home *** CD-ROM | disk | FTP | other *** search
- Path: senator-bedfellow.mit.edu!faqserv
- From: jalicqui@prairienet.org
- Newsgroups: alt.security.pgp,alt.answers,news.answers
- Subject: PGP Frequently Asked Questions with Answers, Part 1/3
- Supersedes: <pgp-faq/part1_801484722@rtfm.mit.edu>
- Followup-To: alt.security.pgp
- Date: 23 Jun 1995 12:33:07 GMT
- Organization: none
- Lines: 840
- Approved: news-answers-request@MIT.EDU
- Expires: 6 Aug 1995 12:32:08 GMT
- Message-ID: <pgp-faq/part1_803910728@rtfm.mit.edu>
- Reply-To: jalicqui@prairienet.org
- NNTP-Posting-Host: bloom-picayune.mit.edu
- Summary: This posting seeks to answer most of the common questions people
- ask about the Pretty Good Privacy (PGP) encryption program.
- X-Last-Updated: 1995/06/22
- Originator: faqserv@bloom-picayune.MIT.EDU
- Xref: senator-bedfellow.mit.edu alt.security.pgp:36814 alt.answers:10166 news.answers:46904
-
- Archive-name: pgp-faq/part1
- Posting-Frequency: monthly
- Last-modified: 22 June 1995
-
- -----BEGIN PGP SIGNED MESSAGE-----
-
- Frequently Asked Questions
- alt.security.pgp
- 25 May 1995
-
- ========================================================================
- IMPORTANT DISCLAIMER!
-
- The use of PGP raises a number of political and legal
- issues. I AM NOT a lawyer and AM NOT qualified to give
- any legal opinions. Nothing in this document should be
- interpreted as legal advice. If you have any legal
- questions concerning the use of PGP, you should consult
- an attorney who specializes in patent and/or export
- law. In any case, the law will vary from country to
- country.
- ========================================================================
-
- Introduction
-
- This is the list of Frequently Asked Questions for the Pretty Good
- Privacy (PGP) encryption program written by Phillip Zimmermann. It
- is one of two FAQ lists for the newsgroup alt.security.pgp.
-
- The other FAQ list is the "Where to Get PGP" FAQ, which is written and
- maintained by Michael Paul Johnson <mpj@netcom.com>. It covers many
- topics this one does not; in particular, it contains more complete
- information on sites that distribute PGP and the legal and technical
- questions surrounding its distribution. You may get a current copy
- from:
-
- ftp://ftp.csn.net/mpj/getpgp.asc
-
- This FAQ is slanted towards the DOS or Unix users of PGP and many of
- the examples given may only apply to them. For other systems, I would
- like to direct your attention to the following documents:
-
- MAC: "Here's How to MacPGP!" by Xenon <an48138@anon.penet.fi>
- Archimedes PGP comes with its own PGPhints file.
- Send e-mail to pgpinfo@mantis.co.uk for a list of PGP tips.
-
- It should be noted that most of the questions and answers concerning
- PGP apply equally well to the ViaCrypt(tm) version.
-
- Material for this FAQ has come from many different sources. It would
- be difficult to name each of the contributors individually, but I
- would like to thank them as a group for their assistance.
-
- A current copy of this FAQ can be retrieved from my WWW home page:
-
- http://www.prairienet.org/~jalicqui/pgpfaq.txt
-
- or via FTP:
-
- ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.?
-
- The ? indicates the file format: clearsigned text (txt), gzipped
- version of clearsigned text (txt.gz), PGP-signed-and-compressed binary
- (pgp), or ASCII armored PGP-signed-and-compressed file (asc).
-
- The PGP FAQ is also posted to news.answers and alt.answers, and can be
- found in any of the standard FAQ repositories in the three-part form
- it is posted in.
-
- Permission is granted to copy, archive, or otherwise make this FAQ
- available in any way you please, with only the following restriction:
- that in every place where this FAQ may be accessed, it must also be
- reasonably easy for a user to access a copy of the FAQ with its PGP
- signature(s) from me intact. This ensures that uncorrupted copies of
- the FAQ get propagated where those who care can check them, and also
- preserves attributions, etc. If you HTMLize this document, you can
- tag the two links mentioned above if you want to avoid storing
- multiple copies of the FAQ.
-
- Future plans for the FAQ:
-
- - Mac section!
