From: Shawn McMahon Area: Public Key Encryption To: Scott Mills 23 Aug 94 23:09:16 Subject: Net 106 still at it? Despite the stern warnings of the tribal elders, Scott Mills said this to Shawn McMahon: SM> Not true Shawn. There is a prominent talk show host sydicated in SM> over a hundred markets who openly states that even though he SM> has 9 felony convictions and can't possess a firearm his SM> wife owns several dozen. Only because the relevant DA doesn't give a crap. He'll have BATF knocking down (not on) his door if he pisses off the right people. SM> Some of which she keeps on his side of the bed. Also you SM> can be given that right back if you talk the right SM> politicians into it. Same with the right to vote I believe. Individual states do have laws under which you can get back the right to vote. However, the Supreme Court has ruled that they can *NOT* give you back the right to own a firearm. Give it up, Scott; you can't beat me on legal issues. 'side's, we'll be off-topic if we continue. 201434369420143436942014343694201434369420143436942014343694718 From: Shawn McMahon Area: Public Key Encryption To: Ron Pritchett 23 Aug 94 23:08:20 Subject: Pres/Vice Pres Despite the stern warnings of the tribal elders, Ron Pritchett said this to Shawn McMahon: RP> key William J Clinton (384/23BDC6F9 1980/01/01) RP> sig Albert Gore (DE09D78D 1994/05/23) RP> key Albert Gore (384/DE09D78D 1980/01/01) RP> sig Albert Gore (DE09D78D 1994/08/12) RP> sig William J Clinton (23BDC6F9 1993/05/23) RP> notice the dates! Forget the dates; notice the key sizes. NSA wouldn't let 'em get a 384-bit key out. That'd be very bad; even if it was real, it'd be worth somebody's while to crack it. That shoulda been yer first clue they were fake, even before the lack of Clinton's third initial. Besides, the Pres wouldn't circulate a PGP key while he's pushing for a digital sig standard. It'd be a politically dumb thing to do. 201434369420143436942014343694201434369420143436942014343694718 From: Kevin Lo Area: Public Key Encryption To: Tony Belding 21 Aug 94 11:30:06 Subject: Re: -- Help -- Greetings Tony, -=-= On 17 Aug 94 at 21:38, you wrote to Kevin Lo =-=- TB> I would suggest you avoid high ASCII if at all possible. Believe it or TB> not, there are computers out here in the wide world that don't use the IBM TB> PC character set! For example, your "box" looks rather ugly on my Amiga. Well, I've already changed my box several times, and I ended up with this. :> Thanks for your input! Kevin |o|---------------------------------------------------------------------|o| |o|Kevin Lo | Internet: dt194@nextsun.ins.cwru.edu | Freq' KEVLO.ASC |o| |o|FDC Merlin| FidoNet: 1:374/98.5 (Palm Bay, Fl) |@1:374/98 - PGP Key|o| |o|---------------------------------------------------------------------|o| 201434369420143436942014343694201434369420143436942014343694718 From: Christopher Baker Area: Public Key Encryption To: Dave Hodgins 21 Aug 94 14:46:58 Subject: Re: PGP26A is out -----BEGIN PGP SIGNED MESSAGE----- In a message dated: 18 Aug 94, Dave Hodgins was quoted as saying: DH> A file has appeared here called PGP26A.ZIP. The readme file DH> claims this version "fixes all known bugs" in the 2.6 version. I'm DH> very suspicious. 'appeared' there? don't you know where your files come from? this file was distributed via the PUBKEYZ1 file distribution. it is an authentic and well tested version that is as its docs state. when a file is hatched into PUBKEYS[Z1], you can presume that it is what it sez it is. DH> The pgp.exe file is signed by the key DH> "Rebellious Guerrilla ". DH> Source files are not included. source was hatched. PGP26ASR.ZIP. DH> The rebel key is not signed by any other keys. must be an old key. it has been signed by most if not all of the hatching members of PUBKEYS[Z1] distribution. DH> Does anyone here have any info on this "release"? don't you read this Echo? this is the second time someone has asked on the Internet a question that has nothing to do with anyone outside this venue. please pay attention if you want to keep up. thanks. TTFN. Chris -----BEGIN