From: Reed Darsey Area: Public Key Encryption To: All 17 Aug 94 23:57:00 Subject: Re: PGP 2.6ui bugs Actually PGP 2.6ui's "-s" command *does* work. The CONFIG.TXT file in the archive has the "clearsig" line missing. In copying my 2.3a configuration over to 2.6, then 2.6ui and adding comments, I somehow didn't notice that that one line was missing, and thought that I was testing identical configurations. I wasn't. 201434369420143436942014343694201434369420143436942014343694718 From: Reed Darsey Area: Public Key Encryption To: All 17 Aug 94 06:39:40 Subject: Re: PGP 2.6ui bugs? }Quoting Reed Darsey to All on 08 Aug 94 21:57:25{ RD>> Are there any "new" bugs in 2.6ui that were not in 2.3a? RD>> RD>> The exectable I have is: pgp.exe 227288 05-27-94 14:16:26 Specifically, "PGP -s" does not work the same in both of them. (With idential CONFIG.TXT files.) Is this a bug, or do some parameters need to be twiddled? 201434369420143436942014343694201434369420143436942014343694718 From: Reed Darsey Area: Public Key Encryption To: All 18 Aug 94 19:15:18 Subject: PGP 2.6ui's CONFIG.TXT Watch out for PGP 2.6ui's CONFIG.TXT file. It is missing the "Clearsig" line, so unless it is edited in, or the command line equivalent is used it will appear that it won't clearsign correctly. If 2.3a's CONFIG.TXT file is used, rather than starting with 2.6ui's, everything will be OK, too. 201434369420143436942014343694201434369420143436942014343694718 From: Reed Darsey Area: Public Key Encryption To: All 18 Aug 94 19:18:16 Subject: Re: PGP 2.6ui bugs (I'm not sure if my original correction post made it, so I'm recapping it in this post.) PGP 2.6ui *will* clearsign correctly, once the "clearsig = on" line is put (back) in the CONFIG.TXT file. Some of us mistakenly thought that there was a bug. ... PGP 512/AE5BEFB5 [26 D3 A0 FB FB E2 D2 35 B5 26 4A E1 A1 FB CD B8] 201434369420143436942014343694201434369420143436942014343694718 From: Reed Darsey Area: Public Key Encryption To: All 23 Aug 94 18:16:08 Subject: signing our own keys The FAQ on PGP advises signing our own keys: 6.3. Should I sign my own key? Yes, you should sign each personal ID on your key. This will help to prevent anyone from placing a phony address in the ID field of the key and possibly having your mail diverted to them. Anyone changing a user id to your key will be unable to sign the entry, making it stand out like a sore thumb since all of the other entries are signed. Do this even if you are the only person signing your key. For example, my entry in the public key ring now appears as follows if you use the "-kvv" command: Type bits/keyID Date User ID pub 1024/90A9C9 1993/09/13 Gary Edstrom sig 90A9C9 Gary Edstrom Gary Edstrom <72677.564@compuserve.com> sig 90A9C9 Gary Edstrom And, I've seen discussion of other points, here, too. The example Gary gives is for two personal IDs. Suppose we have three? Is what I've done below adequate? Key ring: 'c:\pgp\pubring.pgp', looking for user ID "reed". Type bits/keyID Date User ID pub 512/AE5BEFB5 1993/07/15 Reed Darsey sig AE5BEFB5 Reed Darsey Reed Darsey <71450.3460@compuserve.com> sig AE5BEFB5 Reed Darsey Reed Darsey <1:3625/454@fidonet.org> sig AE5BEFB5 Reed Darsey 1 key(s) examined. 201434369420143436942014343694201434369420143436942014343694718 From: David Chessler Area: Public Key Encryption To: All 22 Aug 94 23:05:00 Subject: Pgp2.6a It was uploaded here as PGP26A.ZIP. I downloaded it with some surprise, because, while I had heard of it, I had just "visited" the MIT distribution site on August 15 and hadn't found it. It turned out to be an unofficial compilation, of which there are now many. While it claims to use the RSAREF software library, it's licensing status must be somewhat obscure. The compiler, "Rebellious Guerilla" includes his public key, which is endorsed by several people on the Fido PUBLICKEYS echo, but not by any of the regular programmers of PGP, such as Philip R. Zimmermann, Colin Plumb, et al. The program claims to be a bugfix for the official version 2.6. While it may have fixed some bugs, it did not run properly in my environment, misreading it's environment variable, so