- - hypertexting it and making it available in various forms (LaTeX,
- HTML, texinfo, or some such)
-
- Any corrections or suggestions should be sent to me.
-
- Jeff Licquia
- jalicqui@prairienet.org
-
- ========================================================================
-
- Table of Contents
-
- 1. Introductory Questions
- 1.1. What is PGP?
- 1.2. Why should I encrypt my mail? I'm not doing anything illegal!
- 1.3. What are public keys and private keys?
- 1.4. How much does PGP cost?
- 1.5. Is encryption legal?
- 1.6. Is PGP legal?
- 1.7. What's the current version of PGP?
- 1.8. Is there an archive site for alt.security.pgp?
- 1.9. Is there a commercial version of PGP available?
- 1.10. Is PGP available as a programming library, so I can write
- programs that use it?
- 1.11. What platforms has PGP been ported to?
- 1.12. Where can I obtain PGP?
- 1.13. I want to find out more!
-
- 2. Very Common Questions and Problems
- 2.1. Why can't a person using version 2.2 read my version 2.3 message?
- 2.2. Why can't a person using version 2.3 read my version 2.6 message?
- 2.3. Why does PGP complain about checking signatures every so often?
- 2.4. Why does it take so long to encrypt/decrypt messages?
- 2.5. How do I create a secondary key file?
- 2.6. How does PGP handle multiple addresses?
- 2.7. Where can I obtain scripts to integrate pgp with my email or news
- reading system?
- 2.8. How can I decrypt messages I've encrypted to others?
- 2.9. Why can't I generate a key with PGP for Unix?
- 2.10. When I clearsign a document in PGP, it adds a "dash-space" to
- several of my lines. What gives?
-
- 3. Security Questions
- 3.1. How secure is PGP?
- 3.2. Can't you break PGP by trying all of the possible keys?
- 3.3. How secure is the conventional cryptography (-c) option?
- 3.4. Can the NSA crack RSA?
- 3.5. Has RSA ever been cracked publicly? What is RSA-129?
- 3.6. How secure is the "for your eyes only" option (-m)?
- 3.7. What if I forget my pass phrase?
- 3.8. Why do you use the term "pass phrase" instead of "password"?
- 3.9. What is the best way to crack PGP?
- 3.10. If my secret key ring is stolen, can my messages be read?
- 3.11. How do I choose a pass phrase?
- 3.12. How do I remember my pass phrase?
- 3.13. How do I verify that my copy of PGP has not been tampered with?
- 3.14. I can't verify the signature on my new copy of MIT PGP with my
- old PGP 2.3a!
- 3.15. How do I know that there is no trap door in the program?
- 3.16. I heard that the NSA put a back door in MIT PGP, and that they
- only allowed it to be legal with the back door.
- 3.17. Can I put PGP on a multi-user system like a network or a mainframe?
- 3.18. Can I use PGP under a "swapping" operating system like Windows
- or OS/2?
- 3.19. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, & RSA?
- 3.20. Aren't all of these security procedures a little paranoid?
- 3.21. Can I be forced to reveal my pass phrase in any legal proceedings?
-
- 4. Keys
- 4.1. Which key size should I use?
- 4.2. Why does PGP take so long to add new keys to my key ring?
- 4.3. How can I extract multiple keys into a single armored file?
- 4.4. I tried encrypting the same message to the same address two different
- times and got completely different outputs. Why is this?
- 4.5. How do I specify which key to use when an individual has 2 or more
- public keys and the very same user ID on each, or when 2 different
- users have the same name?
- 4.6. What does the message "Unknown signator, can't be checked" mean?
- 4.7. How do I get PGP to display the trust parameters on a key?
- 4.8. How can I make my key available via finger?
-
- 5. Message Signatures
- 5.1. What is message signing?
- 5.2. How do I sign a message while still leaving it readable?
- 5.3. Can't you just forge a signature by copying the signature
- block to another message?
- 5.4. Are PGP signatures legally binding?
-
- 6. Key Signatures
- 6.1. What is key signing?
- 6.2. How do I sign a key?
- 6.3. Should I sign my own key?
- 6.4. Should I sign X's key?
- 6.5. How do I verify someone's identity?
- 6.6. How do I know someone hasn't sent me a bogus key to sign?
- 6.7. What's a key signing party?
- 6.8. How do I organize a key signing party?
