-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


WHERE TO GET PGP and GPG
WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 23 August 2002

This FAQ applies to Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG),
and some other OpenPGP implementations.

Disclaimer: some of this information may be outdated or otherwise
inaccurate. I don't update it very often, but you should by all means be
able to find an appropriate copy of PGP and its documentation using the
information contained herein. Use it at your own risk.

The master copies of this FAQ are at http://cryptography.org/getpgp.htm
and http://cryptography.org/getpgp.txt

The official (much more complete) PGP FAQ is available at:
http://www.pgp.net/pgpnet/pgp-faq/

WHERE ARE SOME OF THE BEST PLACES TO GET PGP ON THE WEB?

PGP freeware - for personal, noncommercial use
http://www.pgpi.com - The best source for the current versions.
http://web.mit.edu/network/pgp.html - A trustworthy source for North
Americans.
http://cryptography.org - Archives of older versions and versions for
various platforms for North Americans.

Gnu Privacy Guard - free even for commercial use
http://www.gnupg.org
http://www.pgpi.com
http://cryptography.org

PGP Mail commercial version
PGP Mail is now published and supported by PGP Corporation. See
http://www.pgp.com for information on their current prices, versions,
and support. For commercial applications where having a corporation to
back up a product with support is important, or where maximum
integration with Windows is also important, this is the preferable
option. For commercial applications where low cost is the primary option
and you want to use a command line interface, Gnu Privacy Guard
(http://www.gnupg.org) is better.

Note: you may need an unzip utility, such as the InfoZip unzip that you
can get from http://www.info-zip.org to decompress the files you
download.

WHERE CAN I GET MORE PGP INFORMATION?

The best source of PGP information is in the PGP documentation that
comes with PGP. For additional information, you may want to read:
http://www.cryptorights.org/pgp-help-team/hello.html
http://www.pgp.net/pgpnet/pgp-faq/
http://www.mit.edu:8001/people/warlord/pgp-faq.html
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-01.txt
http://cryptography.org/getpgp.htm
http://web.cnam.fr/Network/Crypto/ (c'est en francais)
http://www.freedomfighter.net/crypto/pgp-history.html
http://www.paranoia.com/~vax/pgp_versions.html
http://www.faqs.org/faqs/pgp-faq/
The PGP-Users Mailing List home page at http://pgp.rivertown.net
contains many PGP related resources, including resources on privacy,
anonymous remailers, and other related fields. The PGP-Users list
archives are also linked to the page as is an HTML version of the
PGP-FAQ (may not be the most recent), the PGP documentation, resources
for MacPGP, links to another mailing list dedicated to PGPfone (which
includes one of its authors, Will Price) and the one of a kind, PGPfone
Registry, where PGPfone users who would like to test PGPfone with each
other can leave messages in a browsable data base to let others find
them to connect with each other.
A good place to discuss PGP and ask questions about it is in the PGP
news groups (i. e. comp.security.pgp).

CAN I GET PGP DOCUMENTATION IN MY OWN LANGUAGE?

Yes. You can get the official PGP documentation in several languages at
http://www.pgpi.com. See also:
German: http://www.geocities.com/Athens/1802/
French: http://www.geocities.com/SiliconValley/Bay/9648/

WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP AND GPG VERSIONS

PGP 5.0 introduces some new algorithms for both public key and
conventional encryption. These changes are good from both technical
(security & efficiency) and political (patent) standpoints. With the
death of the Diffie-Hellman key exchange patent, the freeware PGP new
algorithms are 100% free of patent problems, and free of legalese such
as come with the RSAREF toolkit. The Diffie-Hellman key exchange key
size limit is also larger than the old RSA limit, so PGP encryption is
actually more secure, now.

The new SHA1 hash function is better than MD5, so signatures are more
secure, now, too. The conventional encryption used is all sound, and
definitely not the weak link in the chain. This much is good news.

The bad news, of course, is that there will be some interoperability
problems, since no earlier versions of PGP can handle these algorithm,
and some PGP freeware issued before the RSA algorithm math patent
expired doesn't support RSA signatures and encryption.

Gnu Privacy Guard was written from the ground up to be free software
under the Gnu Public License. That means that it cannot use the IDEA
symmetric key algorithm, and also that some versions were issued before
the RSA patent expired in the USA, and therefore some older versions of
GPG didn't support RSA signatures or encryption.

For more information on PGP and GPG compatibility, please see
http://www.openpgp.org.

WHAT ARE SOME GOOD PGP BOOKS?

