1994-09-07 - Where to Get the Latest PGP (Pretty Good Privacy) FAQ

Header Data

From: Michael Paul Johnson <mpj@netcom.com>
To: viacrypt@acm.org
Message Hash: b60afee5d792744e75d4600a036c614dcd6786d0781b9ac4c767cf4a276c7905
Message ID: <Pine.3.89.9409070831.A11766-0100000@netcom6>
Reply To: N/A
UTC Datetime: 1994-09-07 15:34:18 UTC
Raw Date: Wed, 7 Sep 94 08:34:18 PDT

Raw message

From: Michael Paul Johnson <mpj@netcom.com>
Date: Wed, 7 Sep 94 08:34:18 PDT
To: viacrypt@acm.org
Subject: Where to Get the Latest PGP (Pretty Good Privacy) FAQ
Message-ID: <Pine.3.89.9409070831.A11766-0100000@netcom6>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP)
(Last modified: 7 September 1994 by Mike Johnson)


WHAT IS THE LATEST VERSION?

There is more than one latest version.  Pick one or more of the following
that best suits your computer, patent restrictions, and export restrictions.
Some countries (like France) may also restrict import or even use of strong
cryptography like PGP.

 |-----------------+---------------------+---------------------------------|
 | Platform(s)     | Latest Version      | Distribution File Names         |
 |-----------------+---------------------+---------------------------------|
 | DOS, Unix,      | Viacrypt PGP 2.7    | disk sets                       |
 | or WinCIM/CSNav |                     |                                 |
 |-----------------+---------------------+---------------------------------|
 | DOS, Unix,      | MIT PGP 2.6.1       | pgp261.zip  (DOS + docs)        |
 | others          |                     | pgp261s.zip (source)            |
 |                 |                     | pg261s.zip source on CompuServe |
 |                 |                     | pgp261.tar.gz (source)          |
 |                 |                     | pgp261.gz (same as above on DOS)|
 |                 |                     | pgp261.tar.Z (source)           |
 |                 |                     | pgp261dc.zip (documentation)    |
 |                 |                     | pg261d.zip (docs on CompuServe) |
 |-----------------+---------------------+---------------------------------|
 | Macintosh       | MIT PGP 2.6         | MacPGP2.6.sea.hqx (binary+docs) |
 |                 |                     | macpgp26.hqx (same as above)    |
 |                 |                     | MacPGP2.6.src.sea.hqx (source)  |
 |                 |                     | macpgp26.src (same as above)    |
 |                 |                     | MacPGP2.6-68000.sea.hqx (binary)|
 |                 |                     | mcpgp268.hqx (same as above)    |
 |-----------------+---------------------+---------------------------------|
 | Mac Applescript | MacPGP 2.6ui v 1.2  | MacPGP-2.6ui-v1.2.sit.hqx       |
 |                 |                     | MacPGP2.6ui_V1.2_sources.cpt.hqx|
 |                 |                     | MacPGP2.6uiV1.2en.cpt.hqx       |
 |                 |                     | MacPGP2.6uiV1.2src.cpt.hqx      |
 |                 |                     | MacPGP2.6uiV1.2.68000.hqx       |
 |-----------------+---------------------+---------------------------------|
 | Amiga           | Amiga PGP 2.3a.4    | PGPAmi23a_4.lha                 |
 |-----------------+---------------------+---------------------------------|
 | Atari           | Atari PGP 2.6ui     | pgp26uib.lzh (binary, docs)     |
 |                 |                     | pgp26uis.lzh                    |
 |-----------------+---------------------+---------------------------------|
 | Archimedes      | Archimedes 2.3a     | ArcPGP23a                       |
 |-----------------+---------------------+---------------------------------|

Note:  there are other versions available, but these are either old, or
outside of the mainstream PGP project.  Look for signatures from one of three
sources:  Viacrypt (Commercial), jis@mit.edu (North American freeware), or
mathew@mantis.co.uk (the unofficial international version source).  The
"unofficial international" versions are really just PGP 2.3a, modified just
enough to make it compatible with MIT PGP 2.6, but do not include all of the
fixes in MIT PGP 2.6 and MIT PGP 2.6.1.  They are named pgp26ui* or have a
"ui" somewhere in their file names.  I recommend the use of the "ui" versions
only if:

        (1) You are using a Macintosh;
        (2) You are using a platform for which there is no Viacrypt or MIT
            PGP;
        (3) You are outside of North America, and can't obtain Viacrypt or
            MIT PGP; or
        (4) You need to use a key longer than 1024 bits (i. e. a 1264 bit
            key generated with PGP 2.3a or PGP 2.6ui).


