Here's a draft PGP FAQ for alt.security.pgp. I'd better post this soon as I'm getting buried in FAQ's via email...

PGP Frequently Asked Questions
==============================
(Draft version)

- What is PGP?
- Where can I get PGP?
- Where can I get/publish PGP keys?

What is PGP?
============

In brief:

PGP (Pretty Good Privacy) is a freeware RSA public-key encryption package for Unix, MSDOS, OS/2, the Amiga, the Atari ST, and VMS. It protects E-mail and files, letting you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. PGP has sophisticated key management, an RSA/conventional-key hybrid encryption scheme, data authentication via digital signatures, and data compression before encryption. The C source code for PGP is available for free use by anyone.

In more detail:

This note assumes you are familiar with PGP (Pretty Good Privacy), the freeware public key cryptographic software package.

Philip Zimmermann is under threat of lawsuit from the RSA patent holders, Public Key Partners, if he distributes or updates PGP again. Zimmermann has abided by that condition and has not distributed PGP since the threat was made. So any enhancements for PGP have to be developed by other people, preferably outside the reach of US patent law.

The RSA patent does not apply outside the USA. Accordingly, PGP Version 2.0 was developed by a team of software engineers in Europe and New Zealand, with design guidance from Philip Zimmermann. It was released September 3 by Branko Lankester in Amsterdam and Peter Gutmann in New Zealand.

The new version has many ergonomic improvements, much better key management, faster and better conventional cryptography, faster public key cryptography, and faster and better data compression. It also has been ported to SPARC Unix, Ultrix, VAX/VMS, Commodore Amiga, Atari ST, OS/2, and of course it still runs on MSDOS.

The RSA math functions are about 2.28 times as fast (as measured on an MSDOS system).
The new signature hashing algorithm is MD5. The new compression routines are similar in functionality to those used in PKZIP, and were developed in C by a French team. The new faster conventional cipher, called IDEA (International Data Encryption Algorithm), was developed at ETH in Zurich by James L. Massey and Xuejia Lai. Preliminary evidence suggests that IDEA may be more resistant than the DES to Biham & Shamir's highly successful differential cryptanalysis attack. Biham and Shamir have tried unsuccessfully to find any weaknesses in the IDEA cipher.

The keys on the public keyring retain their certifying signatures while on the keyring, and can be automatically checked for tampering by PGP before using the keys. They can be individually copied off the keyring along with their attached signature certificates, in ASCII form suitable for emailing. Each key may have several attached certifying signatures.

User ID's and passwords can be revised by the key owner. When a user ID is modified for a key, new certifying signatures must be created for that key.

The ASCII transport armor changed from uuencoded form to another ASCII radix-64 representation similar to that used by the Internet PEM standard. This makes PGP messages more resistant to mutilation by strange email gateways.

The new PGP is more usable in batch mode, returning error result codes to the DOS shell. It can also be used to some extent in a pipeline filter mode for Unix.

There are too many ergonomic improvements to list here. One example is a built-in Unix-style "more" function, to optionally display deciphered plaintext directly on your screen without writing any plaintext to disk. Also, all the PGP user messages and prompts can be displayed in German, Dutch, Spanish, French, Italian, and Russian.

There are other improvements in the area of key management.
Zimmermann's new key management is even more uniquely suited to socially decentralized environments, rather than to monolithic corporate or government institutions.

Where can I get PGP?
====================

PGP is slowly becoming available on more and more sites worldwide. If you can't find a copy locally, you could try the following:

PGP via FidoNet
---------------

Due to FidoNet's distributed nature, there isn't really one location where everyone can get a copy. However it is being distributed extensively over the net - if you can't get a copy locally, bug your sysop to bring one in!

PGP by ftp
----------

PGP is available for ftp from the following sites:

    garbo.uwasa.fi (128.214.87.1)
        /pub/pc/encryption       (DOS and OS/2)
        /pub/unix/encryption

    kauri.vuw.ac.nz (130.195.11.3)
        /pub/ms-dos/Encryption   (all versions)
        Note: NZ users only.

    ghost.dsi.unimi.it (???)
        /pub/crypt

    ftp.uni-kl.de
        /pub/atari/incoming

Remember to choose *binary* mode when retrieving the files!

PGP via Compuserve
------------------

PGP is available in the Compuserve IBMSYS forum, just type "go ibmsys" to get there. Then when you get the following:

    IBM Sys/Utilities Forum Menu

    1 INSTRUCTIONS
    2 MESSAGES
    3 LIBRARIES (Files)
    4 CONFERENCING (0 participating)
    5 ANNOUNCEMENTS from sysop
    6 MEMBER directory
    7 OPTIONS for this forum

Choose 3, the files area. This will give the following menu:

    IBM Sys/Utilities ForumLibraries Menu

    0 General [S]
    1 DOS Utilities [S]
    2 OS/2 Utilities [S]
    3 General Utils [S]
    4 Multitasking [S]
    5 DOS Shells/Mgrs [S]
    6 File Utilities [S]      <- PGP is in here
    7 Desktop Utils [S]
    8 Demos [S]
    9 Disk Library [S]

Choose 6, the file utilities area. This will bring up the following menu:

    IBM Sys/Utilities Forum Library 6

    File Utilities [S]

    1 BROWSE Files
    2 DIRECTORY of Files
    3 UPLOAD a File (FREE)
    4 DOWNLOAD a file to your Computer
    5 LIBRARIES

From here you can either browse the files (use the keyword 'PGP'), or download them. The source code is PGP20S.ZIP, the MSDOS executable is PGP20.ZIP.

PGP via BIX
-----------

PGP is available in the Security/listings area. If someone could provide more details on this I'd be grateful.

Where can I get/publish PGP keys?
=================================

The following is the README file from a PGP keyserver run by Felipe Rodriquez at utopia.hacktic.nl:

-----------------------------------------------------------------------------
Beware of unsigned keys, these could be forgeries from an attacker wanting access to your information. Always be sure your keys are certified by several people.
-----------------------------------------------------------------------------

PGP-SERVER POLICIES

You can send your PGP public-keys to pgp-keys@utopia.hacktic.nl

Your key will be added to our public keyring.

In order to certify your key, so that other people know that the key is actually yours, make sure it is signed by other people before sending it in. It is advisable to have your key signed by as many people as possible, before sending your key to our key-server. Make sure that the people that sign your key are 100% sure of the fact that the key is yours.

Keys will only be signed by me if I'm 100% sure about the sender of the key. This requires a voice validation of your key's ASCII-armor. I will NOT sign ANY keys that I don't trust 100%. E-Mail is subject to many types of forgery and is not a secure channel for verification. Verification can only be done by you reading to me some indicated characters in your key's ASCII armor, either over the phone, or by visiting me personally.

For a pgp-server to work, it is absolutely crucial to keep the above stated points in mind. Security is your responsibility, if you want other persons to trust your key, see to it that it is signed by a lot of people that are competent in key-management.

If you don't want your key to be signed then that's your responsibility. You'd make it easy for any attacker to forge a key that is supposed to be yours.
All users of the hacktic-PGP server are advised _not_ to use any unsigned keys.

Felipe Rodriquez, key-manager@utopia.hacktic.nl
                  nonsenso@utopia.hacktic.nl

--
pgut1@cs.aukuni.ac.nz || peterg@kcbbs.gen.nz || peter@nacjack.gen.nz
(In order of preference)
------------------------------------------------------------------------------
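
Added example, not part of the original FAQ or of PGP's source: the radix-64 armor described under "What is PGP?" and read aloud for verification in the key-server README, parsed and checked in Python. It assumes the armor layout later standardized for OpenPGP in RFC 4880 (blank line after the headers, 64-column radix-64 lines, a final `=` line carrying a CRC-24); the function names and `SAMPLE` bytes are constructed for illustration.

```python
import base64
import binascii

def crc24(data: bytes) -> int:
    """CRC-24 as defined for OpenPGP armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap bytes in radix-64 armor ending in an '=' + CRC-24 line."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {label}-----", "", *body, "=" + check,
                      f"-----END {label}-----"]) + "\n"

def dearmor(text: str) -> bytes:
    """Return the armored bytes; raise ValueError if the armor is damaged."""
    lines = [ln.strip() for ln in text.splitlines()]
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN "))
        end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END "))
        blank = lines.index("", start, end)  # blank line closes the armor headers
    except (StopIteration, ValueError):
        raise ValueError("not a complete armor block") from None
    body = [ln for ln in lines[blank + 1:end] if ln]
    if not body or len(body[-1]) != 5 or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        want = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"radix-64 damaged: {exc}") from None
    if crc24(data) != want:
        raise ValueError("CRC-24 mismatch: armor was altered in transit")
    return data

SAMPLE = bytes(range(97))  # constructed bytes, not a real PGP key
GOOD = armor(SAMPLE)
# A gateway that alters one radix-64 character is caught by the checksum.
MUTILATED = GOOD.replace("AAEC", "AAEB", 1)
# A swapped body with a recomputed CRC still parses: a checksum is not a signature.
SUBSTITUTED = armor(b"constructed substitute key material")
```

The checksum catches gateway damage only; a substituted key with a recomputed CRC parses cleanly, so trust still has to come from the certifying signatures the README asks for.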