-
- 7. Revoking a key
- 7.1. My secret key ring has been stolen or lost, what do I do?
- 7.2. I forgot my pass phrase. Can I create a key revocation certificate?
-
- 8. Public Key Servers
- 8.1. What are the Public Key Servers?
- 8.2. What public key servers are available?
- 8.3. What is the syntax of the key server commands?
-
- 9. Bugs
-
- 10. Recommended Reading
-
- 11. General Tips
-
- Appendix I - PGP add-ons and Related Products
- Appendix II - Glossary of Cryptographic Terms
- Appendix III - Cypherpunks
- Appendix IV - Testimony of Philip Zimmermann to Congress
- Appendix V - Announcement of Philip Zimmermann Defense Fund
- Appendix VI - A Statement from ViaCrypt Concerning ITAR
-
- ========
-
- 1. Introductory Questions
-
- ========
-
- 1.1. What is PGP?
-
- PGP is a program that gives your electronic mail something that it
- otherwise doesn't have: Privacy. It does this by encrypting your mail
- so that nobody but the intended person can read it. When encrypted,
- the message looks like a meaningless jumble of random characters. PGP
- has proven itself quite capable of resisting even the most
- sophisticated forms of analysis aimed at reading the encrypted text.
-
- PGP can also be used to apply a digital signature to a message without
- encrypting it. This is normally used in public postings where you
- don't want to hide what you are saying, but rather want to allow
- others to confirm that the message actually came from you. Once a
- digital signature is created, it is impossible for anyone to modify
- either the message or the signature without the modification being
- detected by PGP.
-
- While PGP is easy to use, it does give you enough rope so that you can
- hang yourself. You should become thoroughly familiar with the various
- options in PGP before using it to send serious messages. For example,
- giving the command "PGP -sat <filename>" will only sign a message, it
- will not encrypt it. Even though the output looks like it is
- encrypted, it really isn't. Anybody in the world would be able to
- recover the original text.
-
- ========
-
- 1.2. Why should I encrypt my mail? I'm not doing anything illegal!
-
- You should encrypt your e-mail for the same reason that you don't
- write all of your correspondence on the back of a post card. E-mail is
- actually far less secure than the postal system. With the post office,
- you at least put your letter inside an envelope to hide it from casual
- snooping. Take a look at the header area of any e-mail message that
- you receive and you will see that it has passed through a number of
- nodes on its way to you. Every one of these nodes presents the
- opportunity for snooping. Encryption in no way should imply illegal
- activity. It is simply intended to keep personal thoughts personal.
-
- Xenon <an48138@anon.penet.fi> puts it like this:
-
- Crime? If you are not a politician, research scientist, investor, CEO,
- lawyer, celebrity, libertarian in a repressive society, investor, or
- person having too much fun, and you do not send e-mail about your
- private sex life, financial/political/legal/scientific plans, or
- gossip then maybe you don't need PGP, but at least realize that
- privacy has nothing to do with crime and is in fact what keeps the
- world from falling apart. Besides, PGP is FUN. You never had a secret
- decoder ring? Boo! -Xenon (Copyright 1993, Xenon)
-
- ========
-
- 1.3. What are public keys and private keys?
-
- With conventional encryption schemes, keys must be exchanged with
- everyone you wish to talk to by some other secure method such as face
- to face meetings, or via a trusted courier. The problem is that you
- need a secure channel before you can establish a secure channel! With
- conventional encryption, either the same key is used for both
- encryption and decryption or it is easy to convert either key to the
- other. With public key encryption, the encryption and decryption keys
- are different and it is impossible for anyone to convert one to the
- other. Therefore, the encryption key can be made public knowledge, and
- posted in a database somewhere. Anyone wanting to send you a message
- would obtain your encryption key from this database or some other
- source and encrypt his message to you. This message can't be decrypted
- with the encryption key. Therefore nobody other than the intended
- receiver can decrypt the message. Even the person who encrypted it can
- not reverse the process. When you receive a message, you use your
- secret decryption key to decrypt the message. This secret key never
- leaves your computer. In fact, your secret key is itself encrypted to
- protect it from anyone snooping around your computer.
-
- ========
-
- 1.4. How much does PGP cost?
-
- Nothing! (Compare to ViaCrypt PGP at $98!)