it was unable to read a file. While I can't say it won't work in some situations, and even fix some bugs, I do urge you to keep PGP 2.6 MIT on the board (here as PGP26.ZIP), since I know that one works (If it's already been deleted, let me know, and I'll upload again, no problem). I've also gotten PGP2.6 for the Mac direct from the MIT site, and will upload it here soon. ___ __ David.Chessler@f459.n109.z1.fidonet.org d_)--/d chessler@cap.gwu.edu chessler@trinitydc.edu CC: ALL on Fido PUBLICKEYS echo * SLMR 2.1b * E-mail: ->132 1:109/459 david.chessler@neteast.com 201434369420143436942014343694201434369420143436942014343694718 From: Scott Mills Area: Public Key Encryption To: Jason Carr 23 Aug 94 19:19:50 Subject: Double-Key ENCRYPTION -----BEGIN PGP SIGNED MESSAGE----- Saturday August 20 1994, Jason Carr writes to Tom Keller: TK>> freeware implementation of a public key encryption system. Commonly TK>> available version is 2.3a (pgp23a.[exe|zip]). SUPPOSEDLY, PGP 2.6 is TK>> available, but I haven't been able to locate it as yet. It also TK>> suffers from a *MAJOR* weakness, as a result of MIT caving in to TK>> pressure from the greedy bastards at PKP. JC> What's the real deal. Is 2.6 unsafe? Has anybody talked to Phil about JC> it? JC> Anybody out there know enough about the source to check it out? I think the weakness he means is the 9-1 deadline. After that it will generate files that can't be read by earlier versions. Also 2.6 does not like keys over 1k in size. I keep the 2.6u version around for proccessing keys and any out of zone one mail. Scott Gun Control = Job Safety For The Criminal. Scott Mills 1024/26CD5D03 PGP fingerprint = 13 D6 FF 43 53 3D 54 7B 94 D0 6B F4 24 13 E5 BD sm@f119.n265.z1.fidonet.org -----BEGIN PGP SIGNATURE----- Version: 2.6a iQCVAgUBLlpaWSP6qSQmzV0DAQGpxQP8CM2VtDY/KskxMRYxyY3G4IgkgZUeif90 SxVDrHHSNtLjewW0UN/l0IiGD3Nf+KSe8RcXhlBAXf1opaUHUSgDfUxO0FF/2DK4 sfsmSVhXU//wV6FOLGmSkgITp5LrHJjiYAitRc0xLIn4yffrNfr4490XQeIYw/iJ t90PRuTi0vs= =W2MR -----END PGP SIGNATURE----- --- 201434369420143436942014343694201434369420143436942014343694718 From: Tim Devore Area: Public Key Encryption To: Wes Landaker 22 Aug 94 21:39:30 Subject: Key Key In a message of 20 Aug 94 Wes Landaker wrote to me: WL> Hello Tim! Hello back! TD>> I have two keys and would like to know how to get both keys TD>> extracted into one file instead of extracting them sperately into TD>> their own files. WL> The easiest way to do that would be to extract them seperately into two WL> files (armored or not, no difference) then add them to a different WL> keyfile than pubring.pgp. If I were going to do this with my key and WL> your key, I'd do something like: WL> PGP -KXA "Wes Landaker" key1 (makes key1.asc) WL> PGP -KXA "Tom Devore" key2 (makes key2.asc) WL> PGP -KA key1.asc myring (makes myring.pgp) WL> PGP -KA key2.asc myring (adds to myring.pgp) Didn't try this one but I know that it will work. WL> PGP -KX "Wes Landaker" myring (makes myring.pgp) WL> PGP -KX "Tom Devore" key1 (makes key1.pgp) WL> PGP -KA key1 myring (adds to myring.pgp) WL> PGP -A myring (makes myring.asc) Got this to work and Thanks for the info you explained it real good. I know that if I can follow it without any troubles somebody that's just starting out using PGP will be able to follow it also. Somebody should come up with a doc of different combinations of commands and what the input and results would be the examples in the docs that came with the program are not as informative as your example(s) were. WL> If you want to post it. =) If I had your Key I would. :) I haven't been taking any Keys from the PKey_Drop echo yet until I get to know more people. TD>> This is a test to see if the clearsig stuff works for me so you TD>> won't be able to verify my sig until I post my key, sorry still TD>> testing things out. WL> It _looks_ like it works, but I don't have your key so I can't tell. :) I sent a signed note to a friend of mine who I sent my key(s) in a different message to see if I was getting it out right. Looks like I am so I will have my Key in the PKey_Drop here shortly. TD>> Version: 2.6 TD>> Comment: If you don't know the contents then don't claim responsibility TD>> for it WL> You might want to cut this comment down, though. It goes farther than WL> the 64 characters that the PGP radix-64 armor does, which isn't a good WL> thing, as far as reformating goes. =) I've seen some others that were as long but I was going to change what it said anyways, I was also seeing how that worked and what the limits were. Now I know and I have a nice little set of 'Aliases' setup for different commands and what they do, so if I want to clearsign the message I would use 'pgpcs' (which is my alias) and it does the rest. Thank you very much for your help and good explinations. Tim Devore, Amiga Library-Op, Co-Sysop of Realm of Thought 201434369420143436942014343694201434369420143436942014343694718 From: Rick Munday Area: Public Key Encryption To: Christopher Baker 23 Aug 94 18:00:00 Subject: Signature Test -----BEGIN PGP SIGNED MESSAGE----- While moving through Cyberspace Christopher Baker was heard to say: RM> PID: WILDMAIL!/WC v4.00 93-0963 RM> -----BEGIN PGP SIGNED MESSAGE----- RM> -----BEGIN PGP SIGNATURE----- RM> -----END PGP SIGNATURE----- CB> perfectly normal. YES! Thank you! I had a problem with the mail system on this board stripping my -'s before. The SysOp and I worked at it forever and no matter what we did the -'s were stripped. Looks like the *new* system does not do it! Thanks for the reply Christopher. Now I'm running in high gear.=] Rick -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLlp/hgRh3UW/7wZFAQH2fQQAivQMn5gqL/v5OPmZ9eNBMAmZjX3X8CCn k0l6mWjyKwZII/iwbTuCM0yusWyCNjLP5Xjy7Lqn+u3vIaEskHqvCZVXvt4UfViD /nc2+03f9U4s3q7r1sgYQ8/JKTUDUrB2oL9TPxoBLkACfA36urhuY6ZTd5if43zh N1FIVDMuHDw= =Z3Pe -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.0 ... -(o ) (o )- Look left -( o) ( o)- Look right (Good! Nobody here!) ___ Blue Wave/QWK v2.12 201434369420143436942014343694201434369420143436942014343694718 From: jason carr Area: Public Key Encryption To: Scott Miller 23 Aug 94 10:20:22 Subject: my old key revocation and new key --> Note: Reply to a message in PKEY_DROP. JL>block like the above. When I try to post my key all I get is JL>the smaller JL>block like below. Am I doing something wrong? SM> No, the reason his block is longer is because he has more SM> signatures on his key. The more sigs, the larger the SM> keyblock. I was wondering about that, myself... :) Thanks! jason ... "I've lost my flower," said Tom lackadaisically. 201434369420143436942014343694201434369420143436942014343694718 From: jason carr Area: Public Key Encryption To: Ryan Watson 23 Aug 94 10:22:54 Subject: My PGP Key --> Note: Reply to a message in PKEY_DROP. Ryan Watson wrote in a message to ALL: RW> Two keys. One for my handle. RW> R. Matthew Watson (BVFD Unit #1821) Hmmm. Did you want to have a totally seperate key for the handle? I mean, You can have multiple user IDs on the same key. More info available under _Editing_Your_User_ID_or_Pass_Phrase in PGPDOC2.TXT. jason ... Another day.. Another job hopelessly botched... 201434369420143436942014343694201434369420143436942014343694718 From: Jim Cannell Area: Public Key Encryption To: All 23 Aug 94 05:48:44 Subject: SecureMail -----BEGIN PGP SIGNED MESSAGE----- I wrote an article on SecureMail which has been published in this week's FidoNews (1134). I've also posted the article in the next message. If any of you are interested in becoming a SecureMail host, or know anyone else that might be interested, please let me know. We'd like to expand SecureMail into every net. Give this article all the publicity that you can. Post it in your local sysop Echo or any other place that you think my be appropriate. Permission is granted for translation into other languages where it would be useful. Thanks in advance for the help. Jim - International SecureMail Hub (ISMH) PGP key 1024/B7822B3D fingerprint = 0F F4 79 06 3B 33 99 D1 07 36 66 66 80 85 76 B3 Protect your right to privacy. Say no to GAK. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLlnxeCWTIMO3gis9AQF9hwP9FnJ/tdmjRAkPjFcvyhDFKyKDXbJ8wtUw oPQWSQBPEiSU1x2bgTHhnrbowwPY8NCgk1WU+W0ZkPDlbb5rRvA74saZZ7KJBu5a P9PFuUN2hPW8UYpJvDnnX0OGFBVoMoSajD01giIni8+s+UJguRU5EgNBeO/ObwjG Zd4QRpvRj9w= =dT6A -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Zorch Frezberg Area: Public Key Encryption To: Scott Mills 23 Aug 94 06:04:42 Subject: Net 106 still at it? In a msg on , Scott Mills of 1:265/119 writes: SM>> 6) Every criminal in the area will know you can't legally SM>> own a firearm, nor can your wife have one in the house. SM>> They'll come rob you, because they know you're a safe SM>> target. SM> Not true Shawn. There is a prominent talk show host sydicated in SM> over a hundred markets who openly states that even though he SM> has 9 felony convictions and can't possess a firearm his SM> wife owns several dozen. Some of which she keeps on his side SM> of the bed. Also you can be given that right back if you SM> talk the right politicians into it. Same with the right to SM> vote I believe. Of course most of us don't have the kind of SM> connections it would take to get them back. Partially correct. If the guns are registered in _her_ name, some states will allow it. However, most courts would recognize any possession within 'arm's reach' is a violation, depending on the jurisdiction. You can be given the 'right to bear arms' back _if_ you are able to gain a pardon; it will _NOT_ restore Federal Firearms License, as the ATF won't give it back. A pardon is generally a four step process, taking upwards of seven years to achieve. You can actually get your right to vote back before you can get a firearm legally. No connections, no bribes...just a long and tedious process. I can give you the full routine for CA, but other states vary from state to state, and county to county in some spots. What this boils down to is that you have spotty and less than uniform enforcement and control, much the same as how police investigators decide to check out tales of 'kiddie porn' or 'hacking'. When my systems were confiscated under warrant, I was advised that I would be charged with making pornography available to minors, credit card fraud, and 'hacking' since I had a 'known hacking' program on my system. The pornography was in the user upload area, which was inaccessible to users for download. The credit card fraud went totally over my head, since the only place there were any credit card numbers were in a personal property inventory in a word processor program...and were my own. The 'known hacking program' was one of two things: Either the mnemonic program which converts phone numbers into the letters (2=ABC, 3=DEF, etc.), or the four or five comm programs (TeleMate, ProComm, Lync, FidoTerm, and others) that were on the hard drive. This from a police officer who "went to the FBI Training Center" for study and "passed with commendations" in computer crime. The same officer also speaks of the dreaded "Modem Virus", a virus which activates -=*> during <*=- a file transfer...a virus that engineers for modem manufacturers state is totally impossible. So, because you run into one person who claims to get away with something, don't expect that to happen in another jurisdiction, let alone your own...it all depends on how stupid, ignorant, efficent, or well-trained the law enforcement agency is in your area... And no, I haven't gotten my equipment back yet; it's been almost a year. -zf- 201434369420143436942014343694201434369420143436942014343694718 From: Jim Grubs Area: Public Key Encryption To: Jason Carr 23 Aug 94 11:35:00 Subject: Double-Key ENCRYPTION > * Reply to msg originally in Fido: INTERNET: For discussion of the > Internet fr > TK> freeware implementation of a public key encryption system. Commonly > TK> available version is 2.3a (pgp23a.