PGP SIGNATURE----- Version: 2.6a Comment: PGP 2.6 is LEGAL in Zone 1! So USE it! [grin] iQCVAgUBLlehFssQPBL4miT5AQGO3AQAtER9oKVSxG+XDMBKVbxbvP4bILbyYSyr 3ji71YOzm/WkMTFXKVB2m1nAwqMFp7gGkb8AUnDEike3ec3n7Kht+rF7PkoauVlO l+50QKbfxHhl2WUvPjdAbIegNHN7hCRh8OvtzipLTfB/LjoEz5giVv664JuKXaaL mUeiPJSrSlA= =fArd -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Christopher Baker Area: Public Key Encryption To: David Chessler 21 Aug 94 20:41:52 Subject: Re: Pres/vice pres -----BEGIN PGP SIGNED MESSAGE----- In a message dated: 19 Aug 94, David Chessler was quoted as saying: DC> The next version of PGP will almost certainly have a -krs command, DC> to remove or even revoke a signature. PGP already has a -krs command to remove signatures from any userid. when PGP 2.6 was mangling my PUBRING.PGP when attempting to remove obsolete signatures, i had to use that command to manually take the old stuff off of all my collected keys on my personal keyring. it works just fine but it takes work. maybe you were referring to a global remove command? [grin] TTFN. Chris -----BEGIN PGP SIGNATURE----- Version: 2.6a Comment: PGP 2.6 is LEGAL in Zone 1! So USE it! [grin] iQCVAgUBLlf0Q8sQPBL4miT5AQHANwP+KYXn3Pxkcdx/2JTNNARuaJ07O8sDj3nv I/DJxsZcNejyi6EOsXxaIToJGF1q7YdTmZRECCpy56RrO/yq7FPSQ0bpFyZnmo/U L7M9fY0xuc+1E2vUAGz3kHSIeZ7+Ni+Rq96QGn+uRsRa7L2mWsHCETMo53PU6zfe ifKccxrzOdU= =Nfw+ -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Marc Stuart Area: Public Key Encryption To: Dave Hodgins 21 Aug 94 09:41:00 Subject: PGP26A is out -----BEGIN PGP SIGNED MESSAGE----- DH> A file has appeared here called PGP26A.ZIP. The readme file claims DH> this version "fixes all known bugs" in the 2.6 version. I'm very DH> suspicious. DH> Source files are not included. I received this file and the source for it. I'm not about to call it an official release, but since the source code for just about every version of PGP is or has been readily available, anyone has the ability to generate their own version. Which version you use is totally up to you. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLldZcJ0oU3J5RriBAQHORgP9EU69HuG5icMXuBTnp2ZIL1AdYRKhNMjw NglqWfv5XAk2mo5hDUPnAzVRNULmpfPvBsAdwo1qtbmOjdEMIgj8InmFRnfmep88 d2VA1GcZvajVkujRMMeQg/5PXumWAwls2/yX/jKdjbdS7lK3h9F8iOQBZFHk5W9k w1cLw+JKkoU= =8UQm -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 ... To remove dust from the eye, pull the eye down over the nose. 201434369420143436942014343694201434369420143436942014343694718 From: Wes Landaker Area: Public Key Encryption To: Tony Belding 21 Aug 94 09:23:30 Subject: -- Help -- -----BEGIN PGP SIGNED MESSAGE----- Hello Tony! 17 Aug 94 21:38, Tony Belding wrote to Kevin Lo: KL> How do I get PGP to sign a a GoldED message, with high-ascii KL> in it (my box) without treating it as a binary file? TB> I would suggest you avoid high ASCII if at all possible. Believe TB> it or not, there are computers out here in the wide world that TB> don't use the IBM PC character set! For example, your "box" TB> looks rather ugly on my Amiga. And, believe it or not, there are languages out there in the world that use use other symbols that aren't in English's twenty-six letter alphabet. :) It's much more annoying to try to correspond in French or German without any accents or umlats than it is to make a few minor modifications to software. The PGP source can be modified to _always_ clearsign when you tell it to clearsign. It's faily easy to do; it's right in PGP.C, and you basically just need to comment out a line or three to stop PGP from even checking. =) Of course, then you don't want to try to clearsign any binary files, or your going to have problems. ;) wjl [Team OS/2] * 1:202/1822@fidonet.org * 371:30/1@chnet.ftn * * wjl@f1822.n202.z1.fidonet.org * PGP Key: AD2254A5 * FREQ: PGPKEY * -----BEGIN PGP SIGNATURE----- Version: 2.6wjl iQCVAgUBLleNnclPrmStIlSlAQE0mgQAsDKfKqNCh3774PxZb/sR+5oYROeLcJkq RHmiGFEsxPyoHNQ30NAQlWlbX2uQyeSxDOwVd3eRrHtsXe4aco4u/i7B7Tcvy0rH lb8xlc6vunZdhtye8ZN8ya4p/xrY8l1yZo7/haxdDUgZLpAJ4DGqdotJv/J3aH9U XAqQjXUUbrI= =vcH5 -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Dan