WHERE CAN I GET VIACRYPT PGP?

If you are a commercial user of PGP in the USA or Canada, contact Viacrypt in
Phoenix, Arizona, USA.  The commecial version of PGP is fully licensed to use
the patented RSA and IDEA encryption algorithms in commercial applications,
and may be used in corporate environments in the USA and Canada.  It is fully
compatible with, functionally the same as, and just as strong as the freeware
version of PGP. Due to limitations on ViaCrypt's RSA distribution license,
ViaCrypt only distributes executable code and documentation for it, but they
are working on making PGP available for a variety of platforms.  Call or
write to them for the latest information.  The latest version number for
their version of PGP is 2.7.

The Windows version is anticipated to ship by (or before) September 15, 1994;
the Macintosh version is expected to ship in early October.  The formal
announcements will go out about one week prior to first ship dates.  The
Windows version is a high grade Visual Basic front end with the DOS program
in the back end. It is a point-and-click, drag-and-drop operation.

Here is a brief summary of Viacrypt's currently-available products:

1. ViaCrypt PGP for MS-DOS.  Prices start at $99.98

2. ViaCrypt PGP for UNIX.  Includes executables for the following
   platforms:

     SunOS 4.1.x (SPARC)
     IBM RS/6000 AIX
     HP 9000 Series 700/800 UX
     SCO 386/486 UNIX
     SGI IRIX
     AViiON DG-UX(88/OPEN)

   Prices start at $149.98

     Executables for the following additional platforms are
     available upon request for an additional $30.00 charge.

     BSD 386
     Ultrix MIPS DECstation 4.x


3. ViaCrypt PGP for WinCIM/CSNav.  A special package for users of
   CompuServe.  Prices start at $119.98

In September, 1994, ViaCrypt intends to announce two new major
product additions:

     ViaCrypt PGP for Windows
     ViaCrypt PGP for Macintosh

   Prices start at $124.98

Viacrypt's licensing and price information is as follows:

  ViaCrypt PGP Version 2.7 for Windows  (Single User  $ 124.98
  ViaCrypt PGP Version 2.7 for Windows  (Five User)   $ 374.98

  ViaCrypt PGP Version 2.7 for Macintosh(Single User) $ 124.98
  ViaCrypt PGP Version 2.7 for Macintosh(Five User)   $ 374.98

  ViaCrypt PGP Version 2.7 for MS-DOS   (Single User) $  99.98
  ViaCrypt PGP Version 2.7 for MS-DOS   (Five User)   $ 299.98

  ViaCrypt PGP Version 2.7 for UNIX     (Single User) $ 149.98
  ViaCrypt PGP Version 2.7 for UNIX     (Five User)   $ 449.98

  ViaCrypt PGP for WinCIM/CSNav         (Single User) $ 119.98
  ViaCrypt PGP for WinCIM/CSNav         (Five User)   $ 359.98


UNIX platforms of Ultrix and BSD 386 have an additional $30.00
charge per platform.

Please contact ViaCrypt for pricing of 20 users and above.

Orders may be placed by calling 800-536-2664 during the hours of
8:30am to 5:00pm MST, Monday - Friday.  We accept VISA,
MasterCard, AMEX and Discover credit cards.

If you have further questions, please feel free to contact:

Paul E. Uhlhorn
Director of Marketing, ViaCrypt Products
Mail:          9033 N. 24th Avenue
               Suite 7
               Phoenix AZ 85021-2847
Phone:         (602) 944-0773
Fax:           (602) 943-2601
Internet:      viacrypt@acm.org
Compuserve:    70304.41


WHERE CAN I GET THE FREEWARE PGP?