[exe|zip]). SUPPOSEDLY, PGP 2.6 is > TK> available, but I haven't been able to locate it as yet. It also > TK> suffers from a *MAJOR* weakness, as a result of MIT caving in to > TK> pressure from the greedy bastards at PKP. > What's the real deal. Is 2.6 unsafe? Has anybody talked to Phil about > it? > Anybody out there know enough about the source to check it out? This is all paranoid nonsense. First, Phil has repeatedly said to all who will listen that he was consulted in the release of 2.6 and approves it. Second, MIT itself is a member of PKP and always has been. Sincerely, Jim Grubs 201434369420143436942014343694201434369420143436942014343694718 From: Lloyd Warren Area: Public Key Encryption To: Rapier 24 Aug 94 00:31:00 Subject: Re: Pkey_drop -----BEGIN PGP SIGNED MESSAGE----- Rapier, In a message on 20 August, you wrote to me : RA> -=> Quoting Lloyd Warren to Christopher Baker <=- RA> LW> Do you echo to and/or retrieve from any Internet sites RA> LW> reachable RA> LW> via anonymous ftp? [...] RA> Why not simply send a request on Internet to one of the public key RA> servers on the 'Net. You can send a message for example to RA> pgp-public-keys@kub.nl with the message body containing the words; RA> GET John Smith RA> and the public key will then be e-mailed to you of the user john Smith. Absolutely correct! However, the key server can't return a key that isn't there. The point of the original question was whether Chris directly "exchanges" new keys between FIDO and INTERNET. His response indicated that he does not, although some others do. Therefore, one can expect to find FIDO PKey_Drop keys on the INTERNET key servers, even if they might be delayed a bit getting there. RA> ___--BEGIN PGP SIGNATURE----- ^^^ RA> Version: 2.6 RA> iQCVAgUBLlZKkkyJS+ItHb8JAQHyxQP+KfNaBT+sJv2nUbPt7cuwhkEsgfG1y1HU RA> dL1fljHC+Al2TxZiShYb4/E6eQP/83SGIrASVOmor9hKPGWH1EcT7xKYU9qGINNW RA> vlPNPUAkk94VpQVR6VnuDOnzR32CSoc6uX6LzCuyY6++nNh7sN0G4yu9B9G8ah+Y RA> rTZNikNtOdg= RA> =J0Yj RA> ___--END PGP SIGNATURE----- ^^^ BTW, something is modifying your signature block. lcw -----BEGIN PGP SIGNATURE----- Version: 2.6 Comment: lwarren@novalink.com or lloyd.warren@genie.geis.com iQCVAgUBLlrE+SWzIF/D4+xVAQGT5AP/e+CEjU7HSeYfMwirXhErnQPrqUoYWois 69otzqKuPEm21v7FVQ/2AEhPyB9Q4NBd4Fj74t+lAySW1VkRh0fK0PY1KMEhDRU+ HJ+p4cHg66fXFRFqIs7giT21sHpzey93qeIdi40zlPglgmSDDxuOFYsT9EeeW2aA 9azdwTrg+Bs= =67rA -----END PGP SIGNATURE----- --- ATP/DJgcc 1.42 201434369420143436942014343694201434369420143436942014343694718 From: Jerome Greene Area: Public Key Encryption To: Rick Munday 22 Aug 94 23:54:06 Subject: Signature Test -----BEGIN PGP SIGNED MESSAGE----- - -=> Rick Munday wrote in a message to All<=- Hello All, RM> Hope the -'s are all intact this time! Will someone let RM> me know how this comes out???? RM> RM> TTFN & Thanks, Everything looks good here. Jerome ... All humans are subject to decay. -----BEGIN PGP SIGNATURE----- Version: 2.6 Comment: JLG 1:282/76.1@fidonet.org iQCVAgUBLlmBYnF52VfebiBFAQFhggQAjA0HNIxIR+MK9A0q1KVCJp2owi2vpuUZ 9L8qF/jaVBMRNMieyTDGqnpT24Wi4df53haZIgZS7aLCl/Mx+42Ee9qQnMrwmUmm YFedzz3XFYEss1/FZXOuhCBzhcG8RTFdWYiwEAx5Wj6oNsXtMlwmpMaMgGZFMG+I WQof0YCKC1U= =mY6f -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Michael Pierson Area: Public Key Encryption To: ALL 23 Aug 94 17:40:00 Subject: Philip Zimmermann on PGP 2.6 On (20 Aug 94) Jason Carr wrote to Tom Keller... TK> available version is 2.3a (pgp23a.[exe|zip]). SUPPOSEDLY, PGP 2.6 is TK> available, but I haven't been able to locate it as yet. It also TK> suffers from a *MAJOR* weakness, as a result of MIT caving in to TK> pressure from the greedy bastards at PKP. JC> What's the real deal. Is 2.6 unsafe? Has anybody talked to Phil about it? JC> Anybody out there know enough about the source to check it out? Here's what Phil Zimmermann recently had to say on this subject: (Signature integrity was good when it left here) *****_RE-FORWARDED_MESSAGE_BEGINS_BELOW_***** -----BEGIN PGP SIGNED MESSAGE----- To: All Users of PGP From: Philip Zimmermann, creator of PGP Re: Misconceptions about PGP 2.6 from MIT Date: 18 Aug 94 I'd like to clear up some widely held misconceptions about PGP version 2.6 from MIT. I get a lot of email and phone calls from people who report a lot of misinformation on many Internet newsgroups about this MIT version of PGP. (For those of you who need an introduction to Pretty Good Privacy (PGP), it is a free software package that encrypts email. PGP is the worldwide defacto standard for email encryption. It's available via FTP from net-dist.mit.edu, in the