 Protect Your Privacy: A Guide for PGP Users
 by William Stallings
 Prentice Hall PTR
 ISBN 0-13-185596-4
 US $19.95

 PGP: Pretty Good Privacy
 by Simson Garfinkel
 O'Reilly & Associates, Inc.
 ISBN 1-56592-098-8
 US $24.95

 E-Mail_Security,
 How To Keep Your Electronic Messages Private (covers PGP & PEM)
 by Bruce Schneier
 365 pages
 1995
 pub: John Wiley & Sons, Inc.
 ISBN 0-471-05318-X
 $24.95 US

 The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data
 Protection, and PGP PRivacy Software
 by André Bacard
 Peachpit Press
 ISBN 1-56609-171-3
 US $24.95
 800-283-9444 or 510-548-4393

 THE OFFICIAL PGP USER'S GUIDE
 by Philip R. Zimmermann
 MIT Press
 April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
 Standard PGP documentation neatly typeset and bound.

 PGP SOURCE CODE AND INTERNALS
 by Philip R. Zimmermann
 April 1995 - 804 pp. -
 US $55.00 - 0-262-24039-4 ZIMPH

 How to Use PGP, 61 pages,  (Pub #121) from the Superior Broadcasting
 Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801
 (about US $10-$13).

IS PGP LEGAL?

Using and distributing Pretty Good Privacy is legal if you are careful
to obey the intellectual property and export rules, as well as any local
rules that may apply in the nation you are in.

U. S. export regulations are not as bad as they were, but you may be
required to give a notice to the U. S. Government to export or publicly
post source code (and the executable compiled from it) under license
exception TSU. You can't intentionally export PGP or GPG from the USA to
certain forbidden destination (state sponsors of terrorism, etc.) Check
the Department of Commerce web site at
http://www.bxa.doc.gov/Encryption/Default.htm for current rules.

The RSA patent caused considerable expense in the USA for PGP users,
until the Diffie-Hellman patent expired and DSA was offered by the U. S.
Government as not infringing. Some people still like to use older
versions of PGP that use RSA, especially outside of the USA.
Fortunately, the RSA patent is dead and anyone in the USA may use RSA
for either business or personal use without restrictions, just like
people in the rest of the world have been able to do for many years.

If you want to use PGP for commercial use, the most legal approach is to
use Gnu Privacy Guard (http://www.gnupg.org) for free, but you may also
be able to buy a license for the commercial version of PGP, still.

If you are in a country where the IDEA cipher patent holds in software
(including the USA and some countries in Europe), make sure you are
licensed to use the IDEA cipher commercially before using PGP
commercially, or avoid it by using Gnu Privacy Guard or a version of PGP
that allows the use of alternate algorithms like CAST, instead. (No
separate license is required to use the freeware PGP for personal,
noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV
Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN
Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA@ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Network Associates, Inc., has an exclusive marketing agreement for
commercial distribution of Philip Zimmermann's copyrighted code.
(Selling shareware/freeware disks or connect time is OK, as is building
on older GPL versions of PGP or the new GPG.)

If you modify PGP (other than porting it to another platform, fixing a
bug, or adapting it to another compiler), don't call it PGP (TM) or
Pretty Good Privacy (TM) without Philip Zimmermann's permission.

Within the U.S. there is no legal obstacle for use of strong encryption.
Export regulations used to be quite draconian in the USA, and are still
partially irrational, but they have greatly improved to the point where
U. S. Citizens no longer need to hesitate to publish (even on the
Internet) and use strong cryptography, as long as they send the required
notices of export and/or posting on the Internet described by
http://www.bxa.doc.gov/Encryption/Default.htm.

In an ideal world every honest person would have the right to use
encryption. Unfortunately, this isn't an ideal world.

France used to be quite restrictive, but now that nation allows its
citizens to use strong cryptography, recognizing its value in preventing
some crimes and strengthening electronic commerce.

Germany once considered banning the use and distribution of strong
cryptographic software in the name of "national security," but now the
German government has actually endorsed and helped fund the development
of Gnu Privacy Guard.

In Russia, you can be arrested for using cryptography and even be put in
jail for using a GPS receiver.

U. S. Citizens may want to view travel advisories at
http://travel.state.gov before visiting another country.

For a recent update on the legal situation see The Crypto Law
Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of
export regulations, with a grand jury hearing evidence for about 28
months, ending 11 January 1996. The Federal Government chose not to
comment on why it decided to not prosecute, nor is it likely to. The
Commerce Secretary stated that he would seek relaxed export controls for
cryptographic products, since studies show that U. S. industry is being
harmed by current regulations. Philip endured some serious threats to
his livelihood and freedom, as well as some very real legal expenses,
for the sake of your right to electronic privacy.

