- Path: senator-bedfellow.mit.edu!dreaderd!not-for-mail
- Message-ID: <pgp-faq/where-is-PGP_1084363323@rtfm.mit.edu>
- Supersedes: <pgp-faq/where-is-PGP_1081853942@rtfm.mit.edu>
- Expires: 24 Jun 2004 12:02:03 GMT
- X-Last-Updated: 2002/08/23
- From: Michael Paul Johnson <mpj@ebible.org>
- Newsgroups: alt.security.pgp,alt.answers,news.answers
- Subject: Where to get the latest PGP (Pretty Good Privacy) FAQ
- Followup-To: poster
- Summary: Where to get the latest version of Pretty Good Privacy (PGP)
- Approved: news-answers-request@MIT.EDU
- Keywords: pgp, privacy, security, encryption, cryptology
- Distribution: world
- Organization: http://cryptography.org
- Originator: faqserv@penguin-lust.MIT.EDU
- Date: 12 May 2004 12:04:00 GMT
- Lines: 386
- NNTP-Posting-Host: penguin-lust.mit.edu
- X-Trace: 1084363440 senator-bedfellow.mit.edu 564 18.181.0.29
- Xref: senator-bedfellow.mit.edu alt.security.pgp:171648 alt.answers:72863 news.answers:271209
-
- Archive-name: pgp-faq/where-is-PGP
- Posting-Frequency: monthly
- Last-modified: 23 August 2002
- URL: http://cryptography.org/getpgp.htm
- URL: http://cryptography.org/getpgp.txt
-
- -----BEGIN PGP SIGNED MESSAGE-----
- Hash: SHA1
-
-
- WHERE TO GET PGP and GPG
- WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ
-
- Revised 23 August 2002
-
- This FAQ applies to Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG),
- and some other OpenPGP implementations.
-
- Disclaimer: some of this information may be outdated or otherwise
- inaccurate. I don't update it very often, but you should by all means be
- able to find an appropriate copy of PGP and its documentation using the
- information contained herein. Use it at your own risk.
-
- The master copies of this FAQ are at http://cryptography.org/getpgp.htm
- and http://cryptography.org/getpgp.txt
-
- The official (much more complete) PGP FAQ is available at:
- http://www.pgp.net/pgpnet/pgp-faq/
-
- WHERE ARE SOME OF THE BEST PLACES TO GET PGP ON THE WEB?
-
- PGP freeware - for personal, noncommercial use
- http://www.pgpi.com - The best source for the current versions.
- http://web.mit.edu/network/pgp.html - A trustworthy source for North
- Americans.
- http://cryptography.org - Archives of older versions and versions for
- various platforms for North Americans.
-
- Gnu Privacy Guard - free even for commercial use
- http://www.gnupg.org
- http://www.pgpi.com
- http://cryptography.org
-
- PGP Mail commercial version
- PGP Mail is now published and supported by PGP Corporation. See
- http://www.pgp.com for information on their current prices, versions,
- and support. For commercial applications where having a corporation to
- back up a product with support is important, or where maximum
- integration with Windows is also important, this is the preferable
- option. For commercial applications where low cost is the primary concern
- and you want to use a command line interface, Gnu Privacy Guard
- (http://www.gnupg.org) is better.
-
- Note: you may need an unzip utility, such as the InfoZip unzip that you
- can get from http://www.info-zip.org to decompress the files you
- download.
-
- WHERE CAN I GET MORE PGP INFORMATION?
-
- The best source of PGP information is in the PGP documentation that
- comes with PGP. For additional information, you may want to read:
- http://www.cryptorights.org/pgp-help-team/hello.html
- http://www.pgp.net/pgpnet/pgp-faq/
- http://www.mit.edu:8001/people/warlord/pgp-faq.html
- ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-01.txt
- http://cryptography.org/getpgp.htm
- http://web.cnam.fr/Network/Crypto/ (this one is in French)
- http://www.freedomfighter.net/crypto/pgp-history.html
- http://www.paranoia.com/~vax/pgp_versions.html
- http://www.faqs.org/faqs/pgp-faq/
- The PGP-Users Mailing List home page at http://pgp.rivertown.net
- contains many PGP related resources, including resources on privacy,
- anonymous remailers, and other related fields. The PGP-Users list
- archives are also linked to the page as is an HTML version of the
- PGP-FAQ (may not be the most recent), the PGP documentation, resources
- for MacPGP, links to another mailing list dedicated to PGPfone (which
- includes one of its authors, Will Price) and the one-of-a-kind PGPfone
- Registry, where PGPfone users who would like to test PGPfone with each
- other can leave messages in a browsable data base to let others find
- them to connect with each other.
