-----BEGIN PGP SIGNED MESSAGE----- Pretty Good Privacy version 2.6.2i - READ ME FIRST Notes by Stale Schumacher 1995/05/07 You are looking at the README file for PGP release 2.6.2i. PGP, short for Pretty Good Privacy, is a public key encryption package; with it, you can secure messages you transmit against unauthorized reading and digitally sign them so that people receiving them can be sure they come from you. ABOUT THIS VERSION PGP 2.6.2i is not an official PGP version. It is based on the source code for MIT PGP 2.6.2 (the latest official version of PGP) and has been modified for international use. PGP 2.6.2i is probably illegal to use within the USA, but is fine in almost every other country in the world. This file only explains what is special to version 2.6.2i. For a more thorough installation and usage guide, refer to the file setup.doc and the documentation for PGP 2.6.2, which is included unmodified in the doc/ subdirectory that is created when you unpack the distribution archive. BACKGROUND Until about a year ago, there were only two "real" PGP versions around: PGP 2.3a which was the international freeware version, and 2.4 which was a commercial version sold in USA by a company called ViaCrypt. However, this situation changed dramatically in May 1994 when MIT released a special US freeware version of PGP (2.5), in order to put an end to the legal problems surrounding PGP. (PGP 2.3a was believed to be illegal in USA because of patent restrictions.) The new version had a number of limitations to encourage Americans that were using 2.3a illegally to upgrade to the legal version. However, these limitations resulted in a well of new PGP versions, more or less professionally put together by well-intending individuals who wanted a more flexible PGP than that offered by MIT. Suddenly, we had ten different PGP versions, not two. Even though PGP 2.5 and later releases from MIT introduced many bug-fixes and improvements over 2.3a, many non-US users of PGP have been reluctant to upgrade to the new versions because they feel that the PGP developers have abandoned the international PGP community by adding a number of restrictions that are only necessary within the USA. That is why I decided to make PGP 2.6.i (and later 2.6.2i): to put an end to all the PGP "hack versions" that flourish, and by giving the non-US users of PGP a version that is more "digestible" than those offered by MIT, and at the same time let them benefit from all the improvements that the new versions have introduced over PGP 2.3a. PGP 2.6.2i is a "real" 2.6 version, as it is based on the code tree for PGP 2.6.2 and not 2.3a. This release is basically a bug-fix for PGP 2.6.i, which was based on PGP 2.6.1. HOW WAS IT DONE? PGP 2.6.2i was put together by taking all the source files from PGP 2.6.2, adding a few #ifdef's and modifying a handful of lines - and that's it. In fact, the use of #ifdef's wherever a change has been made allows you to compile a version that is byte-identical to MIT PGP 2.6.2. This is accomplished by adding the -DMIT option when building the program, and by linking it with the RSAREF library (rsaglue2) rather than MPILIB (rsaglue1). Many of the accompanying text and documentation files for PGP 2.6.2 have also been updated in this release, as this had not been done since PGP 2.3a. In addition, a few minor but annoying bugs in PGP 2.6.2 have been corrected. For a detailed list of all the changes between 2.6.2 and 2.6.2i, see the file diffs.doc. DISTRIBUTION PGP 2.6.2i is distributed in the following files: - - pgp262i.zip This is the MS-DOS executable release, which includes the executable, support files, and basic documentation. - - pgp262is.zip This is a source code release, which includes all the source code needed to compile PGP and examples of usage. It also contains all the files in pgp26i.zip except the pgp.exe binary. - - pgp262is.tar.gz This contains exactly the same files as pgp26is.zip, except that they use Unix rather than MS-DOS line end conventions. If you are within the USA, you should download the files pgp262.zip, pgp262s.zip or pgp262s.tar.gz instead. DIFFERENCES BETWEEN PGP 2.6.2i AND 2.6.2 PGP 2.6.2i differs from MIT PGP 2.6.2 in the following ways: (1) It identifies itself as version 2.6.2i This is to clearly distinguish it from PGP 2.6.2. This is important because users within the USA should not use PGP 2.6.2i, and also because script files, shells and other PGP add-ons may need to know exactly how your copy of PGP will behave under different circumstances. (2) It uses PRZ's MPILIB instead of RSAREF PGP 2.3a and earlier versions use a special library for all the RSA encryption/decryption routines, called MPILIB, and written by Philip R. Zimmermann (PRZ), the original author of PGP. However, starting with version 2.5, all official releases of PGP have been using the RSAREF