See:
http://www.epic.org
http://www.crypto.com
http://www.eff.org

HOW DO I SELECT A GOOD SECURE PASSPHRASE?

See:
http://world.std.com/~reinhold/diceware.page.html
http://www.wepin.com/pgp/passfraz.html

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you
might want to investigate some of the other alternatives if you do this
a lot.

Alternatives include Atbash2 for DOS, DLOCK2 for DOS & UNIX, Curve
Encrypt (for the Mac), HPACK (many platforms), and a few others.

Atbash2 is interesting in that it generates ciphertext that can be read
over the telephone or sent by Morse code. DLOCK2 is a no-frills strong
encryption program with complete source code. Curve Encrypt has certain
user-friendliness advantages. HPACK is an archiver (like ZIP or ARC),
but with strong encryption. A couple of starting points for your search
are:
http://cryptography.org/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
ftp://idea.sec.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use
DELETE.EXE in del210.zip, which is really good at deleting existing
files, but doesn't wipe "unused" space.

ftp://eBible.org/pub/del210.zip
ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is for private telephone calls over a modem or the Internet.
http://web.mit.edu/network/pgpfone
ftp://basement.replay.com/pub/replay/pub/voice/

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program
called Nautilus that enables you to engage in secure voice conversations
between people with multimedia PCs and modems capable of at least 7200
bps (but 14.4 kbps is better). See:
ftp://sable.ox.ac.uk/pub/crypto/misc
ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
http://www.cryptography.org
ftp://basement.replay.com/pub/replay/pub/voice/
The official Nautilus home page is at: http://www.lila.com/nautilus/


WHERE IS PGP'S COMPETITION?

Gnu Privacy Guard (GPG) is a serious OpenPGP standard competitor to PGP,
but really it is more of a growth from the initial Gnu Public License
versions of PGP itself, with some independently-written code added where
necessary. It is a serious alternative, and quite secure.

S/MIME is gaining a foothold on the secure email market, but my
experience with it has been rather negative. Current implementations of
S/MIME (1) don't always use secure key lengths, (2) often require
payment of an annual fee to a central key certification authority, (3)
have much more limited key management facilities than PGP, and (4)
usually don't have source code open to inspection like GPG and most
versions of PGP. On the positive side, S/MIME is integrated into email
packages like Microsoft Outlook and Netscape Messenger.

HOW DO I PUBLISH MY PGP PUBLIC KEY?

The latest PGP and GPG versions will interact with key servers
automatically if you are connected to the Internet and if you configure
them to. For manual key publication, send mail to one of these addresses
with the single word "help" in the subject line to find out how to use
them. These servers synchronize keys with each other. There are other
key servers, too.

pgp-public-keys@keys.pgp.net
pgp-public-keys@keys.de.pgp.net
pgp-public-keys@keys.no.pgp.net
pgp-public-keys@keys.uk.pgp.net
pgp-public-keys@keys.us.pgp.net

IS PGP REALLY SECURE?

Yes and no. Yes, it is secure against most attackers when used on a
physically secure system in accordance with its instructions. This
includes using a good passphrase to protect your private keys and
keeping your passphrase and private keys truly private. You must also
never run or allow to be run any rogue software (including viruses,
worms, and Trojan horses) that might send your passphrase keystrokes and
your PGP key file back to some spy.

If an adversary of yours has physical access to the computer that you
use with PGP, it is not hard to install a hardware or software keystroke
logger that can capture your passphrase, and to copy your private
keyring. With that combination, any of your PGP-encrypted messages can
be read. PGP is not secure if you don't understand what you are doing.
It is also true that God knows your thoughts even before you encrypt
them, so you can't hide anything from Him.
http://ebible.org/bible/web/Psalms.htm#C139V1

MAY I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Please only do so in appropriate forums, and provide pointers to
the home location of this FAQ.

WHO MAINTAINS THIS FAQ?

Michael Paul Johnson mpj@ebible.org maintains this FAQ. My PGP and Gnu
Privacy Guard public keys can be downloaded from my contact page at
http://eBible.org/mpj/, as well as from the public key servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Cygwin32)

iD8DBQE9ZcmuRI/gxxfXR7sRAju5AJ4/RkKcG291AGSTS/RtAbrjOjc/2wCg0uOR
CjpPHBAD8FRffFrWev+SWyg=
=DChL
-----END PGP SIGNATURE-----