- A good place to discuss PGP and ask questions about it is in the PGP
- news groups (i. e. comp.security.pgp).
-
- CAN I GET PGP DOCUMENTATION IN MY OWN LANGUAGE?
-
- Yes. You can get the official PGP documentation in several languages at
- http://www.pgpi.com. See also:
- German: http://www.geocities.com/Athens/1802/
- French: http://www.geocities.com/SiliconValley/Bay/9648/
-
- WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP AND GPG VERSIONS?
-
- PGP 5.0 introduces some new algorithms for both public key and
- conventional encryption. These changes are good from both technical
- (security & efficiency) and political (patent) standpoints. With the
- death of the Diffie-Hellman key exchange patent, the new algorithms in
- freeware PGP are 100% free of patent problems, and free of legalese such
- as comes with the RSAREF toolkit. The Diffie-Hellman key exchange key
- size limit is also larger than the old RSA limit, so PGP encryption is
- actually more secure, now.
-
- The new SHA1 hash function is better than MD5, so signatures are more
- secure, now, too. The conventional encryption used is all sound, and
- definitely not the weak link in the chain. This much is good news.
-
- The bad news, of course, is that there will be some interoperability
- problems, since no earlier versions of PGP can handle these algorithms,
- and some PGP freeware issued before the RSA algorithm math patent
- expired doesn't support RSA signatures and encryption.
-
- Gnu Privacy Guard was written from the ground up to be free software
- under the Gnu Public License. That means that it cannot use the IDEA
- symmetric key algorithm, and also that some versions were issued before
- the RSA patent expired in the USA, and therefore some older versions of
- GPG didn't support RSA signatures or encryption.
-
- For more information on PGP and GPG compatibility, please see
- http://www.openpgp.org.
-
- WHAT ARE SOME GOOD PGP BOOKS?
-
- Protect Your Privacy: A Guide for PGP Users
- by William Stallings
- Prentice Hall PTR
- ISBN 0-13-185596-4
- US $19.95
-
- PGP: Pretty Good Privacy
- by Simson Garfinkel
- O'Reilly & Associates, Inc.
- ISBN 1-56592-098-8
- US $24.95
-
- E-Mail Security:
- How To Keep Your Electronic Messages Private (covers PGP & PEM)
- by Bruce Schneier
- 365 pages
- 1995
- pub: John Wiley & Sons, Inc.
- ISBN 0-471-05318-X
- $24.95 US
-
- The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data
- Protection, and PGP Privacy Software
- by André Bacard
- Peachpit Press
- ISBN 1-56609-171-3
- US $24.95
- 800-283-9444 or 510-548-4393
-
- THE OFFICIAL PGP USER'S GUIDE
- by Philip R. Zimmermann
- MIT Press
- April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
- Standard PGP documentation neatly typeset and bound.
-
- PGP SOURCE CODE AND INTERNALS
- by Philip R. Zimmermann
- April 1995 - 804 pp. -
- US $55.00 - 0-262-24039-4 ZIMPH
-
- How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting
- Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801
- (about US $10-$13).
-
- IS PGP LEGAL?
-
- Using and distributing Pretty Good Privacy is legal if you are careful
- to obey the intellectual property and export rules, as well as any local
- rules that may apply in the nation you are in.
-
- U. S. export regulations are not as bad as they were, but you may be
- required to give a notice to the U. S. Government to export or publicly
- post source code (and the executable compiled from it) under license
- exception TSU. You can't intentionally export PGP or GPG from the USA to
- certain forbidden destinations (state sponsors of terrorism, etc.). Check
- the Department of Commerce web site at
- http://www.bxa.doc.gov/Encryption/Default.htm for current rules.
-
- The RSA patent caused considerable expense in the USA for PGP users,
- until the Diffie-Hellman patent expired and DSA was offered by the U. S.
- Government as not infringing. Some people still like to use older
- versions of PGP that use RSA, especially outside of the USA.