-
- It should be noted, however, that in the United States, some freeware
- versions of PGP *MAY* be a violation of a patent held by Public Key
- Partners (PKP). The MIT and ViaCrypt versions specifically are not in
- violation; if you use anything else, it's your risk. See below
- (question 1.6) for more information on the patent situation.
-
- Also, the free versions of PGP are free only for noncommercial use.
- If you need to use PGP in a commercial setting (and you live in the
- United States or Canada), you should buy a copy of ViaCrypt PGP.
- ViaCrypt PGP has other advantages as well, most notably a limited
- license to export it to foreign branch offices. See below, under
- question 1.10, for information on how to contact ViaCrypt.
-
- If you need to use PGP for commercial use outside the United States or
- Canada, you should contact Ascom Systec AG, the patent holders for IDEA.
- They have sold individual licenses for using the IDEA encryption in
- PGP. Contact:
-
- Erhard Widmer
- Ascom Systec AG
- Dep't. CMVV
- Gewerbepark
- CH-5506 Maegenwil
- Switzerland
- IDEA@ascom.ch
-
- ++41 64 56 59 83 (Fax ++41 64 56 59 90)
-
- ========
-
- 1.5. Is encryption legal?
-
- In much of the civilized world, encryption is either legal, or at
- least tolerated. However, there are a some countries where such
- activities could put you in front of a firing squad! Check with the
- laws in your own country before using PGP or any other encryption
- product. A couple of the countries where encryption is illegal are
- France, Iran, and Iraq.
-
- *** NEWS FLASH ***
-
- On April 3, 1995, Boris Yeltsin issued a decree formally banning
- encryption with methods not approved by the state. This would,
- presumably, include PGP. Thus, Russia must be added to the short list
- above.
-
- *** END NEWS FLASH ***
-
- The legal status of encryption in many countries has been placed on
- the World Wide Web. You can access it from:
-
- http://web.cnam.fr/Network/Crypto/
-
- ========
-
- 1.6. Is PGP legal?
-
- In addition to the comments about encryption listed above, there are a
- couple of additional issues of importance to those individuals
- residing in the United States or Canada.
-
- First, there is a question as to whether or not PGP falls under ITAR
- regulations which govern the exporting of cryptographic technology
- from the United States and Canada. This despite the fact that
- technical articles on the subject of public key encryption have been
- available legally worldwide for a number of years. Any competent
- programmer would have been able to translate those articles into a
- workable encryption program. A lawsuit has recently been filed by the
- EFF challenging the ITAR regulations; thus, they may be relaxed to
- allow encryption technology to be exported.
-
- Second, older versions of PGP (up to 2.3a) were thought to be
- violating the patent on the RSA encryption algorithm held by Public
- Key Partners (PKP), a patent that is only valid in the United States.
- This was never tested in court, however, and recent versions of PGP
- have been made with various agreements and licenses in force which
- effectively settle the patent issue. So-called "international"
- versions and older versions (previous to ViaCrypt PGP 2.4), however,
- are still considered in violation by PKP; if you're in the USA, use
- them at your own risk!
-
- ========
-
- 1.7. What's the current version of PGP?
-
- You would think that's an easy question to answer!
-
- At the moment, there are four different "current" versions of PGP.
- All of these are derived, more or less, from a common source base: PGP
- 2.3a, the last "guerillaware" version of PGP. Negotiations to make
- PGP legal and "legitimate" have resulted in the differing versions
- available; all of them, for the most part, are approximately
- equivalent in functionality, and they can all work with each other in
- most respects.
-
- MIT PGP 2.6.2 is the current "official" freeware version. It has been
- developed both with Phil Zimmermann's approval and active involvement.
- It contains several bug fixes and enhancements over 2.3a, and it
- avoids the patent question surrounding other versions of PGP by using
- the RSAREF library for some of its functions. This library was
- developed by RSA Data Security, Inc., and is (basically) free for
- noncommercial use. As part of MIT's agreement with RSADSI, all
- versions of MIT PGP generate encrypted messages that cannot be
- decrypted with PGP 2.3a or previous versions.
-
- ViaCrypt PGP 2.7.1 is the current "official" commercial version. It
- is available from ViaCrypt, a company out of Arizona, and also has
- Phil's approval and involvement. See below for details on this
- version.