These listings are subject to change without notice.  If you find that PGP has
been removed from any of these sites, please let me know so that I can update
this list.  Likewise, if you find PGP on a good site elsewhere (especially on
any BBS that allows first time callers to access PGP for free), please let me
know so that I can update this list.  Because this list changes frequently, I
have not attempted to keep it complete, but there should be enough pointers
to let you easily find PGP.

There are several ways to get the freeware PGP:  ftp, WWW, BBS, CompuServe,
America Online (maybe), email ftp server, and sneakernet (ask a friend for a
copy).  Just don't ask the author directly for a copy.


FTP SITES IN NORTH AMERICA

These sites generally have some mechanism to (1) discourage export of PGP and
violation of the ITAR, (2) protect the site operators from harrassment by the
Federal Government, and (3) still allow automated distribution of PGP as far
as is allowed under all applicable laws.

Telnet to net-dist.mit.edu, log in as getpgp, answer the questions, then ftp
to net-dist.mit.edu and change to the hidden directory named in the telnet
session to get your own copy.

MIT-PGP is for U. S. and Canadian use only, but MIT is only distributing it
within the USA (due to some archaic export control laws).

1.  Read ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt and agree to it.
2.  Read ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt and agree to it.
3.  Telnet to net-dist.mit.edu and log in as getpgp.
4.  Answer the questions and write down the directory name listed.
5.  QUICKLY end the telnet session with ^C and ftp to the indicated directory
    on net-dist.mit.edu (something like /pub/PGP/dist/U.S.-only-????) and get
    the distribution files (see the above chart for names).
    If the hidden directory name is invalid, start over at step 3, above.

You can also get PGP from:

ftp.csn.net/mpj
    ftp://ftp.csn.net/mpj/I_will_not_export/crypto_???????/pgp/
    See ftp://ftp.csn.net/mpj/README.MPJ for the ???????
    See ftp://ftp.csn.net/mpj/help for more help on negotiating this site's
    export control methods (open to USA and Canada).

ftp.netcom.com/pub/mpj
    ftp://ftp.netcom.com/mpj/I_will_not_export/crypto_???????/pgp/
    See ftp://ftp.netcom.com/pub/mpj/README.MPJ for the ???????
    See ftp://ftp.netcom.com/pub/mpj/help for more help on negotiating this
    site's export control methods.
    TO GET THESE FILES BY EMAIL, send mail to ftp-request@netcom.com
    containing the word HELP in the body of the message for instructions.
    You will have to work quickly to get README.MPJ then the files before
    the ??????? part of the path name changes again (several times a day).

ftp.eff.org
    Follow the instructions found in README.Dist that you get from one of:
    ftp://ftp.eff.org/pub/Net_info/Tools/Crypto/README.Dist
    gopher.eff.org, 1/Net_info/Tools/Crypto
    gopher://gopher.eff.org/11/Net_info/Tools/Crypto
    http://www.eff.org/pub/Net_info/Tools/Crypto/

ftp.wimsey.bc.ca
    /pub/crypto/software/dist/US_or_Canada_only_XXXXXXX/PGP
    (U. S. and Canadian users only)
    See /pub/crypto/software/README for the characters for XXXXXXXX
    This site has all public releases of the freeware PGP.


WORLD WIDE WEB ACCESS

    http://www.matnis.co.uk/pgp/pgp.html
    http://rschp2.anu.edu.au:8080/crypt.html


COMPUSERVE

The NCSA Forum sysops have a library (Library 12: Export Controlled) that is
available only to people who send them a message asserting that they are
within the U. S. A.  This library contains PGP.  I have also seen PGP in some
other places on Compuserve.  Try searching for PGP261.ZIP in the IBMFF forum
for up-to-date information on PGP in selected other areas.  The last time I
tried a search like this, PGP 2.6 was found in the PC World Online forum (GO
PWOFORUM) new uploads area, along with several PGP shells and accessories.
I've also heard that EUROFORUM caries PGP 2.6ui, but have not confirmed this.