library from RSADSI Inc, a US company that holds the patent on the RSA algorithm in the USA. This change was made in order to make PGP legal to use within the USA. Please observe that PGP 2.6.2i does NOT use RSAREF, but rather PRZ's original MPILIB library, which is functionally identical to RSAREF and slightly faster on most platforms. Because 2.6.2i uses MPILIB rather than RSAREF, this PGP version is also able to verify key signatures made with PGP 2.2 or earlier versions. This is not true for MIT PGP, because the RSAREF library only understands the new PKCS signature format introduced in PGP 2.3. The use of the MPILIB library is the main reason why PGP 2.6.2i is probably illegal to use within the USA. If you are in the USA, you should compile the source code using the -DMIT option and link it with the RSAREF library rather than MPILIB. Note that RSAREF is NOT included in this distribution, so if you are a US user, it is probably easier to get a copy of the original MIT 2.6.2 release. (3) It lets you disable the "legal kludge" PGP 2.6.2 contains a "feature" that will cause it to generate keys and messages that are not readable by PGP 2.3a and earlier versions. This is the "legal kludge", and was introduced to encourage users in the USA to upgrade from PGP 2.3a. PGP 2.6.2i provides you with a way to disable the "legal kludge". This means that messages and keys generated with PGP 2.6.2i can be used and understood by all existing 2.x versions of PGP. To disable the legal kludge, uncomment the following line in your config.txt file so that it reads: legal_kludge = off This option may also be set on the command line: "pgp +le=off ". (4) It allows you to generate keys up to and including 2048 bits Because of a bug in PGP 2.6.2, this version would not let you generate keys bigger than 2047 bits on some platforms. This problem has been corrected in PGP 2.6.2i. (5) It contains a number of bug-fixes PGP 2.6.2i also fixes a number of other bugs found in PGP 2.6.2, most notably the signature bug for keys over 2034 bits, as reported by ViaCrypt. (6) It can be compiled on many new platforms PGP 2.6.2i has been modified in order to let it compile "out of the box" for such platforms as Amiga, Atari, FreeBSD, UnixWare and various flavours of VMS. It can also be compiled under MS-DOS using Borland C (MIT PGP 2.6.2 only supports Microsoft C). (7) It includes updated documentation and language files The language files for MIT PGP 2.6.2 had not been updated for a long time. This has been fixed in this version. PGP 2.6.2i comes with standard language files for French, Spanish and Norwegian. All the other text and documentation files for PGP 2.6.2i have also been brought up to date. DIFFERENCES BETWEEN PGP 2.6.2i and 2.6ui A PGP version that has been very popular among non-US users of PGP is 2.6ui. If you have been using PGP 2.6ui up to now, you should note that PGP 2.6.2i differs from this version in the following ways: (1) It is a "real" 2.6 version PGP 2.6.2i is based on the source code for PGP 2.6.2, whereas PGP 2.6ui is based on the source code for 2.3a. This means that 2.6.2i contains a lot of bug-fixes that are not present in 2.6ui, and it also adds a number of new features that are lacking in 2.6ui. These include the new PUBRING, SECRING, RANDSEED and COMMENT options in config.txt. (2) It doesn't have the version_byte option PGP 2.6ui has an option to allow you to choose which message format to use when generating keys and messages. This is the version_byte option, and can be set both in the config.txt file and on the command line: version_byte = 2 (use backwards-compatible format, default) version_byte = 3 (use new 2.6 format) In PGP 2.6.2i, the same is accomplished using the legal_kludge flag: legal_kludge = off (use backwards-compatible format) legal_kludge = on (use new 2.6 format, default) (3) It doesn't have the armor_version option PGP 2.6ui has an option to let you "forge" the version number in the ASCII armored files produced by PGP. In PGP 2.6.2i, the armor_version option is NOT supported, as this is a feature that is heavily misused. If you must change the version number of your keys and messages, you can do so in the language.txt file instead. LEGAL STUFF PGP 2.6.2i is not approved by MIT or PRZ or NSA or the Pope or anyone else. However, it should be possible to use it legally by anyone in the free world (i.e. all countries except USA, Iraq and a few others). There are three reasons why people may claim (incorrectly) that PGP 2.6.2i is illegal: (1) It is based on source code that was illegally exported from the USA The ITAR regulations classifies cryptography in the same category as munitions, and so it is very likely that exporting PGP from the USA is considered illegal by US authorities. In the case of PGP 2.6.2i, large portions of the code were written inside the USA, and later