-
- PGP 2.6.2i ("international") is a version of PGP developed from the
- source code of MIT PGP, which was exported illegally from the United
- States at some point. Basically, it is MIT PGP 2.6.2, but it uses the
- old encryption routines from PGP 2.3a; these routines perform better
- than RSAREF and in addition do not have the usage restrictions in the
- RSAREF copyright license. It also contains some fixes for bugs
- discovered since the release of MIT PGP 2.6.2.
-
- PGP 2.6ui ("unofficial international") is PGP 2.3a with minor
- modifications made so it can decrypt files encrypted with MIT PGP. It
- does not contain any of the MIT fixes and improvements; it does,
- however, have other improvements, most notably in the Macintosh
- version.
-
- ========
-
- 1.8. Is there an archive site for alt.security.pgp?
-
- laszlo@instrlab.kth.se (Laszlo Baranyi) says:
-
- "My memory says that ripem.msu.edu stores a backlog of both
- alt.security.pgp, and sci.crypt. But that site is ONLY open for ftp
- for those that are inside US."
-
- ========
-
- 1.9. Is there a commercial version of PGP available?
-
- Yes; by arrangement with the author of PGP, a company called ViaCrypt
- is marketing a version of PGP that is almost identical to the freeware
- version. Each can read or write messages which the other can
- understand.
-
- ViaCrypt reports:
-
- - -----
- If you are a commercial user of PGP in the USA or Canada, contact
- Viacrypt in Phoenix, Arizona, USA. The commercial version of PGP
- is fully licensed to use the patented RSA and IDEA encryption
- algorithms in commercial applications, and may be used in
- corporate and government environments in the USA and Canada. It
- is fully compatible with, functionally the same as, and just as
- strong as the freeware version of PGP. Due to limitations on
- ViaCrypt's RSA distribution license, ViaCrypt only distributes
- executable code and documentation for it, but they are working on
- making PGP available for a variety of platforms. Call or write
- to them for the latest information. The latest version number
- for Viacrypt PGP is 2.7. [Note: Since this statement was issued,
- ViaCrypt has updated ViaCrypt PGP to 2.7.1.]
-
- Here is a brief summary of Viacrypt's currently-available
- products:
-
- 1. ViaCrypt PGP for Windows (3.1). Prices start at $124.98
-
- 2. ViaCrypt PGP for Macintosh, 680x0 or PowerPC, System 6.04 or
- later. Prices start at $124.98
-
- 3. ViaCrypt PGP for MS-DOS. Prices start at $99.98
-
- 4. ViaCrypt PGP for UNIX. Includes executables for the following
- platforms:
-
- SunOS 4.1.x (SPARC)
- Solaris 2.3
- IBM RS/6000 AIX
- HP 9000 Series 700/800 UX
- SCO 386/486 UNIX
- SGI IRIX
- AViiON DG-UX(88/OPEN)
-
- Prices start at $149.98
-
- Executables for the following additional platforms are
- available upon request for an additional $30.00 charge.
-
- BSD 386
- Ultrix MIPS DECstation 4.x
- DEC Alpha OSF/1
- NeXTSTEP
-
- 5. ViaCrypt PGP for WinCIM/CSNav. A special package for users of
- CompuServe. Prices start at $119.98
-
- If you wish to place an order please call 800-536-2664 during the
- hours of 8:30am to 5:00pm MST, Monday - Friday. We accept VISA,
- MasterCard, AMEX and Discover credit cards.
-
- If you have further questions, please feel free to contact me.
-
- Best Regards,
- Paul E. Uhlhorn
- Director of Marketing, ViaCrypt Products
- Mail: 9033 N. 24th Avenue
- Suite 7
- Phoenix, AZ 85021-2847
- Phone: (602) 944-0773
- Fax: (602) 943-2601
- Internet: viacrypt@acm.org
- Compuserve: 70304,41
- - -----
-
- They have also reported recently that they have gained a general
- export license for exporting ViaCrypt PGP to foreign subsidiaries of
- USA-based companies. Contact ViaCrypt for details.
-
- ========
-
- 1.10. Is PGP available as a programming library, so I can write
- programs that use it?
-
- Not yet. PGP 3.0, when it is released, is supposed to have support
- for doing this. The PGP development team has even released a
- preliminary API for the library; you can get it from:
-
- ftp://ftp.netcom.com/pub/dd/ddt/crypto/crypto_info/950212_pgp3spec.txt
-
- The development team has expressed that this is not a definitive spec;
- some of it is already out of date. It's good for getting the general
- idea, though. Send comments concerning the spec to pgp@lsd.com.
