-----BEGIN PGP SIGNED MESSAGE----- NoiseNet Privacy Echo Frequently-Asked Questions 16 March 1994 'Copyleft' Rob Szarka (1:320/42) mrnoise@econs.umass.edu 1. Why this FAQ? While more than one excelent privacy-related FAQ is available on the Internet, this FAQ is intended to be posted to the NoiseNet Privacy Echo, Fidonet Public Keys Echo, & other appropriate amateur networks. I will attempt to keep it a good deal shorter than the comparable Internet versions to preserve bandwidth & allow frequent posting, while providing information of particular concern to BBS users. Please send pertinent information to me at the addresses above, or search your nodelist for 'Szarka' or 'Mr. Noise'. I can also be reached in NOISE_PRIVACY, PUBLIC_KEYS, or on my BBS at +1-203-886-1441. This document is CopyLeft 1993 by Robert Szarka. Unattributed quotations throughout are from the PGP documentation by Phil Zimmerman. The latest copy of this FAQ is available for FREQ at 1:320/42 as PFAQ. The following people have contributed to this FAQ (directly or unknowingly by posting useful information): christopher.baker@f14.n374.z1.fidonet.org rudy.crespin@f101.n265.z1.fidonet.org dt194@kanga.ins.cwru.edu (Kevin Lo) Also, a big 'thank you' to the sysops who have volunteered to be listed as sources for PGP below. 2. What is PGP? What is public-key cryptography? PGP (Pretty Good Privacy) is a free public-key cryptography program written by Phil Zimmerman. To use such a program, you must first generate a 'key pair', consisting of a 'public key' & 'secret key'. You then distribute the public key, which allows others to encrypt a message so that it can be decoded only with your secret key; the secret key, & the passphrase that you use with it, must be kept secure. The PGP documentation gives an excellent discussion of the subject, & it is recommend reading even if you're just interested & never intend to use the program. 3. Is PGP illegal? What is ViaCrypt PGP? There are two issues here: export controls & patent infringement. Technically, it is illegal to export the executable versions of PGP from the United States. The government takes the view that cryptography has military applications, & is thus a 'munition'. Never mind that the most recent versions of PGP originated in Europe & were *imported* to the U.S.; our government has never been what you could call open-minded about things like this. People are working to change this situation, & you should certainly contact your Congresscritters to support their efforts. Source code is a murkier matter. It ought to be exportable under the technical data exception to the law, but the government is currently investigating (i.e., harrassing) folks for doing so. Public Key Partners also contends that PGP violates their patent on the RSA algorithmn used as part of PGP (the text is encrypted using IDEA, but the IDEA key is then encrypted using RSA). (Note that the U.S. is the only country that allows patents on algorithms, so PGP is still legal is the rest of the world!) Zimmerman, & others, tried to obtain a license for PGP, but to no avail. In November, ViaCrypt (+1-602-944-1543) released a commercial version of PGP (at an introductory price of $100) under their license with Public Key Partners. ViaCrypt PGP is compatible with PGP & solves the legal questions for businesses & others that don't want to chance violating the law. (Note that government employees can use the RSA algorithim for official business anyway, as it was developed with tax dollars.) 