet described by http://www.bxa.doc.gov/Encryption/Default.htm. In an ideal world every honest person would have the right to use encryption. Unfortunately, this isn't an ideal world. France used to be quite restrictive, but now that nation allows its citizens to use strong cryptography, recognizing its value in preventing some crimes and strengthening electronic commerce. Germany once considered banning the use and distribution of strong cryptographic software in the name of "national security," but now the German government has actually endorsed and helped fund the development of Gnu Privacy Guard. In Russia, you can be arrested for using cryptography and even be put in jail for using a GPS receiver. U. S. Citizens may want to view travel advisories at http://travel.state.gov before visiting another country. For a recent update on the legal situation see The Crypto Law Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS? Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. See: http://www.epic.org http://www.crypto.com http://www.eff.org HOW DO I SELECT A GOOD SECURE PASSPHRASE? See: http://world.std.com/~reinhold/diceware.page.html http://www.wepin.com/pgp/passfraz.html WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE? PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Atbash2 for DOS, DLOCK2 for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK2 is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are: http://cryptography.org/ ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/ ftp://idea.sec.dsi.unimi.it/pub/crypt/code/ HOW DO I SECURELY DELETE FILES? If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del210.zip, which is really good at deleting existing files, but doesn't wipe "unused" space. ftp://eBible.org/pub/del210.zip ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip WHERE DO I GET PGPfone(tm)? PGPfone is for private telephone calls over a modem or the Internet. http://web.mit.edu/network/pgpfone ftp://basement.replay.com/pub/replay/pub/voice/ WHERE DO I GET NAUTILUS? Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See: ftp://sable.ox.ac.uk/pub/crypto/misc ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz http://www.cryptography.org ftp://basement.replay.com/pub/replay/pub/voice/ The official Nautilus home page is at: http://www.lila.com/nautilus/ WHERE IS PGP'S COMPETITION? Gnu Privacy Guard (GPG) is a serious OpenPGP standard competitor to PGP, but really it is more of a growth from the initial Gnu Public License versions of PGP itself, with some independently-written code added where necessary. It is a serious alternative, and quite secure. S/MIME is gaining a foothold on the secure email market, but my experience with it has been rather negative. Current implementations of S/MIME (1) don't always use secure key lengths, (2) often require payment of an annual fee to a central key certification authority, (3) have much more limited key management facilities than PGP, and (4) usually don't have source code open to inspection like GPG and most versions of PGP. On the positive side, S/MIME is integrated into email packages like Microsoft Outlook and Netscape Messenger. HOW DO I PUBLISH MY PGP PUBLIC KEY? The latest PGP and GPG versions will interact with key servers automatically if you are connected to the Internet and if you configure them to. For manual key publication, send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too. pgp-public-keys@keys.pgp.net pgp-public-keys@keys.de.pgp.net pgp-public-keys@keys.no.pgp.net pgp-public-keys@keys.uk.pgp.net pgp-public-keys@keys.us.pgp.net IS PGP REALLY SECURE? Yes and no. Yes, it is secure against most attackers when used on a physically secure system in accordance with its instructions. This includes using a good passphrase to protect your private keys and keeping your passphrase and private keys truly private. You must also never run or allow to be run any rogue software (including viruses, worms, and Trojan horses) that might send your passphrase keystrokes and your PGP key file back to some spy. If an adversary of yours has physical access to the computer that you use with PGP, it is not hard to install a hardware or software keystroke logger that can capture your passphrase, and to copy your private keyring. With that combination, any of your PGP-encrypted messages can be read. PGP is not secure if you don't understand what you are doing. It is also true that God knows your thoughts even before you encrypt them, so you can't hide anything from Him. http://ebible.org/bible/web/Psalms.htm#C139V1 MAY I COPY AND REDISTRIBUTE THIS FAQ? Yes. Please only do so in appropriate forums, and provide pointers to the home location of this FAQ. WHO MAINTAINS THIS FAQ? Michael Paul Johnson mpj@ebible.org maintains this FAQ. My PGP and Gnu Privacy Guard public keys can be downloaded from my contact page at http://eBible.org/mpj/, as well as from the public key servers. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (Cygwin32) iD8DBQE9ZcmuRI/gxxfXR7sRAju5AJ4/RkKcG291AGSTS/RtAbrjOjc/2wCg0uOR CjpPHBAD8FRffFrWev+SWyg=3D =3DDChL -----END PGP SIGNATURE-----