-
- In the meantime, you can write your programs to call the PGP program
- when necessary. In C, for example, you would likely use the system()
- or spawn...() functions to do this.
-
- ========
-
- 1.11. What platforms has PGP been ported to?
-
- PGP has been ported successfully to many different platforms,
- including DOS, the Macintosh, OS/2, Unix (just about all flavors),
- VMS, the Atari ST, Archimedes, and the Commodore Amiga. A Windows NT
- port is reportably in the works as well.
-
- If you don't see your favorite platform above, don't despair! It's
- likely that porting PGP to your platform won't be too terribly
- difficult, considering all the platforms it has been ported to. Just
- ask around to see if there might in fact be a port to your system, and
- if not, try it!
-
- PGP's VMS port, by the way, has its own Web page:
-
- http://www.tditx.com/~d_north/pgp.html
-
- ========
-
- 1.12. Where can I obtain PGP?
-
- PGP is very widely available, so much so that a separate FAQ has been
- written for answering this question. It is called, "WHERE TO GET THE
- PRETTY GOOD PRIVACY PROGRAM (PGP)"; it is posted in alt.security.pgp
- regularly, is in the various FAQ archive sites, and is also available
- from:
-
- ftp://ftp.csn.net/mpj/getpgp.asc
-
- However, I will describe below the ways to get the differing versions
- of PGP from their source sites. Please refer to the above document
- for more information.
-
- MIT PGP 2.6.2:
-
- Due to the ITAR regulations (described above), MIT has found it
- necessary to place PGP in an export-controlled directory to prevent
- people outside the United States from downloading it. If you are in
- the USA, you may follow these directions:
-
- Telnet to net-dist.mit.edu and log in as "getpgp". You will then be
- given a short statement about the regulations concerning the export of
- cryptographic software, and be given a series of yes/no questions to
- answer. If you answer correctly to the questions (they consist mostly
- of agreements to the RSADSI and MIT licenses and questions about
- whether you intend to export PGP), you will be given a special
- directory name in which to find the PGP code. At that point, you can
- FTP to net-dist.mit.edu, change to that directory, and access the
- software. You may be denied access to the directories even if you
- answer the questions correctly if the MIT site cannot verify that your
- site does in fact reside in the USA.
-
- Further directions, copies of the MIT and RSAREF licenses, notes, and
- the full documentation are freely available from:
-
- ftp://net-dist.mit.edu/pub/PGP/
-
- An easier method of getting to the PGP software is now available on
- the World Wide Web at the following location:
-
- http://bs.mit.edu:8001/pgp-form.html
-
- ViaCrypt PGP 2.7.1:
-
- ViaCrypt PGP is not generally available for FTP; it is commercial
- software. It is, furthermore, not available outside the United States
- or Canada except under special circumstances. See above (question
- 1.9) for contact information.
-
- PGP 2.6.2i:
-
- As Norway is not limited by ITAR, no hoops are needed to get this
- version:
-
- http://www.ifi.uio.no/~staalesc/PGP/home.html
- ftp://ftp.ox.ac.uk/pub/crypto/pgp/
-
- You may also get it via mail by sending a message to
- hypnotech-request@ifi.uio.no with your request in the subject:
-
- GET pgp262i[s].[zip | tar.gz]
-
- Specify the "s" if you want the source code. Putting ".zip" at the
- end gets you the files in the PKZIP/Info-ZIP archive format, while
- putting "tar.gz" at the end gets the files in a gzipped tar file.
-
- PGP 2.6ui:
-
- ftp://ftp.mantis.co.uk/pub/cryptography/
- http://www.mantis.co.uk/pgp/pgp.html
-
- This link is also an excellent resource for other information about PGP.
-
- A note on ftpmail:
-
- For those individuals who do not have access to FTP, but do have access
- to e-mail, you can get FTP files mailed to you. For information on
- this service, send a message saying "Help" to ftpmail@decwrl.dec.com.
- You will be sent an instruction sheet on how to use the ftpmail
- service.
-
- ========
-
- 1.13. I want to find out more!
-
- If this FAQ doesn't answer your question, there are several places for
- finding out information about PGP.