Compuserve file names are even more limited than DOS (6.3 instead of the
already lame 8.3), so the file names to look for are PGP26.ZIP, PG261S.ZIP
(source code), PGP261.GZ (Unix source code) and PG261D.ZIP (documentation
only).


BULLETIN BOARD SYSTEMS

Colorado Catacombs BBS
    Mike Johnson, sysop
    Mac and DOS versions of PGP, PGP shells, and some other crypto stuff.
    Also the home of some good Bible search files and some shareware written
    by Mike Johnson, including DLOCK, CRYPTA, CRYPTE, CRYPTMPJ, MCP, MDIR,
    DELETE, PROVERB, SPLIT, ONEPAD, etc.
    v.FAST/v.32bis/v.42bis, speeds up to 28,800 bps
    8 data bits, 1 stop, no parity, as fast as your modem will go.
    Use ANSI terminal emulation, of if you can't, try VT-100.
    Free access to PGP.  If busy or no answer, try again later.
    Log in with your own name, or if someone else already used that, try
    a variation on your name or pseudonym.  You can request access to
    crypto software on line, and if you qualify legally under the ITAR,
    you can download on the first call.
    For free access: log in with your own name, answer the questions, then
    select [Q]uestionaire 3 from the [M]ain menu.
    (303) 772-1062  Longmont, Colorado number - 2 lines.
    (303) 938-9654  Boulder, Colorado number forwarded to Longmont number
                    intended for use by people in the Denver, Colorado area.

Hieroglyphics Voodoo Machine (Colorado)
    Jim Still (aka Johannes Keppler), sysop.
    DOS, OS2, and Mac versions.
    (303) 443-2457
    For free access for PGP, DLOCK, Secure Drive, etc., log in as "VOO DOO"
    with the password "NEW" (good for 30 minutes access to free files).

Exec-Net (New York)
    Host BBS for the ILink net.
    (914) 667-4567

The Ferret BBS (North Little Rock, Arkansas)
    (501) 791-0124   also   (501) 791-0125
    Special PGP users account:
    login name: PGP USER
    password:   PGP
    This information from: Jim Wenzel <jim.wenzel@grapevine.lrk.ar.us>

Other BBS -- check your local BBS.  Chances are good that it has any release
that is at least a month old if it has much of a file area at all.


AMERICA ONLINE:

Try PC WORLD soft/lib. (key word PGP).  Make sure you get ALL of the files,
including the documentation.  Somebody apparently split up the .ZIP file just
to make life more difficult.


OTHER FTP SITES

These other ftp sites don't have the "export control" hoops to jump through
that most North American sites have in deference to archaic laws.

    ftp.informatik.uni-hamburg.de
      /pub/virus/crypt/pgp
      This site has most, if not all, of the current PGP files.

    black.ox.ac.uk  (129.67.1.165)

    ftp.netcom.com
      /pub/dcosenza -- Some crypto stuff, sometimes includes PGP.
      /pub/gbe/pgpfaq.asc -- frequently asked questions answered.
      /pub/qwerty -- How to MacPGP Guide, largest steganography ftp site as
                     well.  PGP FAQ, crypto FAQ, US Crypto Policy FAQ,
                     Steganograpy software list. MacUtilites for use with
                     MacPGP.  Stealth1.1 + other steganography programs.
                     Send mail to qwerty@netcom.com with the subject
                     "Bomb me!" to get the PGP FAQ and MacPGP guide if you
                     don't have ftp access.