4. Where do I get PGP? Is it available for (insert your OS here)? Many sysops make PGP available for FREQ using the following magic names: PGPFILES PGP/privacy/encryption filelist. PGP Current version of MSDOS PGP executables and docs. PGPSRC Current version of PGP source files. PGPALL Both MS-DOS executables and source. PGPAMIGA Amiga version of PGP. PGPATARI Atari version of PGP. PGPMAC Macintosh version of PGP. PGPOS2 OS/2 version of PGP. On Fido, the following sites have PGP available for FREQ (sites with an asterix also have it available for download on the first call): SOURCE CODE: 1:320/42; *1:102/903; 1:106/1776; 1:352/333; *1:273/937 MS-DOS EXECUTABLES: *1:102/903; *1:106/1776; 1:3607/25; 1:352/333; *1:273/937; *1:3807/110 OS/2 EXECUTABLES: 1:352/333; *1:3807/110 MAC EXECUTABLES: *1:3807/110; *1:106/1776 AMIGA EXECUTABLES: 1:352/333; 1:374/14; *1:106/1776 ATARI EXECUTABLES: *1:3807/110; *1:106/1776 On Internet, the best place to start is the cypherpunks FTP site at soda.berkeley.edu. 5. Where do I get public keys? Those on Fidonet should pick up the PKEY_DROP echo, intended for the posting of public keys. In addition, many sysops make public keys available via FREQ using the following magic names: PGPKEY The sysop's PGP public key. (Make the filename distinctive with your node number or name.) KEYRING Complete public keyring. (Make the filename similarly distinctive.) PEMKEY PEM public-key PEMRING PEM public-keyring You may FREQ KEYRING from 1:320/42 for a large collection of public keys, including many from the Internet key servers. Those with HST may wish to FREQ INETKRNG.ARJ from 1:376/74 or 1:376/76 for a complete Internet keyring current to December 1993. Several keyservers are available via Internet, including the following: pgp-public-keys@demon.co.uk pgp-public-keys@sw.oz.au pgp-public-keys@dsi.unimi.it pgp-public-keys@kiae.su pgp-public-keys@fbihh.informatik.uni-hamburg.de pgp-public-keys@pgp.ox.ac.uk public-key-server@martigney.ai.mit.edu If you don't know how to use a key server, send email to a server with the subject 'HELP'. 6. How do I clearsign a message with PGP? Remember that *second* doc file? ;-) Here's the relevant portion of the docs: To enable this feature, set CLEARSIG=ON, and set ARMOR=ON (or use the -a option), and set TEXTMODE=ON (or use the -t option). For example, you can set CLEARSIG directly from the command line: pgp -sta +clearsig=on message.txt 7. I want to put my public key ring up for freq, but I don't want my trust parameters available to anyone else. What's the easiest way to extract all the keys on my keyring? There is an undocumented feature in PGP for doing a wholesale extraction using the * parameter: pgp -kxa * publicringfilename will extract all the keys you've collected to an ASCII output file. Such output does not contain anything but keys and signatures. (Remember: a large file like this may get split into chunks if ArmorLines is different from zero in your config.) Leave the -a off, of course, if you don't want ASCII encoding. 8. How do I view the 'fingerprint' of a public key? Again, from volume 1 of the PGP documentation: To view the "fingerprint" of a public key, to help verify it over the telephone with its owner: pgp -kvc [userid] [keyring] 9. How can I help the cause? Phil Zimmerman has not yet been sued or charged with a crime, but there's no telling what will happen tommorrow--sooner or later this thing has got to come to a head. The Electronic Frontier Foundation has already stepped forward to provide moral & financial support, and you can do your part by mailing a contribution to Zimmerman's lawyer for his defense: Philip Dubois, Esq. 2305 Broadway Boulder, CO 80304 +1-303-444-3885 Zimmerman, & the others who have stepped forward to help with PGP's development over the years, have done us a great service. They deserve our support. One idea that I'm trying here at Sea of Noise is to earmark 10% of contributions to the BBS for Zimmerman's defense; I hope other sysops will join me. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLYa66VMuzCoJtKg7AQHe4QQAl6cY2r0QlihwT4UyfE9ZUlfzNXzHaDls XQ6cuJlsUIAWhkgRmjcrKGsIp/XVlmkz2MqoO5q+uD9Pm5oRNWKpnmfd86PzutKp Cj7E17uvYdLfqsAV6qF7peNccs4UcHvZOMwJ7uEpPO4GFSD/RxKNO1dBp0K+/SjP CQjSKWqC/Y4= =DjR8 -----END PGP SIGNATURE-----