- Fortunately, the RSA patent is dead and anyone in the USA may use RSA
- for either business or personal use without restrictions, just like
- people in the rest of the world have been able to do for many years.
-
- If you want to use PGP for commercial use, the most legal approach is to
- use Gnu Privacy Guard (http://www.gnupg.org) for free, but you may also
- be able to buy a license for the commercial version of PGP, still.
-
- If you are in a country where the IDEA cipher patent holds in software
- (including the USA and some countries in Europe), make sure you are
- licensed to use the IDEA cipher commercially before using PGP
- commercially, or avoid it by using Gnu Privacy Guard or a version of PGP
- that allows the use of alternate algorithms like CAST, instead. (No
- separate license is required to use the freeware PGP for personal,
- noncommercial use). For direct IDEA licensing, contact Ascom Systec:
-
- Erhard Widmer, Ascom Systec AG, Dep't. CMVV
- Phone +41 64 56 59 83
- Peter Hartmann, Ascom Systec AG, Dep't. CMN
- Phone +41 64 56 59 45
- Fax: +41 64 56 59 90
- e-mail: IDEA@ascom.ch
- Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)
-
- Network Associates, Inc., has an exclusive marketing agreement for
- commercial distribution of Philip Zimmermann's copyrighted code.
- (Selling shareware/freeware disks or connect time is OK, as is building
- on older GPL versions of PGP or the new GPG.)
-
- If you modify PGP (other than porting it to another platform, fixing a
- bug, or adapting it to another compiler), don't call it PGP (TM) or
- Pretty Good Privacy (TM) without Philip Zimmermann's permission.
-
- Within the U.S. there is no legal obstacle for use of strong encryption.
- Export regulations used to be quite draconian in the USA, and are still
- partially irrational, but they have greatly improved to the point where
- U. S. Citizens no longer need to hesitate to publish (even on the
- Internet) and use strong cryptography, as long as they send the required
- notices of export and/or posting on the Internet described by
- http://www.bxa.doc.gov/Encryption/Default.htm.
-
- In an ideal world every honest person would have the right to use
- encryption. Unfortunately, this isn't an ideal world.
-
- France used to be quite restrictive, but now that nation allows its
- citizens to use strong cryptography, recognizing its value in preventing
- some crimes and strengthening electronic commerce.
-
- Germany once considered banning the use and distribution of strong
- cryptographic software in the name of "national security," but now the
- German government has actually endorsed and helped fund the development
- of Gnu Privacy Guard.
-
- In Russia, you can be arrested for using cryptography and even be put in
- jail for using a GPS receiver.
-
- U. S. Citizens may want to view travel advisories at
- http://travel.state.gov before visiting another country.
-
- For a recent update on the legal situation see The Crypto Law
- Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
-
- WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?
-
- Philip Zimmermann was under investigation for alleged violation of
- export regulations, with a grand jury hearing evidence for about 28
- months, ending 11 January 1996. The Federal Government chose not to
- comment on why it decided to not prosecute, nor is it likely to. The
- Commerce Secretary stated that he would seek relaxed export controls for
- cryptographic products, since studies show that U. S. industry is being
- harmed by current regulations. Philip endured some serious threats to
- his livelihood and freedom, as well as some very real legal expenses,
- for the sake of your right to electronic privacy.
-
- See:
- http://www.epic.org
- http://www.crypto.com
- http://www.eff.org
-
- HOW DO I SELECT A GOOD SECURE PASSPHRASE?
-
- See:
- http://world.std.com/~reinhold/diceware.page.html
- http://www.wepin.com/pgp/passfraz.html
-
- WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?
-
- PGP can do conventional-only encryption of a file (the -c option), but you
- might want to investigate some of the other alternatives if you do this
- a lot.
-
- Alternatives include Atbash2 for DOS, DLOCK2 for DOS & UNIX, Curve
- Encrypt (for the Mac), HPACK (many platforms), and a few others.
-
- Atbash2 is interesting in that it generates ciphertext that can be read
- over the telephone or sent by Morse code. DLOCK2 is a no-frills strong
- encryption program with complete source code. Curve Encrypt has certain
- user-friendliness advantages. HPACK is an archiver (like ZIP or ARC),
- but with strong encryption. A couple of starting points for your search
- are:
- http://cryptography.org/
- ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
- ftp://idea.sec.dsi.unimi.it/pub/crypt/code/
-
- HOW DO I SECURELY DELETE FILES?