pub/PGP directory. But then, if you haven't heard of PGP, you don't need to read this letter.) Here is a list of misconceptions: Myth #1: PGP 2.6 is incompatible with previous versions. Myth #2: PGP 2.6 is weaker than previous versions, with a back door. Myth #3: PGP 2.6 was released without Zimmermann's cooperation. All of these misconceptions would be cleared up if you read the PGP User's Guide that comes with PGP 2.6, but a lot of people seem to be spreading and believing these myths without looking into the matter empirically and getting the new PGP and reading the manual. Let's go over these myths in detail. - --------------------------------------------------------- Myth #1: PGP 2.6 is incompatible with previous versions. - --------------------------------------------------------- This is untrue. PGP 2.6 will ALWAYS be able to read stuff from earlier versions. PGP version 2.6 can read anything produced by versions 2.3, 2.3a, 2.4, or 2.5. However, because of a negotiated agreement between MIT and RSA Data Security, PGP 2.6 will change its behavior slightly on 1 September 1994, triggered by a built-in software timer. On that date, version 2.6 will start producing a new and slightly different data format for messages, signatures and keys. PGP 2.6 will still be able to read and process messages, signatures, and keys produced under the old format, but it will generate the new format. This change is intended to discourage people from continuing to use the older (2.3a and earlier) versions of PGP, which Public Key Partners contends infringes its RSA patent (see the section on Legal Issues). PGP 2.4, distributed by Viacrypt (see the section Where to Get a Commercial Version of PGP) avoids infringement through Viacrypt's license arrangement with Public Key Partners. PGP 2.5 and 2.6 avoid infringement by using the RSAREF(TM) Cryptographic Toolkit, under license from RSA Data Security, Inc. According to ViaCrypt, which sells a commercial version of PGP, ViaCrypt PGP will evolve to maintain interoperability with new freeware versions of PGP, beginning with ViaCrypt PGP 2.7. It appears that PGP 2.6 has spread to Europe, despite the best efforts of MIT and myself to prevent its export. Since Europeans now seem to be using version 2.6 in Europe, they will have no problems maintaining compatability with the Americans. Outside the United States, the RSA patent is not in force, so PGP users there are free to use implementations of PGP that do not rely on RSAREF and its restrictions. Canadians may use PGP without using RSAREF, and there are legal ways to export PGP to Canada. In environments where RSAREF is not required, it is possible to recompile the same PGP source code to perform the RSA calculations without using the RSAREF library, and re-release it under the identical licensing terms as the current standard freeware PGP release, but without the RSAREF-specific restrictions. The licensing restrictions imposed by my agreement with ViaCrypt apply only inside the USA and Canada. It seems likely that any versions of PGP prepared outside the US will follow the new format, whose detailed description is available from MIT. If everyone upgrades before September 1994, no one will experience any discontinuity in interoperability. Some people are attracted to PGP because it appeals to their rebellious nature, and this also makes them resent anything that smacks of "giving in" to authority. So they want to somehow circumvent this change in PGP. Even though the change doesn't hurt them at all. I'd like to urge them to think this one through, and see that there is absolutely no good reason to try to get around it. This new version is not "crippled" -- in fact, it is the old versions that are now crippled. I hope that PGP's "legalization" does not undermine its popularity. This format change beginning with 2.6 is similar to the process that naturally happens when new features are added, causing older versions of PGP to be unable to read stuff from the newer PGP, while the newer version can still read the old stuff. All software evolves this way. The only difference is that this is a "legal