Booth Area: Public Key Encryption To: Jason Carr 22 Aug 94 05:48:00 Subject: Re: Dallas Area Or Internet --> Dan Booth Quotes a message written by Jason Carr --> to Dan Booth on 08-19-94 22:08 saying: JC> following up a message from Kevin Lo to Dan Booth: JC> JC> DB> Hi I'm trying to locate the file PGP26.zip either in the JC> area JC> DB> or somewhere on the Internet? Any help would be apprecia JC> in JC> DB> advanced. JC> JC> It's FREQable and d-loadable from my bbs (below) on the first JC> JC> jason JC> JC> ... Oh, you ALWAYS get to be Jesus. JC> Thanks Jason, I got it already from the Internet...figured it out. 201434369420143436942014343694201434369420143436942014343694718 From: Alan Pugh Area: Public Key Encryption To: Shawn McMahon 21 Aug 94 13:37:08 Subject: Re: pgpblue -----BEGIN PGP SIGNED MESSAGE----- =snip= SM> I haven't done benchmarks, but gut instinct and years of experience SM> tell me my 486DX40 runs rings around it. SM> BTW, OS/2 seems to multitask a lot smoother than the HP's operating SM> system. SM> However, I'm surprised your local electric company doesn't give you an SM> HP for free; if you actually used it, they'd make their money back in SM> mere months. i know a guy who uses his to heat his house in the winter. SM> As for security on those things: we used to spend spare minutes SM> recreating Trojan Horse programs from scratch on the thing. Didn't SM> have to bother to keep a copy lying around, because it was too easy to SM> make another. I wouldn't recommend running PGP on it if anybody SM> capable of rudimentary BASIC programming has been on it for more than SM> an hour, ever. most people wouldn't be familiar enough with the system to be able to do much. i've got some stuff from eugene volokh on how to make yourself sysgod very quickly and easily. i know most of the gotchas as i worked as sysop for about 7 years on them. i dont know if they had _mpex_ by vesoft on y'alls system, but this is pretty good at helping to plug most holes. i'd like to be able to set up a computer like this as a bbs as it is the most reliable computer i've ever worked on. i had the highest uptime on my systems than any computer in our company. (approx 25 minutes downtime every other month). since it is a multiuser system, pgp wouldn't be a very good program to run on it. i wouldn't really reccomend pgp on mulituser unix systems either, but i know it is done. there is no real way to protect your private keys on such a system. this is a real issue if public key encryption is to be universally adopted. let's say you are on a multiuser unix system and a fed of some kind wanted a copy of your private key. you could purge your private key if you wanted, but that really wouldn't help much since the file would almost undoubtably be on magtape somewhere, and there are few companies indeed that would not give the file to a fed, as they wouldn't want the irs up their rear with a microscope. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCxAgUBLleexdQ9obngT6LhAQHLfwTfWLlKkA8rLDagiu1fSvuMCyZBOUzalrVn Rea/k1Hjmq87G+vGVkbg6oTcuMcU8UGqoeXqykN3RFZQqrpZ0wGo/8ASixjkxxG8 yZygdpmZN1L559rmYnTpOiiCqRxz8epOhcAH6GxcRKMpEVp0yP70xh5Ch9ftWfk/ 4on7MTQ94Xp+tisSo3KGM93hN+aurLfEvrQcw7biwQrhHYRC =hb/+ -----END PGP SIGNATURE----- ~~~ PGPBLUE 2.5 ... I drank What? - Socrates 201434369420143436942014343694201434369420143436942014343694718 From: Tim Devore Area: Public Key Encryption To: Mike Riddle 21 Aug 94 18:14:08 Subject: Net 106 still at it? In a message of 18 Aug 94 Mike Riddle wrote to me: MR> In a message to Scott Mills on Aug 15 94 at 23:19, Tim Devore wrote: TD>> No it's not "against the law" for the sysop to review any TD>> Net Mail. Find a copy of the Policy4 and read section 2 and TD>> it will fill you in on alot of stuff. MR> It might not be against policy, but in the U.S. you better check out MR> the ECPA, and Steven Horn informs us there is similar legislation in MR> Canda. As it states in the FIDOPolicy4 the sysop can read all mail, including net-mail but the contents of the net-mail are not allowd to be disclosed without