    ftp.ee.und.ac.za
      /pub/crypto/pgp

    soda.berkeley.edu
      /pub/cypherpunks/pgp (DOS, MAC)

    ftp.demon.co.uk
      /pub/amiga/pgp
      /pub/archimedes
      /pub/pgp
      /pub/mac/MacPGP

    ftp.informatik.tu-muenchen.de

    ftp.funet.fi

    ftp.dsi.unimi.it
      /pub/security/crypt/PGP

    ftp.tu-clausthal.de (139.174.2.10) (Atari ST/E,TT,Falcon)
      /pub/atari/misc/pgp/pgp26uib.lzh (2.6ui ttp, 2.3a docs)
      /pub/atari/misc/pgp/pgp26uis.lzh (2.6ui sources)
      /pub/atari/misc/pgp/pgp26ui.diffs (Atari diffs for 2.6 sources)

    wuarchive.wustl.edu
      /pub/aminet/util/crypt

    src.doc.ic.ac.uk (Amiga)
      /aminet
      /amiga-boing

    ftp.informatik.tu-muenchen.de
      /pub/comp/os/os2/crypt/pgp23os2A.zip (OS/2)

    iswuarchive.wustl.edu
      pub/aminet/util/crypt (Amiga)

    nic.funet.fi  (128.214.6.100)
      /pub/crypt

    ftp.uni-kl.de (131.246.9.95)
      /pub/aminet/util/crypt

    qiclab.scn.rain.com (147.28.0.97)

    pc.usl.edu (130.70.40.3)

    leif.thep.lu.se (130.235.92.55)

    goya.dit.upm.es (138.4.2.2)

    tupac-amaru.informatik.rwth-aachen.de (137.226.112.31)

    ftp.etsu.edu (192.43.199.20)

    princeton.edu (128.112.228.1)

    pencil.cs.missouri.edu (128.206.100.207)

    soda.csua.berkeley.edu

    nctuccca.edu.tw
      /PC/wuarchive/pgp/

Also, try an archie search for PGP using the command:

    archie -s pgp26  (DOS & Unix Versions)
    archie -s pgp2.6 (MAC Versions)


FTPMAIL

For those individuals who do not have access to FTP, but do have access
to e-mail, you can get FTP files mailed to you.  For information on
this service, send a message saying "Help" to ftpmail@decwrl.dec.com.
You will be sent an instruction sheet on how to use the ftpmail
service.

Another e-mail service is from nic.funet.fi. Send the following mail message
to mailserv@nic.funet.fi:

    ENCODER uuencode
    SEND pub/crypt/pgp23srcA.zip
    SEND pub/crypt/pgp23A.zip

This will deposit the two zipfiles, as 15 batched messages, in your mailbox
with about 24 hours.  Save and uudecode.

For the ftp sites on netcom, send mail to ftp-request@netcom.com containing
the word HELP in the body of the message.


IS MY COPY OF PGP GOOD?

If you find a version of the PGP package that does not include the PGP User's
Guide, something is wrong.  The manual should always be included in the
package.  PGP should be signed by one of the developers (Philip Zimmermann,
Jeff Schiller, Viacrypt, etc.).  If it isn't, the package is suspect and
should not be used or distributed.  The site you found it on should remove it
so that it does no further harm to others.  To be really sure, you should get
PGP directly from MIT or check the signatures with a version of PGP that you
trust.  The copies of PGP on ftp.csn.net/mpj, ftp.netcom.com/pub/mpj, and the
Colorado Catacombs BBS are direct copies of the ones on MIT, except that the
ones on the BBS include a BBS advertisement (automatically added by the
system when it virus scans new files) in the outer .zip files.


OTHER PGP DOCUMENTATION

   PGP is rather counter-intuitive to a Mac user. Luckily, there's a
   guide to using MacPGP in
   ftp://ftp.netcom.com/pub/qwerty/Here.is.How.to.MacPGP.

   There is a Frequently Asked Questions document in
   ftp://ftp.netcom.com/pub/gbe/pgpfaq.asc

   For more information on the "time bomb" in PGP, see
   ftp://ftp/netcom.com/pub/mpj/pgpbomb.asc


LANGUAGE MODULES

   These are suitable for most PGP versions.  I am not aware of any
   export/import restrictions on these files.