-
- Web/Mosaic/Lynx:
-
- Fran Litterio's Crypto Page (from the Virtual Library)
- http://draco.centerline.com:8080/~franl/crypto.html
- Using Microsoft Windows with PGP
- http://www.lcs.com/winpgp.html
- Derek Atkins' Official Bug List for MIT PGP
- http://www.mit.edu:8001/people/warlord/pgp-faq.html
- The Phil Zimmermann Legal Defense Fund Page
- http://www.netresponse.com/zldf
- The MCIP/Macintosh Cryptography Page
- http://uts.cc.utexas.edu/~grgcombs/htmls/crypto.html
- Jeff Licquia's Home Page
- http://www.prairienet.org/~jalicqui
-
- FTP Sites:
-
- ftp://ripem.msu.edu/pub/crypt/
- ftp://ftp.dsi.unimi.it/pub/security/crypt/
- ftp://ftp.csua.berkeley.edu/pub/cypherpunks/
-
- News Groups:
-
- alt.anonymous Discussion of anonymity and anon remailers
- alt.anonymous.messages For anonymous encrypted message transfer
- alt.privacy.clipper Clipper, Capstone, Skipjack, Key Escrow
- alt.security general security discussions
- alt.security.index index to alt.security
- alt.security.pgp discussion of PGP
- alt.security.ripem discussion of RIPEM
- alt.security.keydist key distribution via Usenet
- alt.society.civil-liberty general civil liberties, including privacy
- comp.compression discussion of compression algorithms
- comp.org.eff.news News reports from EFF
- comp.org.eff.talk discussion of EFF related issues
- comp.patents discussion of S/W patents, including RSA
- comp.risks some mention of crypto and wiretapping
- comp.society.privacy general privacy issues
- comp.security.announce announcements of security holes
- misc.legal.computing software patents, copyrights, computer laws
- sci.crypt methods of data encryption/decryption
- sci.math general math discussion
- talk.politics.crypto general talk on crypto politics
-
- ========
-
- 2. Very Common Questions and Problems
-
- ========
-
- 2.1. Why can't a person using version 2.2 read my version 2.3 message?
-
- You might try adding "+pkcs_compat=0" to your command line as follows:
- "pgp -seat +pkcs_compat=0 <filename>" By default, versions 2.3 and
- later of PGP uses a different header format that is not compatible
- with earlier versions of PGP. Inserting this option into the command
- will force PGP to use the older header format. You can also set this
- option in your config.txt file, but this is not recommended, as the
- newer versions of PGP cannot understand the old signature format.
-
- ========
-
- 2.2. Why can't a person using version 2.x read my version 2.6 message?
-
- You are probably using MIT PGP, or possibly some other version of PGP
- with the "legal_kludge" option turned off.
-
- As part of the agreement made to settle PGP's patent problems, MIT PGP
- changed its format slightly to prevent PGP 2.4 and older versions
- from decrypting its messages. This format change was written into MIT
- PGP to happen on September 1, 1994. Thus, all messages encrypted with
- MIT PGP after that date are unreadable by 2.4 (and earlier).
-
- The best route here is for your friend to upgrade to a newer version
- of PGP. Alternatively, if you are using a non-MIT version, look up
- the "legal_kludge" option in your documentation; you should be able to
- configure your copy of PGP to generate old-style messages.
-
- ========
-
- 2.3. Why does PGP complain about checking signatures every so often?
-
- Version 2.3a introduced the "pkcs_compat" option, allowing the format
- of signatures to change slightly to make them more compatible with
- industry standards. (See question 2.1.) MIT PGP, because it uses the
- RSAREF library, is unable to understand the old signature format, so
- it therefore ignores the signature and warns you that it is doing so.
-
- This problem comes up mostly with old key signatures. If your key
- contains such old signatures, try to get those people who signed your
- key to resign it.
-
- If an old signature is still vitally important to check, get a non-MIT
- version of PGP to check it with, such as ViaCrypt's.
-
- ========
-
- 2.4. Why does it take so long to encrypt/decrypt messages?
-
- This problem can arise when you have placed the entire public key ring
- from one of the servers into the pubring.pgp file. PGP may have to
- search through several thousand keys to find the one that it is after.