permission from the writter or reciever of said net-mail. When the contents of any net-mail message are disclosed without any permission then that is where the law steps in. But I'm glad to hear that things are changing towards net-mail privacy. They really need to update the Policy4 and get it up to the times. MR> The ECPA tells you when and how you may read netmail on your system and MR> under what limited circumstances and to whom you may disclose your MR> knowledge. I can read any un-encrypted net-mail that passes through my sysops BBS of which I'm a co-sysop and I can read it when and how I want but I can't disclose any of that info without permission from the writter or reciever of it. BTW, I don't read any net-mail unless it's for me because I only get my net-mail at my point and don't go through the BBS to get it. MR> "The contents of this message are intended as general legal information MR> and should not form the basis for legal advice of any kind". No problem. I need to know what's going on with this kinda stuff anyway. I'm all for Public Key Encryption and will fight to the bitter end to keep it around. I don't feel that Sysops should be held liable for the contents of any net-mail/private message sent to or through his/her system. But the software that deals with the tossing/scanning of messages should be permantly set to have the net-mail private flag ackowledged. I'm not going to get into another debate on this subject. I know that the privacy laws are being changed to cover e-mail. Tim Devore, Amiga Library-Op, Co-Sysop of Realm of Thought 201434369420143436942014343694201434369420143436942014343694718 From: Tim Devore Area: Public Key Encryption To: Rich Veraa 21 Aug 94 18:16:14 Subject: Net 106 still at it? In a message of 18 Aug 94 Rich Veraa wrote to me: TD>> No it's not "against the law" for the sysop to review any Net Mail. TD>> Find a copy of the Policy4 and read section 2 and it will fill you TD>> in on alot of stuff. RV> Nope.. Pol 4 was written prior to the Federal Electronic Communications RV> Privacy Act. It's now illegal. Then I guess FIDO lag is hitting Pol 4 and they need to update it like yesterday. Creates a conflict of interest when the don't update things like Pol 4 as often as they should. Tim Devore, Amiga Library-Op, Co-Sysop of Realm of Thought 201434369420143436942014343694201434369420143436942014343694718 From: David Rye Area: Public Key Encryption To: Christopher Baker 21 Aug 94 17:23:10 Subject: Comment Hello Christopher... Sunday August 14 1994, Christopher Baker wrote to David Rye: DR>> How did you get the comment to show up? CB> by putting the following in my CONFIG.TXT in the PGP directory: CB> comment=PGP 2.6 is LEGAL in Zone 1! So USE it! [grin] Thanks. L8er Dave ... Diplomacy: Saying 'nice doggy'... until you find a rock. 201434369420143436942014343694201434369420143436942014343694718 From: Michel Bertler Area: Public Key Encryption To: Kevin Lo 20 Aug 94 08:46:00 Subject: -- Help -- -----BEGIN PGP SIGNED MESSAGE----- Hello Kevin! 13 Aug 94 15:57, Kevin Lo wrote to All: KL> Greetings All, KL> How do I get PGP to sign a a GoldED message, with high-ascii in KL> it (my box) without treating it as a binary file? I tried KL> changing the charset to ASCII, cp850 (something like that) and KL> alt_codes, and still nothing worked. I tried: 'pgp +force -sta KL> golded.msg' at the command line. Seems to me you're requesting how to "clear sign" a message from Golded?! Ok first, remove the "+force" from your command line, for some weird reason as I've already experienced this myself, I couldn't get PGP to work properly with this "+force" addition into command line. Here's a brief sample of my Golded implemented commands menu for PGP, if you wish you could add these few lines to your GOLDED.CFG file and adapt them to your convenience: EXTERNUTIL 1 c:\pgp\pgp.exe -sta @file -o @file EXTERNUTIL 2 c:\pgp\pgp.exe -sea @file "@dname" -u "@oname" -o @file EXTERNUTIL 3 c:\pgp\pgp.exe -ea @file "@dname" "@oname" -o @file EXTERNUTIL 4 c:\pgp\pgp.exe @file -o @file EXTERNUTIL 5 c:\archives\list.com EDITSAVEUTIL 