    German
     * _UK:_ ftp://black.ox.ac.uk/src/security/pgp_german.txt
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha

    Italian
     * _IT:_
     ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.italian.tar.gz
     * _FI:_
     ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/PGP/pgp-lang.italian.tar.gz
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.italian.tar.gz

    Japanese
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz

    Lithuanian
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip

    Russian
     * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip (MIT version)
     * _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26uir.zip (ui version)
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp26ru.zip

    Spanish
     * _IT:_
     ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/pgp-lang.spanish.tar.gz
     * _FI:_
       ftp://ftp.funet.fi/pub/crypt/ghost.dsi.unimi.it/pgp-lang.spanish.tar.gz
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz

    Swedish
     * _UK:_ ftp://black.ox.ac.uk/src/security/pgp_swedish.txt
     * _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_swedish.txt


ARCHIE WHO?

There are many more sites.  You can use archie and/or other "net-surfing"
tools to find a more up-to-date listing, if desired.


WHAT IS ALL THIS NONSENSE ABOUT EXPORT CONTROLS?

For a detailed rant, get ftp://ftp.csn.net/mpj/cryptusa.zip

The practical meaning, until the law is corrected to make sense, is that you
are requested to get PGP from sites outside of the USA and Canada if you are
outside of the USA and Canada.  If you are in France, I understand that you
aren't even supposed import it.  Other countries may be worse.

It is illegal to export PGP from the USA to any country except Canada, even
if that version of PGP originated outside of the USA.  Don't do it.  Don't
ask me to do it.  The law is not rational, but it exists, and the Federal
Government has no sense of humor.  On the other hand, if you should discover
a copy of PGP in some place other than the USA, then you are bound by the
laws of both that country and your own country with respect to what you can
do with it, not necessarily by U. S. Law.  Your laws may be more or less
restrictive, and may possibly refer to U. S. Law through some sort of treaty.
If you live in a place where you can freely distribute and use PGP, then I
applaud your government.

In spite of the best efforts of MIT and the other primary developers and
distributors of PGP not to violate the International Traffic in Arms
Regulations, MIT PGP has been observed to migrate to many foreign sites.
Whoever is responsible for this export is responsible for their own actions
and is not encouraged or endorsed by myself, Philip Zimmermann, or MIT.  This
doesn't necessarily mean that we agree with the law, or even that the law
itself is Constitutional.  It just means that becoming a test case is not
fun.


WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN THE USA?

MIT PGP is only for noncommercial use because of restrictions on the
licensing of both the RSA algorithm (attached to RSAREF) and the IDEA
algorithm.  PKP/RSADSI insist that we use RSAREF instead of the mpi library
for reasons that make sense to them.

For commercial use, use Viacrypt PGP, which is fully licensed to use both the
RSA and IDEA algorithms in commercial and corporate environments.


WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN CANADA?

MIT PGP is only for noncommercial use because of restrictions on the
licensing of the IDEA algorithm.  Because the RSA algorithm isn't patented in
Canada, you are free to use the mpi library instead of RSAREF, if you want
to, thus freeing yourself of the RSAREF license.

For commercial use, use Viacrypt PGP, which is fully licensed to use the IDEA
algorithm in commercial and corporate environments.


WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST OUTSIDE NORTH AMERICA?

MIT PGP is only for noncommercial in areas where there is a patent on
software implementations of the IDEA algorithm.  Because the RSA algorithm
isn't patented outside of the USA, you are free to use the mpi library
instead of RSAREF, if you want to, thus freeing yourself of the RSAREF
license.

For commercial use, you cannot buy Viacrypt PGP, but you can arrange to
license your use of IDEA directly from ETH Zurich.  If software
implementations of IDEA are not covered by a patent in your country, then you
can use the freeware versions of PGP, provided that you compile it with the
mpi library instead of RSAREF.


WHAT IS THE "TIME BOMB" IN MIT PGP 2.6?

As a concession to the RSA patent holders (in return for endorsement of the
legality of the freeware MIT PGP 2.6), MIT placed an inducement in MIT PGP
2.6 to encourage upgrade from the alledgedly patent-infringing PGP 2.3a to
the MIT version.  The nature of this inducement is a change in a packet ID
byte that causes PGP 2.3a and earlier to reject messages created by MIT PGP
2.6 after 1 September 1994.  Altering MIT PGP 2.6 to bypass this annoyance
(though technically an easy change to the LEGAL_KLUDGE), invalidates the
blessing of Public Key Partners on the licence of MIT PGP 2.6.  Therefore, it
is a bad idea.  On the other hand, it is trivial to hack PGP 2.3a to accept
these packets, and that (plus a few other bug fixes) is essentially what PGP
2.6ui is.  None of the versions of PGP greater than 2.3 have problems reading
the old packet ID values, so for maximum compatibility, the ideal is to write
the old value and accept either value.