-
- If you have the Norton Utilities, Norton WipeInfo is pretty good. I use
- DELETE.EXE in del210.zip, which is really good at deleting existing
- files, but doesn't wipe "unused" space.
-
- ftp://eBible.org/pub/del210.zip
- ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip
-
- WHERE DO I GET PGPfone(tm)?
-
- PGPfone is for private telephone calls over a modem or the Internet.
- http://web.mit.edu/network/pgpfone
- ftp://basement.replay.com/pub/replay/pub/voice/
-
- WHERE DO I GET NAUTILUS?
-
- Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program
- called Nautilus that enables you to engage in secure voice conversations
- between people with multimedia PCs and modems capable of at least 7200
- bps (but 14.4 kbps is better). See:
- ftp://sable.ox.ac.uk/pub/crypto/misc
- ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
- ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
- http://www.cryptography.org
- ftp://basement.replay.com/pub/replay/pub/voice/
- The official Nautilus home page is at: http://www.lila.com/nautilus/
-
-
- WHERE IS PGP'S COMPETITION?
-
- Gnu Privacy Guard (GPG) is a serious OpenPGP standard competitor to PGP,
- but really it is more of a growth from the initial Gnu Public License
- versions of PGP itself, with some independently-written code added where
- necessary. It is a serious alternative, and quite secure.
-
- S/MIME is gaining a foothold on the secure email market, but my
- experience with it has been rather negative. Current implementations of
- S/MIME (1) don't always use secure key lengths, (2) often require
- payment of an annual fee to a central key certification authority, (3)
- have much more limited key management facilities than PGP, and (4)
- usually don't have source code open to inspection like GPG and most
- versions of PGP. On the positive side, S/MIME is integrated into email
- packages like Microsoft Outlook and Netscape Messenger.
-
- HOW DO I PUBLISH MY PGP PUBLIC KEY?
-
- The latest PGP and GPG versions will interact with key servers
- automatically if you are connected to the Internet and if you configure
- them to. For manual key publication, send mail to one of these addresses
- with the single word "help" in the subject line to find out how to use
- them. These servers synchronize keys with each other. There are other
- key servers, too.
-
- pgp-public-keys@keys.pgp.net
- pgp-public-keys@keys.de.pgp.net
- pgp-public-keys@keys.no.pgp.net
- pgp-public-keys@keys.uk.pgp.net
- pgp-public-keys@keys.us.pgp.net
-
- IS PGP REALLY SECURE?
-
- Yes and no. Yes, it is secure against most attackers when used on a
- physically secure system in accordance with its instructions. This
- includes using a good passphrase to protect your private keys and
- keeping your passphrase and private keys truly private. You must also
- never run or allow to be run any rogue software (including viruses,
- worms, and Trojan horses) that might send your passphrase keystrokes and
- your PGP key file back to some spy.
-
- If an adversary of yours has physical access to the computer that you
- use with PGP, it is not hard to install a hardware or software keystroke
- logger that can capture your passphrase, and to copy your private
- keyring. With that combination, any of your PGP-encrypted messages can
- be read. PGP is not secure if you don't understand what you are doing.
- It is also true that God knows your thoughts even before you encrypt
- them, so you can't hide anything from Him.
- http://ebible.org/bible/web/Psalms.htm#C139V1
-
- MAY I COPY AND REDISTRIBUTE THIS FAQ?
-
- Yes. Please only do so in appropriate forums, and provide pointers to
- the home location of this FAQ.
-
- WHO MAINTAINS THIS FAQ?
-
- Michael Paul Johnson mpj@ebible.org maintains this FAQ. My PGP and Gnu
- Privacy Guard public keys can be downloaded from my contact page at
- http://eBible.org/mpj/, as well as from the public key servers.
-
- -----BEGIN PGP SIGNATURE-----
- Version: GnuPG v1.0.7 (Cygwin32)
-
- iD8DBQE9ZcmuRI/gxxfXR7sRAju5AJ4/RkKcG291AGSTS/RtAbrjOjc/2wCg0uOR
- CjpPHBAD8FRffFrWev+SWyg=
- =DChL
- -----END PGP SIGNATURE-----
-
-
-