1 "I PGP clearsIgn the msg" EDITSAVEUTIL 2 "S PGP encSign the msg" EDITSAVEUTIL 3 "E PGP Encrypt the msg" EDITSAVEUTIL 4 "D PGP Decrypt the msg" EDITSAVEUTIL 5 "L List!" Now, whenever you want to "clear sign" a message, press & release F2 then key "i" and save as usual. BTW, this message has been processed the same way. Michel - --- GoldED 2.42.G0615+ -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLlX/giS7hDvuVNVxAQGmggQAl1Vh/cUVyds5KEyN/S03Q/U9OeuFMy1v ZzKQLrVblnK57rmIezOVim0BZoN6NCmn3iuw80i9dyEzHJprQXA5eR9jqCrMN6OV L+wBU6HF4Ipmdv98AmSEYdrw4PJwBj471Mtgf8BEoxvL17HY4R8A/UpYiITMjJIf 68Z9QKDj2jc= =/kLd -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: jason carr Area: Public Key Encryption To: Jim Grubs 21 Aug 94 23:24:06 Subject: Pkey_drop Jim Grubs wrote in a message to Lloyd Warren: JG> fbihh.informatik.uni-hamburg.de. I don't trust the American JG> keyservers -- particularly MIT's. Why not? Are they incompetent or deliberately screwy or what? Enquiring minds want to know. jason ... I guess a cynic smells different. 201434369420143436942014343694201434369420143436942014343694718 From: jason carr Area: Public Key Encryption To: Shawn McMahon 21 Aug 94 23:39:10 Subject: New to PGP -----BEGIN PGP SIGNED MESSAGE----- Shawn McMahon wrote in a message to jason carr: jc> That is correct: it is good form, imo, to ask permission before jc> doing anything that might agitate the mod. SM> Did you netmail Chris to ask him if he was offended by SM> abbreviations before you used "imo?" Acronyms save space, not "waste" it. SM> That's just as legitimate a target for objection as digital SM> sigs. The use of acronyms and emoticons is a longstanding email tradition. SM> There is no court case pending in which it is being claimed SM> that digital sigs are illegal. There is no one testifying SM> before Congress for them to make digital sigs legal. Ahhh, but there =has= been testimony given about digisigs. jc> i would ask before posting anything on someone else's corkboard. SM> Did you netmail Chris to ask permission to post in this echo SM> before you did? Chris has made this a conf open to all. I saw there were no "Mod Approval Required" flags on the EListing before I AREAFIXED it. SM> The object is to make allowing digital sigs the norm, SM> instead of the reverse. Agreed. SM> If you take actions that entrench SM> the opposition's position, you're part of the problem SM> instead of part of the solution. We're just going to have to disagree on this point. i think that diplomacy and tact secure more longterm objectives than clearsigning without permission. Still, your POV has given me a chance to reconsider and qualify my position. I appreciate the time you've put into this. It's definitely a strategic point we needed to discuss on this. jc> But I argue that it's bad form to behave in such a way that the jc> mod is forced to =make= a new rule. SM> If everyone who wants to protect his rights by signing his SM> mail asks permission first, moderators will find it easy to SM> say "no." There are precious few =rights= in fidonet. SM> If, on the other hand, everybody signs their mail, SM> moderators will have to take the time and trouble to tell SM> them "sorry, you have to quit doing that." SM> Then they'll have to respond to "why?" I prefer not to urge users to steamroll my brother moderators with unneccesary work on their echos. :\ SM> Nobody will have done anything wrong, and the problem will SM> go away. I'm not saying it's wrong, I'm saying it's just rude and may work against our long term goals. jason ... Never use a preposition to end a sentence with. - --- timEd-B9 # Origin: Log on, Tune in, Burn out. Irving Tx 214.650.0382 (1:124/3208) * Origin: PODNet <-> FidoNet EchoGate! (93:9600/0.0) SEEN-BY: 107/946 147/1077 259/212 382/7 640/217 3611/19 9600/0 201434369420143436942014343694201434369420143436942014343694718 From: Christopher Baker Area: Public Key Encryption To: Jason Carr 22 Aug 94 22:43:56 Subject: Re: Re: Double-Key ENCRYPTION -----BEGIN PGP SIGNED MESSAGE----- In a message dated: 20 Aug 94, Jason Carr was quoted as