Unfortunately, this time bomb has a negative effect on Viacrypt PGP 2.4, as
well, which never infringed on anyone's patents.  Viacrypt's solution was to
issue PGP 2.7, which, by default acts just like MIT PGP 2.6, but has a
config.txt option (explained in the release) that allows compatibility with
both PGP 2.4 and PGP 2.6.  Naturally, this also allows compatibility with PGP
2.3a.

The time bomb is annoying for those who still wish to use PGP 2.3a, and for
those who use Viacrypt PGP 2.4 and don't want to spend US$10 to upgrade to
Viacrypt PGP 2.7, but considering the magnitude of the concession made by
Public Key Partners in legitimizing the freeware PGP for use in the USA, it
was worth it.

For more information on the time bomb, see ftp://ftp.csn.net/mpj/pgpbomb.asc


ARE MY KEYS COMPATIBLE WITH THE OTHER PGP VERSIONS?

If your RSA key modulus length is less than or equal to 1024 bits (I don't
recommend less, unless you have a really slow computer and little patience),
and if your key was generated in the PKCS format, then it will work with any
of the current PGP versions (MIT PGP 2.6, PGP 2.6ui, or Viacrypt PGP 2.7). If
this is not the case, you really should generate a new key that qualifies.

Philip Zimmermann is aware of the desire for longer keys in PGP by some PGP
fans (like me), but wants to migrate towards that goal in an orderly way, by
first releasing versions of PGP in for all platforms and for both commercial
(Viacrypt) and freeware (MIT) flavors that ACCEPT long keys, then releasing
versions that can also GENERATE long keys.  He also has some other neat key
management ideas that he plans to implement in future versions.


BUGS

These are the most annoying:

MIT PGP 2.6 -- the function xorbytes doesn't.  Replace the = with ^= to fix
               it.  The effect of this bug is that RSA keys aren't quite as
               random as they should be -- probably not a practical problem,
               but worth fixing if you are going to compile the code
               yourself.  Fixed in 2.6.1.

MIT PGP 2.6 -- DON'T SET PGPPASS when editing your keys, because if you do,
               and if you don't change your pass phrase, the key is lost.
               (If this happens, rename your backup keyring files to the
               primary files before you do anything else).  Fixed in 2.6.1.

PGP 2.6ui --   Conventional encryption -c option doesn't use a different IV
               every time, like it is supposed to.  (PGP 2.3a had this
               problem, too).  Fixed in 2.6 and 2.6.1.


HOW DO I PUBLISH MY PGP PUBLIC KEY?

There are lots of ways.  One way is to use a key server.  Send mail to one of
these addresses with the single word "help" in the subject line to find out
how to use a key server.

        pgp-public-keys@pgp.iastate.edu
        public-key-server@pgp.ai.mit.edu
        pgp-public-keys@demon.co.uk
                FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp (Updated daily)
        pgp-public-keys@cs.tamu.edu
        pgp-public-keys@chao.sw.oz.au
        pgp-public-keys@jpunix.com
        pgp-public-keys@dsi.unimi.it
        pgp-public-keys@kiae.su
        pgp-public-keys@fbihh.informatik.uni-hamburg.de

        There is also an experimental public key server at
        http://ibd.ar.com/PublicKeys.html

Another way is to upload it to the PGP public keys area of the Colorado
Catacombs BBS (303-772-1062).  Another way is to just send it to your
correspondents.  You could add it to your .plan file so that finger returns
your key.  You could add it to some of your postings.  No matter which way you
do it, you should have your key signed by someone who verifies that your key
belongs to you, so that you don't have someone else generating a key that has
your name on it, but that isn't yours.