upgrade", instead of a technical one. It's a worthwhile change, if it can achieve peace in our time. Future versions of PGP now under development will have really cool new features, some of which can only be implemented if there are new data format changes to support them. Like 2.6, the newer versions will still read the older stuff, but will generate new stuff that the old versions can't read. Anyone who clings to the old versions, just to be rebellious, will miss out on these cool new features. There is a another change that effects interoperability with earlier versions of PGP. Unfortunately, due to data format limitations imposed by RSAREF, PGP 2.5 and 2.6 cannot interpret any messages or signatures made with PGP version 2.2 or earlier. Since we had no choice but to use the new data formats, because of the legal requirement to switch to RSAREF, we can't do anything about this problem for now. Not many people are still using version 2.2 or older, so it won't hurt much. Beginning with version 2.4 (which was ViaCrypt's first version) through at least 2.6, PGP does not allow you to generate RSA keys bigger than 1024 bits. The upper limit was always intended to be 1024 bits -- there had to be some kind of upper limit, for performance and interoperability reasons. But because of a bug in earlier versions of PGP, it was possible to generate keys larger than 1024 bits. These larger keys caused interoperability problems between different older versions of PGP that used different arithmetic algorithms with different native word sizes. On some platforms, PGP choked on the larger keys. In addition to these older key size problems, the 1024-bit limit is now enforced by RSAREF. A 1024-bit key is very likely to be well out of reach of attacks by major governments. In some future version, PGP will support bigger keys. This will require a carefully phased software release approach, with a new release that accepts larger keys, but still only generates 1024-bit keys, then a later release that generates larger keys. - --------------------------------------------------------------------- Myth #2: PGP 2.6 is weaker than previous versions, with a back door. - --------------------------------------------------------------------- This is not true. I would not allow MIT or anyone else to weaken PGP or put a back door in. Anyone who knows me will tell you that. This is not to say that PGP doesn't have any bugs. All versions have had bugs. But PGP 2.6 has no known bugs that have any net effect on security. And MIT should be releasing a bug-fixed version of PGP 2.6 Real Soon Now. - ---------------------------------------------------------------- Myth #3: PGP 2.6 was released without Zimmermann's cooperation. - ---------------------------------------------------------------- Well, that's not true, either. Or I wouldn't be telling you all this. MIT did not steal PGP from me. This was a joint venture by MIT and myself, to solve PGP's legal problems. It took a lot of manuevering by me and my lawyers and by my friends at MIT and MIT's lawyers to pull this off. It worked. We should all be glad this came off the way it did. This is a major advance in our efforts to chip away at the formidable legal and political obstacles placed in front of PGP; we will continue to chip away at the remaining obstacles. I hope this clears up the myths about PGP 2.6. I urge all PGP users to upgrade to the new version before September. And I urge you all to use the official 2.6 release, not anyone else's incompatible bastardized mutant strain of PGP. Please pass the word around, and help dispel these misguided rumors. This letter may be (and should be) quickly reposted to BBS's and all appropriate newsgroups. --Philip Zimmermann -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLlL/iWV5hLjHqWbdAQFV7AP/VBSa9BiRfTuoBonJdkwTVC8fNGW8aI7n QctOh+GrDaGl26rqtRjxtYTabAo+4B+sw6Dqz5o1OipKF/NuK7PFMzITdGMh940+ MXqOPCSLfDIwNzRzIHYQV/93jeJsixFZu/6j76mMxB6xrETXmswxIRicwm/QUxC1 0jbZEBrb/ug= =u7IY -----END PGP SIGNATURE----- *****_RE-FORWARDED_MESSAGE_ENDS_ABOVE_***** 201434369420143436942014343694201434369420143436942014343694718