saying: JC> * Reply to msg originally in Fido: INTERNET: For discussion of JC> TK> freeware implementation of a public key encryption system. JC> PGP 2.6 is JC> TK> available, but I haven't been able to locate it as yet. It JC> What's the real deal. Is 2.6 unsafe? Has anybody talked to Phil JC> about it? the msg you are questioning must be very old since this was hashed out months ago. JC> Anybody out there know enough about the source to check it out? 2.6 has bugs but is a genuine version. your msg date is two days ago. have you been away? TTFN. Chris -----BEGIN PGP SIGNATURE----- Version: 2.6a Comment: PGP 2.6 is LEGAL in Zone 1! So USE it! [grin] iQCVAgUBLlliYcsQPBL4miT5AQH/oAP8D+zzI4Z1MRyjUwiGu6UbixDy/DtfaZWU mPNMtHAQdFljdcTszdAHA47QX7oXUIv12lqDexGogSiR50NkI/Ve+8wjwpYjJxH5 ou3C/0XbHmpmFkFlu+YxA7JLhMWfkwb3TwHvKsqdeaCWII40OHEpNiPp+AU1xdG+ UzbURDZ3XH8= =JdQz -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Christopher Baker Area: Public Key Encryption To: Rick Munday 22 Aug 94 22:46:46 Subject: Re: Signature Test -----BEGIN PGP SIGNED MESSAGE----- In a message dated: 21 Aug 94, Rick Munday was quoted as saying: RM> PID: WILDMAIL!/WC v4.00 93-0963 RM> -----BEGIN PGP SIGNED MESSAGE----- RM> -----BEGIN PGP SIGNATURE----- RM> -----END PGP SIGNATURE----- perfectly normal. TTFN. Chris -----BEGIN PGP SIGNATURE----- Version: 2.6a Comment: PGP 2.6 is LEGAL in Zone 1! So USE it! [grin] iQCVAgUBLlljCcsQPBL4miT5AQFRRwQAmgrLZPEdU/PDtaQfn8rwXRThO8b/xQaT g7WTSjFEiSs2O4LhO1SpZQTxZRo27FM92hKgMteHL4OIxLhIDUcvMpIzeBQgMLOH 2Ojg86hfmWefB7xDVKuxhGYLv+5/ben0lGZGe+FezrUb7hfME6JSdfzsCO29Tq7M hW55GmIVE1k= =kABP -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718 From: Jim Grubs Area: Public Key Encryption To: All 21 Aug 94 11:05:00 Subject: PGP26A From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Newsgroups: alt.security.pgp Subject: Re: PGP 2.6a -- real or fake? Safe? enystrom@palace.infinet.com (enystrom@palace.infinet.com) writes: > I received (by a Fidonet distribution method), three files a couple of > days ago, purporting to be PGP 2.6a. I looked, and firstly, there is no > internal pgp zip file, and secondly, it doesn't seem to be by one of the > "regular" authors. It is NOT an official version. The official version of MIT-PGP must carry the detached signature of Jeff Schiller. If it is not there - the version is bogus. Now, is your bogus version malicious? I don't think so - it looks as a legitimate attempt of somebody to fix the bugs and disable the legal kludge. However, the problem is that you have no way to *know* that, unless you check (and understand) every single line of the sources yourself. For all you know, it might be adding NSA's public key to the list of recepients of all messages that you encrypt with it. :-) Therefore, it is safer not to trust it, since it is not signed by a trusted developer. Regards, Vesselin -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany 201434369420143436942014343694201434369420143436942014343694718 From: Jim Grubs Area: Public Key Encryption To: All 21 Aug 94 11:06:00 Subject: Phil's views From: colin@nyx10.cs.du.edu (Colin Plumb) Subject: Zimmermann on PGP 2.6 myths Philip Zimmermann sent this out to cypherpunks, and asked me to forward it to the rest of the world, as he has lousy news service. Obviously, you can check the signature to make sure I didn't just make it up. Apparently there's been a lot of weird rumours flying about. -- -Colin -----BEGIN PGP SIGNED MESSAGE----- To: All Users of PGP From: Philip Zimmermann, creator of PGP Re: Misconceptions about PGP 2.6 from MIT Date: 18 Aug 94 I'd like to clear up some widely held misconceptions about PGP version 2.6 from MIT. I get a lot of email and phone calls from people who report a lot of misinformation on many Internet newsgroups about this MIT version of PGP. (For those of you who need an introduction to Pretty Good Privacy (PGP), it is a free software package that encrypts email. PGP is the worldwide defacto standard for email encryption. It's available via FTP from net-dist.mit.edu, in the pub/PGP directory. But then, if you