Here is my public key:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7

mQCNAi4PT2QAAAEEAPPCZnrshEJ9PSnV+mXEwjM4kzJF0kyg2MnLMzo83vWI40ei
jogncqdkXT0c2TQWg+Bsu9ckFoXdId0utumYv0aqd8yI/oU/DwJ1zJrqRL2PFbxe
ZLofHoKFjvq1TiNiJq9ps3jW6iYS4IU1SzyKhjmyE+K0+WyrPPX0zg8FAL9FAAUR
tCdNaWNoYWVsIFBhdWwgSm9obnNvbiA8bXBqQGNzbi5vcmc+IG1wajiJAJUCBRAu
G3chZXmEuMepZt0BAZtAA/0Rw5mintlUDgHycNbeoyIiMHoLu8jWaCSaiGSt+dDU
1A/bUCo+gorv5TYxOClRf3XHjD6zSooWyUz3ehotrzPYLunhVOE2YBxPU+OvKFOc
37mcZrnXGBlF5NblnSYxp0186tGaTm7WMWx7NDlHT4GvhzHJQSOoo48ykDkKm/mk
LIkAlQIFEC4PWbs/ZwY8hTPrxQEBKyMD/A7kv91C1ZZIRtkbC9k9lsWOgOnO8wG8
bGMajaco465Z5llWD+Y8QCMdSWcowtOBGfW0Wv1bZ1uebeCpg1L66pJ7C+BOExrk
gPqRVCstLLiVerKGeSOZo3yXtxYKYX7mHQPrHp98ef7fUG4IiKS+S+znmGxpJwrV
sHZRlhJ3hXUsiQCVAgUQLg9ZefX0zg8FAL9FAQFBTAQAh4u4Vun7WhPuL6fsXiXm
paaGfeLtd3biRj/aOMAG1eHuhVdWejx71ormyKTdNB2YV56bpsE3JQ/KhBuYDo0N
SkRnqeM2S+Ef7aZEg6Q44uXG52pqCZUldtCeYfOs3aLCR9SMlc6Y3zmpSwB1wKP0
5+tN9zruNYVKKBLWEIFAY7W0K01pY2hhZWwgUGF1bCBKb2huc29uIDxtLnAuam9o
bnNvbkBpZWVlLm9yZz60IE1pY2hhZWwgSm9obnNvbiA8bXBqQG5ldGNvbS5jb20+
tChNaWtlIEpvaG5zb24gPDcxMzMxLjIzMzJAY29tcHVzZXJ2ZS5jb20+tCtNaWNo
YWVsIFAuIEpvaG5zb24gPG1wam9obnNvQG55eC5jcy5kdS5lZHU+tC1EbyBub3Qg
dXNlIGZvciBlbmNyeXB0aW9uIGFmdGVyIDI3IEp1bmUgMTk5Ni4=
=rR4q
- -----END PGP PUBLIC KEY BLOCK-----

                  ___________________________________________________________
 |\  /| |        |                                                           |
 | \/ |o|        | Michael Paul Johnson  Colorado Catacombs BBS 303-772-1062 |
 |    | | /  _   | mpj@csn.org aka mpj@netcom.com m.p.johnson@ieee.org       |
 |    |||/  /_\  | ftp://ftp.csn.net/mpj/README.MPJ          CIS: 71331,2332 |
 |    |||\  (    | ftp://ftp.netcom.com/pub/mpj/README.MPJ  -. --- ----- ....|
 |    ||| \ \_/  |___________________________________________________________|


-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCVAgUBLm3RD/X0zg8FAL9FAQGqnwQA5R8PVpgT0tHG7GSY2jjNM9EKnQAngOdy
ByZYVhh9lm/7WywiiBsY5XWDwFUEwIC79e+UeCY+8lAhiUEEWQdCAvYO7b/LCtSn
D9TL3teei4sH6Z4kpDFFn8peWVwoEc/2l9nWrtUlT1cFvBDKn1KRK8MlZgH0Gld4
J+vPYYYrDMg=
=u06H
-----END PGP SIGNATURE-----





Thread