- The solution to this dilemma is to maintain 2 public key rings. The
- first ring, the normal pubring.pgp file, should contain only those
- individuals that you send messages to quite often. The second key ring
- can contain ALL of the keys for those occasions when the key you need
- isn't in your short ring. You will, of course, need to specify the key
- file name whenever encrypting messages using keys in your secondary
- key ring. Now, when encrypting or decrypting messages to individuals
- in your short key ring, the process will be a LOT faster.
-
- ========
-
- 2.5. How do I create a secondary key file?
-
- First, let's assume that you have all of the mammoth public key ring
- in your default pubring.pgp file. First, you will need to extract all
- of your commonly used keys into separate key files using the -kx
- option. Next, rename pubring.pgp to some other name. For this example,
- I will use the name "pubring.big". Next, add each of the individual
- key files that you previously created to a new pubring.pgp using the
- - -ka option. To encrypt a message to someone in the short default file,
- use the command "pgp -e <file> <userid>". To encrypt a message to
- someone in the long ring, use the command "pgp -e
- +pubring=c:\pgp\pubring.big <file> <userid>". Note that you need to
- specify the complete path and file name for the secondary key ring. It
- will not be found if you only specify the file name.
-
- ========
-
- 2.6. How does PGP handle multiple addreses?
-
- When encrypting a message to multiple addresses, you will notice that
- the length of the encrypted file only increases by a small amount for
- each additional address. The reason that the message only grows by a
- small amount for each additional key is that the body of the message
- is only encrypted once using a random session key and IDEA. It is only
- necessary then to encrypt this session key once for each address and
- place it in the header of the message. Therefore, the total length of
- a message only increases by the size of a header segment for each
- additional address. (To avoid a known weakness in RSA when encrypting
- the same message to multiple recipients, the IDEA session key is
- padded with different random data each time it is RSA- encrypted.)
-
- ========
-
- 2.7. Where can I obtain scripts to integrate pgp with my email or news
- reading system?
-
- There are many scripts and programs available for making PGP easier to
- use. See below, in Appendix I, for a list of such programs.
-
- A set of scripts was distributed with PGP for doing this. Since these
- scripts were considered out of date, they have been removed from the
- MIT distribution.
-
- ========
-
- 2.8. How can I decrypt messages I've encrypted to others?
-
- With conventional encryption, you can read the message by running PGP
- on the encrypted file and giving the pass phrase you used to encrypt.
-
- With regular encryption, it's impossible unless you encrypted to
- yourself as well. Sorry!
-
- There is an undocumented setting, EncryptToSelf, which you can set in
- your CONFIG.TXT or on the command line to "on" if you want PGP to
- always encrypt your messages to yourself. Be warned, though; if your
- key is compromised, this means that the "cracker" will be able to read
- all the message you sent as well as the ones you've received.
-
- ========
-
- 2.9. Why can't I generate a key with PGP for Unix?
-
- Most likely this is caused because PGP can't create the public and
- private key ring files. If PGPPATH isn't defined, PGP will try to put
- those files in the subdirectory ".pgp" off your home directory. It
- will not create the directory if needed, so if the directory's not
- there already, PGP will crash after generating the key.
-
- There are two solutions: set the PGPPASS environment variable to point
- to the location of your key rings, or run a "mkdir $HOME/.pgp" before
- generating your key.
-
- ========
-
- 2.10. When I clearsign a document in PGP, it adds a "dash-space" to
- several of my lines. What gives?
-
- PGP does this because of the "-----BEGIN PGP MESSAGE-----" (and
- related) headers it uses to mark the beginning of PGP messages. To
- keep it from getting confused, it tacks a "- " to the beginning of
- every line in the regular text which has a dash at the start. It
- strips the extra dash and space when you check the message's
- signature, and writes the original text to the output.
-
-
- -----BEGIN PGP SIGNATURE-----
- Version: 2.6.2
-
- iQCVAwUBL+kAVLnwkw8DU+OFAQGTaQP/am6VQIXoSRvYsxw9ncyPmZDN+t/0r1+0
- osArYuWC167qo+hIBUcEwabRiLt2TvbTG91qjqTOUwkU+qB/eAj96ozHlN22AmmR
- 7ufvJAR4HjJFB+QBv5aFVB3/FTPoupDCnA6L79O4xXFHoBhxukYSJ5zswAZdVSbZ
- bY8ALveqhpY=
- =9GgA
- -----END PGP SIGNATURE-----
-