Here's a draft PGP FAQ for alt.security.pgp.  I'd better post this soon as I'm
getting buried in FAQ's via email...  
  
                        PGP Frequently Asked Questions  
                        ==============================  
                                (Draft version)  
  
    - What is PGP?  
    - Where can I get PGP?  
    - Where can I get/publish PGP keys?  
  
What is PGP?  
============  
  
In brief:  
  
PGP (Pretty Good Privacy) is a freeware RSA public-key encryption package for 
Unix, MSDOS, OS/2, the Amiga, the Atari ST, and VMS.  It protects E-mail and  
files, letting you communicate securely with people you've never met, with no 
secure channels needed for prior exchange of keys.  
  
PGP has sophisticated key management, an RSA/conventional-key hybrid  
encryption scheme, data authentication via digital signatures, and data  
compression before encryption.  The C source for PGP code is available for  
free use by anyone.  
  
In more detail:  
  
This note assumes you are familiar with PGP (Pretty Good Privacy), the  
freeware public key cryptographic software package.  
  
Philip Zimmermann is under threat of lawsuit from the RSA patent holders,  
Public Key Partners, if he distributes or updates PGP again.  Zimmermann has  
abided by that condition and has not distributed PGP since the threat was  
made.  So any enhancements for PGP have to be developed by other people,  
preferably outside the reach of US patent law.  The RSA patent does not apply 
outside the USA.  Accordingly, PGP Version 2.0 was developed by a team of  
software engineers in Europe and New Zealand, with design guidance from  
Philip Zimmermann.  It was released September 3 by Branko Lankester in  
Amsterdam and Peter Gutmann in New Zealand.  
  
The new version has many ergonomic improvements, much better key management,  
faster and better conventional cryptography, faster public key cryptography,  
and faster and better data compression.  It also has been ported to SPARC  
Unix, Ultrix, VAX/VMS, Commodore Amiga, Atari ST, OS/2, and of course it  
still runs on MSDOS.  
  
The RSA math functions are about 2.28 times as fast (as measured on an MSDOS  
system).  The new signature hashing algorithm is MD5.  The new compression  
routines are similar in functionality to those used in PKZIP, and were  
developed in C by a French team.  The new faster conventional cipher, called  
IDEA (International Data Encryption Algorithm), was developed at ETH in  
Zurich by James L. Massey and Xuejia Lai.  Preliminary evidence suggests that 
IDEA may be more resistant than the DES to Biham & Shamir's highly successful 
differential cryptanalysis attack.  Biham and Shamir have tried  
unsuccessfully to find any weaknesses in the IDEA cipher.  
  
The keys on the public keyring retain their certifying signatures while on  
the keyring, and can be automatically checked for tampering by PGP before  
using the keys.  They can be individually copied off the keyring along with  
their attached signature certificates, in ASCII form suitable for emailing.  
Each key may have several attached certifying signatures.  User ID's and  
passwords can be revised by the key owner.  When a user ID is modified for a  
key, new certifying signatures must be created for that key.  
  
The ASCII transport armor changed from uuencoded form to another ASCII  
radix-64 representation similar to that used by the Internet PEM standard.  
This makes PGP messages more resistant to mutilation by strange email  
gateways.  
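As an added illustration (not part of the original FAQ and not PGP's own code), the sketch below compares the uuencode and radix-64 alphabets against the ISO 646 national-use code positions, then relays one encoded line through a gateway model. The gateway behaviour (national-use characters come out as '?') and the sample payload are constructed assumptions.

```python
import base64
import binascii
import string

# The 12 ISO 646 code positions that national character sets may redefine.
ISO646_VARIANT = set("#$@[\\]^`{|}~")

# Classic uuencode maps a 6-bit value v to chr(0x20 + v); some encoders
# write "`" instead of a space for v == 0.
UU_ALPHABET = {chr(0x20 + v) for v in range(64)} | {"`"}
R64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def fragile_chars(alphabet):
    """Return the alphabet's characters that are not ISO 646 invariant."""
    return sorted(alphabet & ISO646_VARIANT)


def gateway(text):
    """Constructed gateway model: national-use characters come out as '?'."""
    return "".join("?" if c in ISO646_VARIANT else c for c in text)


def uu_survives(data):
    """uuencode one line (at most 45 bytes), relay it, decode, compare."""
    line = binascii.b2a_uu(data).decode("ascii")
    try:
        return binascii.a2b_uu(gateway(line).encode("ascii")) == data
    except binascii.Error:
        return False


def radix64_survives(data):
    """Same relay for one radix-64 body line."""
    line = base64.b64encode(data).decode("ascii")
    try:
        return base64.b64decode(gateway(line), validate=True) == data
    except binascii.Error:
        return False


SAMPLE = bytes(range(45))  # constructed payload, one full uuencode line

if __name__ == "__main__":
    print("uuencode fragile:", "".join(fragile_chars(UU_ALPHABET)))
    print("radix-64 fragile:", "".join(fragile_chars(R64_ALPHABET)) or "(none)")
    print("uuencode survives relay:", uu_survives(SAMPLE))
    print("radix-64 survives relay:", radix64_survives(SAMPLE))
```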
  
The new PGP is more usable in batch mode, returning error result codes to the 
DOS shell.  It can also be used to some extent in a pipeline filter mode for  
Unix.  
  
There are too many ergonomic improvements to list here.  One example is a  
built-in Unix-style "more" function, to optionally display deciphered  
plaintext directly on your screen without writing any plaintext to disk.  
Also, all the PGP user messages and prompts can be displayed in German,  
Dutch, Spanish, French, Italian, and Russian.  
  
There are other improvements in the area of key management.  Zimmermann's new 
key management is even more uniquely suited to socially decentralized  
environments, rather than to monolithic corporate or government institutions. 
  
Where can I get PGP?  
====================  
  
  PGP is slowly becoming available on more and more sites worldwide.  If you  
can't find a copy locally, you could try the following:  
  
PGP via FidoNet  
---------------  
  
  Due to FidoNet's distributed nature, there isn't really one location where  
everyone can get a copy.  However it is being distributed extensively over  
the net - if you can't get a copy locally, bug your sysop to bring one in!  
  
PGP by ftp  
----------  
  
  PGP is available for ftp from the following sites:  
  
    garbo.uwasa.fi (128.214.87.1) /pub/pc/encryption    (DOS and OS/2)  
                                  /pub/unix/encryption  
                                    
    kauri.vuw.ac.nz (130.195.11.3) /pub/ms-dos/Encryption (all versions)  
                                   Note: NZ users only.  
                                     
    ghost.dsi.unimi.it (???)       /pub/crypt  
  
    ftp.uni-kl.de                  /pub/atari/incoming  
  
Remember to choose *binary* mode when retrieving the files!
  
PGP via Compuserve  
------------------  
  
  PGP is available in the Compuserve IBMSYS forum; just type "go ibmsys" to
get there.  Then when you get the following:
  
    IBM Sys/Utilities Forum Menu  
  
     1 INSTRUCTIONS  
  
     2 MESSAGES  
     3 LIBRARIES (Files)  
     4 CONFERENCING (0 participating)  
  
     5 ANNOUNCEMENTS from sysop  
     6 MEMBER directory  
     7 OPTIONS for this forum  
  
Choose 3, the files area.  This will give the following menu:  
  
    IBM Sys/Utilities ForumLibraries Menu  
  
     0 General [S]  
     1 DOS Utilities [S]  
     2 OS/2 Utilities [S]  
     3 General Utils [S]  
     4 Multitasking [S]  
     5 DOS Shells/Mgrs [S]  
     6 File Utilities [S]       <- PGP is in here  
     7 Desktop Utils [S]  
     8 Demos [S]  
     9 Disk Library [S]  
  
Choose 6, the file utilities area.  This will bring up the following menu:
  
    IBM Sys/Utilities Forum Library 6  
  
    File Utilities [S]  
  
     1 BROWSE Files  
     2 DIRECTORY of Files  
  
     3 UPLOAD a File (FREE)  
     4 DOWNLOAD a file to your Computer  
  
     5 LIBRARIES  
  
From here you can either browse the files (use the keyword 'PGP'), or
download them.  The source code is PGP20S.ZIP, the MSDOS executable is  
PGP20.ZIP.  
  
PGP via BIX  
-----------  
  
  PGP is available in the Security/listings area.  If someone could provide  
more details on this I'd be grateful.  
  
Where can I get/publish PGP keys?  
=================================  
  
  The following is the README file from a PGP keyserver run by Felipe  
Rodriquez at utopia.hacktic.nl:
  
----------------------------------------------------------------------------- 
Beware of unsigned keys, these could be forgeries from an attacker wanting  
access to your information. Always be sure your keys are certified by several 
people.  
----------------------------------------------------------------------------- 
  
                      PGP-SERVER POLICIES  
  
You can send your PGP public-keys to pgp-keys@utopia.hacktic.nl  
  
Your key will be added to our public keyring.  In order to certify your key,  
so that other people know that the key is actually yours, make sure it is  
signed by other people before sending it in.  It is advisable to have your  
key signed by as many people as possible, before sending your key to our  
key-server.  Make sure that the people that sign your key are 100% sure of  
the fact that the key is yours.  
  
Keys will only be signed by me if I'm 100% sure about the sender of the key.  
This requires a voice validation of your key's ASCII-armor.  I will NOT sign  
ANY keys that I don't trust 100%.  E-Mail is subject to many types of forgery 
and is not a secure channel for verification.  Verification can only be done  
by you reading to me some indicated characters in your key's ASCII armor,
either over the phone, or by visiting me personally.  
  
For a pgp-server to work, it is absolutely crucial to keep the above stated
points in mind.  Security is your responsibility, if you want other persons
to trust your key, see to it that it is signed by a lot of people that are
competent in key-management.
  
If you don't want your key to be signed then that's your responsibility.  
You'd make it easy for any attacker to forge a key that is supposed to be  
yours.  All users of the hacktic-PGP server are advised _not_ to use any  
unsigned keys.  
  
        Felipe Rodriquez, key-manager@utopia.hacktic.nl  
                          nonsenso@utopia.hacktic.nl  
--  
    pgut1@cs.aukuni.ac.nz || peterg@kcbbs.gen.nz || peter@nacjack.gen.nz  
                           (In order of preference)
------------------------------------------------------------------------------