exported to the rest of the world. However, this is not a problem, because it is the _export_ that is illegal, not the _use_ of the program. Once the software is (illegally) exported, anyone may use it legally. (I didn't export it, and I strongly recommend that you won't do it either.) As long as you make sure that you get your copy of PGP 2.6.2i from somewhere outside the USA, then you should be on the safe side. (2) It infringes the RSA patent This is not a problem either, because PGP 2.6.2i is not intended for use in the USA (which just happens to be the only country in the world where the RSA patent is valid, and still the validity of this patent is somewhat dubious). If you are inside the USA, you should obtain a copy of PGP 2.6.2 instead, or compile the source using the -DMIT option and link it with the RSAREF library, which will in fact give you a version that is identical to MIT PGP 2.6.2. (3) It violates the MIT license The second point in the MIT license for PGP 2.6.2 explicitly forbids anyone to remove the so-called "legal kludge". Still, this is exactly what PGP 2.6.2i does. However, it should be clear that this limitation only refers to the RSAREF versions of PGP. PGP 2.6.2i, on the other hand, does not use RSAREF, and so this point becomes irrelevant. If you still feel uncomfortable about this, take a look at the file przon26i.asc which is included in the distribution archive. This file contains a statement by Phil Zimmermann on PGP 2.6.i and the various "unofficial international" versions of PGP. (PGP 2.6.2i is simply a bug- fix for PGP 2.6.i, so everything that covers 2.6.i applies to 2.6.2i as well.) COMMENTS AND BUG REPORTS PGP 2.6.2i was put together by Stale Schumacher with the help of many individuals around the world (see the file diffs.doc for details). All questions regarding PGP 2.6.2i should be addressed directly to him, or to . Please note that PRZ, MIT and the University of Oslo have nothing to do with this release. Comments, bug reports and suggestions for future releases are welcome. I WANT TO KNOW MORE! If you want to find out more about PGP and encryption in general, there are a number of resources available, both on paper and in electronic form. Here are a few, to get you started: FAQs: PGP Frequently Asked Questions http://www.prairienet.org/~jalicqui/pgpfaq.txt ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt Where to Get the Latest PGP Program FAQ ftp://ftp.uu.net/usenet/news.answers/pgp-faq/where-is-PGP.Z WWW: The International PGP Home Page http://www.ifi.uio.no/~staalesc/PGP/home.html Fran Litterio's PGP Page (from the Virtual Library) http://draco.centerline.com:8080/~franl/pgp/pgp.html The Official Bug List for MIT PGP 2.6.2 http://www.mit.edu:8001/people/warlord/pgp-faq.html The Phil Zimmermann Legal Defense Fund Page http://www.netresponse.com/zldf FTP: ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/ ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp/ ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/ Newsgroups: alt.anonymous discussion of anonymity and anon remailers alt.anonymous.messages for anonymous encrypted message transfer alt.privacy.clipper Clipper, Capstone, Skipjack, Key Escrow alt.security general security discussions alt.security.index index to alt.security alt.security.pgp discussion of PGP alt.security.ripem discussion of RIPEM alt.security.keydist key distribution via Usenet alt.society.civil-liberty general civil liberties, including privacy comp.compression discussion of compression algorithms comp.org.eff.news news reports from EFF comp.org.eff.talk discussion of EFF related issues comp.patents discussion of S/W patents, including RSA comp.risks some mention of crypto and wiretapping comp.society.privacy general privacy issues comp.security.announce announcements of security holes misc.legal.computing software patents, copyrights, computer laws sci.crypt methods of data encryption/decryption sci.math general math discussion talk.politics.crypto general talk on crypto politics Books: The Official PGP User's Guide by Philip R. Zimmermann MIT Press 1995 ISBN 0-262-74017-6 216 pp. $14.95 PGP: Pretty Good Privacy by Simson Garfinkel O'Reilly & Associates 1994 ISBN 1-56592-098-8 430 pp. $24.95 Protect Your Privacy: The PGP User's Guide by William Stallings Prentice Hall PTR 1995 ISBN 0-13-185596-4 302 pp. $19.95 Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier Wiley Publishing 1994 ISBN 0-471-59756-2 E-Mail Security: How to Keep Your Electronic Mail Private by Bruce Schneier Wiley Publishing ISBN 0-471-05318-X -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBL60KZrCfd7bM70R9AQGKMAP+NMNFIZup8Mwk7lTHJDYHAxJ1Exk7xOmF WnZE28Q7by2VlY7o/5eAr+mPAOuwh+jyEKBWbmNF+dpJvQ4ZRs480/GWVMRk7d9U 7pga9MCCA5Ob2cFoj0hngA10voMs6PWViFV2JkshCMMacnZVFMfkzqx7LISRwMxd /LCM+k5ovSQ= =AEW+ -----END PGP SIGNATURE-----