haven't heard of PGP, you don't need to read this letter.) Here is a list of misconceptions: Myth #1: PGP 2.6 is incompatible with previous versions. Myth #2: PGP 2.6 is weaker than previous versions, with a back door. Myth #3: PGP 2.6 was released without Zimmermann's cooperation. All of these misconceptions would be cleared up if you read the PGP User's Guide that comes with PGP 2.6, but a lot of people seem to be spreading and believing these myths without looking into the matter empirically and getting the new PGP and reading the manual. Let's go over these myths in detail. - --------------------------------------------------------- Myth #1: PGP 2.6 is incompatible with previous versions. - --------------------------------------------------------- This is untrue. PGP 2.6 will ALWAYS be able to read stuff from earlier versions. PGP version 2.6 can read anything produced by versions 2.3, 2.3a, 2.4, or 2.5. However, because of a negotiated agreement between MIT and RSA Data Security, PGP 2.6 will change its behavior slightly on 1 September 1994, triggered by a built-in software timer. On that date, version 2.6 will start producing a new and slightly different data format for messages, signatures and keys. PGP 2.6 will still be able to read and process messages, signatures, and keys produced under the old format, but it will generate the new format. This change is intended to discourage people from continuing to use the older (2.3a and earlier) versions of PGP, which Public Key Partners contends infringes its RSA patent (see the section on Legal Issues). PGP 2.4, distributed by Viacrypt (see the section Where to Get a Commercial Version of PGP) avoids infringement through Viacrypt's license arrangement with Public Key Partners. PGP 2.5 and 2.6 avoid infringement by using the RSAREF(TM) Cryptographic Toolkit, under license from RSA Data Security, Inc. According to ViaCrypt, which sells a commercial version of PGP, ViaCrypt PGP will evolve to maintain interoperability with new freeware versions of PGP, beginning with ViaCrypt PGP 2.7. It appears that PGP 2.6 has spread to Europe, despite the best efforts of MIT and myself to prevent its export. Since Europeans now seem to be using version 2.6 in Europe, they will have no problems maintaining compatability with the Americans. Outside the United States, the RSA patent is not in force, so PGP users there are free to use implementations of PGP that do not rely on RSAREF and its restrictions. Canadians may use PGP without using RSAREF, and there are legal ways to export PGP to Canada. In environments where RSAREF is not required, it is possible to recompile the same PGP source code to perform the RSA calculations without using the RSAREF library, and re-release it under the identical licensing terms as the current standard freeware PGP release, but without the RSAREF-specific restrictions. The licensing restrictions imposed by my agreement with ViaCrypt apply only inside the USA and Canada. It seems likely that any versions of PGP prepared outside the US will follow the new format, whose detailed description is available from MIT. If everyone upgrades before September 1994, no one will experience any discontinuity in interoperability. Some people are attracted to PGP because it appeals to their rebellious nature, and this also makes them resent anything that smacks of "giving in" to authority. So they want to somehow circumvent this change in PGP. Even though the change doesn't hurt them at all. I'd like to urge them to think this one through, and see that there is absolutely no good reason to try to get around it. This new version is not "crippled" -- in fact, it is the old versions that are now crippled. I hope that PGP's "legalization" does not undermine its popularity. This format change beginning with 2.6 is similar to the process that naturally happens when new features are added, causing older versions of PGP to be unable to read stuff from the newer PGP, while the newer version can still read the old stuff. All software evolves this way. The only difference is that this is a "legal upgrade", instead of a technical one. It's a worthwhile change, if it can achieve peace in our time. Future versions of PGP now under development will have really cool new features, some of which can only be implemented if there are new data format changes to support them. Like 2.6, the newer versions will still read the older stuff, but will generate new stuff that the old versions can't read. Anyone who clings to the old versions, just to be rebellious, will miss out on these cool new features. There is a another change that effects interoperability with earlier versions of PGP. Unfortunately, due to data format limitations imposed by RSAREF, PGP 2.5 and 2.6 cannot interpret any messages or signatures made with PGP version 2.2 or earlier. Since we had no choice but to use the new data formats, because of the legal requirement to switch to RSAREF, we can't do anything about this problem for now. Not many people are still using version 2.2 or older, so it won't hurt much. Beginning with version 2.4 (which was ViaCrypt's first version) through at least 2.6, PGP does not allow you to generate RSA keys bigger than 1024 bits. The upper limit was always intended to be 1024 bits -- there had to be some kind of upper limit, for performance and interoperability reasons. But because of a bug in earlier versions of PGP, it was possible to generate keys larger than 1024 bits. These larger keys caused interoperability problems between different older versions of PGP that used different arithmetic algorithms with different native word sizes. On some platforms, PGP choked on the larger keys. In addition to these older key size problems, the 1024-bit limit is now enforced by RSAREF. A 1024-bit key is very likely to be well out of reach of attacks by major governments. In some future version, PGP will support bigger keys. This will require a carefully phased software release approach, with a new release that accepts larger keys, but still only generates 1024-bit keys, then a later release that generates larger keys. - --------------------------------------------------------------------- Myth #2: PGP 2.6 is weaker than previous versions, with a back door. - --------------------------------------------------------------------- This is not true. I would not allow MIT or anyone else to weaken PGP or put a back door in. Anyone who knows me will tell you that. This is not to say that PGP doesn't have any bugs. All versions have had bugs. But PGP 2.6 has no known bugs that have any net effect on security. And MIT should be releasing a bug-fixed version of PGP 2.6 Real Soon Now. - ---------------------------------------------------------------- Myth #3: PGP 2.6 was released without Zimmermann's cooperation. - ---------------------------------------------------------------- Well, that's not true, either. Or I wouldn't be telling you all this. MIT did not steal PGP from me. This was a joint venture by MIT and myself, to solve PGP's legal problems. It took a lot of manuevering by me and my lawyers and by my friends at MIT and MIT's lawyers to pull this off. It worked. We should all be glad this came off the way it did. This is a major advance in our efforts to chip away at the formidable legal and political obstacles placed in front of PGP; we will continue to chip away at the remaining obstacles. I hope this clears up the myths about PGP 2.6. I urge all PGP users to upgrade to the new version before September. And I urge you all to use the official 2.6 release, not anyone else's incompatible bastardized mutant strain of PGP. Please pass the word around, and help dispel these misguided rumors. This letter may be (and should be) quickly reposted to BBS's and all appropriate newsgroups. --Philip Zimmermann -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLlL/iWV5hLjHqWbdAQFV7AP/VBSa9BiRfTuoBonJdkwTVC8fNGW8aI7n QctOh+GrDaGl26rqtRjxtYTabAo+4B+sw6Dqz5o1OipKF/NuK7PFMzITdGMh940+ MXqOPCSLfDIwNzRzIHYQV/93jeJsixFZu/6j76mMxB6xrETXmswxIRicwm/QUxC1 0jbZEBrb/ug= =u7IY -----END PGP SIGNATURE----- 201434369420143436942014343694201434369420143436942014343694718