Pretty Good Privacy® (PGP®)

Copyright © 1998-2008, 2010, 2011 by David E. Ross


Free PGP installation, setup, and training in southern California


The problem is not that we're paranoid, it's that we're not paranoid enough.

From the signature line of someone's E-mail


It appears that the Symantec Corporation — which now owns the right to develop, distribute, and sell PGP software — no longer makes the software available as freeware to non-commercial, individual users. I have written a letter to the president of Symantec, requesting clarification of this issue.


Overview

The term PGP is actually used to mean different (but related) things, which can cause some confusion.

PGP is a method of encrypting files so that no one except intended recipients can decrypt them. This is a private-key/public-key method in which a recipient's public key is distributed freely to anyone who wants it. Using a public key, a mathematical operation is performed on the bytes in the file, changing them into meaningless characters. The public key is then useless to undo that encryption; only the recipient's private key can reverse the process. Of course, the private key is never distributed. PGP is especially useful for encrypting E-mail messages, creating the analogy to a sealed first-class envelope in transit through the U. S. Postal Service. (For reasons why an ordinary person might want to use PGP, see Key Encryption.)

Also, the owner of the private key can use it to digitally sign messages and files. Whoever has the associated public key can then check a signed message or file to authenticate that it indeed came from the purported sender and to verify its integrity (that it has not been altered). The state of California now recognizes the use of digital signatures on documents sent electronically between local governments and the state; the regulations describe PGP without actually citing this method.

I had planned to create a glossary of PGP terms. However, two excellent glossaries are found in the PDF documents installed with PGP: An Introduction to Cryptography and PGP Freeware for Windows 95, Windows 98, Windows 2000 & Windows NT: User's Guide (which is still appropriate for Windows XP).


Links

Links from this page and my related PGP pages that refer to another person, to a company, or to an organization point to this section in general and not to any specific link within the section. While I have tried to alphabetize the links, you should still scroll carefully through them to find the intended link.

There are many on-line sources of information about PGP:

Also, there are two newsgroups where PGP and related topics are discussed: alt.security.pgp and comp.security.pgp.discuss. Often, a novice to encryption can find help there in understanding this subject.


Software Availability

Distribution of PGP software from United States sources was originally restricted by the United States government to U.S. and Canadian users. However, the courts ruled that freedom of the press permitted publication of listings of the source code. The published listings were freely exported, and the resulting proliferation of PGP internationally finally caused the U.S. government to relax its restrictions on export of the software. However, while export is now legal, obtaining an export license can still be cumbersome. See Koops's survey for information on exporting PGP from the U. S. and importing PGP into other nations.

Some products from non-U.S. sources are illegal in the United States because of patent and licensing considerations. However, the patent on the RSA algorithm — the main issue blocking the import of PGP having RSA capabilities — has expired; less than a month before the expiration, RSA, Inc. declared their algorithm to be in the public domain.

Although the PGP Corporation seems to no longer provide freeware versions for individual, non-commercial use, other sources of the software are available:

Most of these can only provide versions that are no longer being maintained and have been superseded by newer, "purchaseware" versions distributed by Symantec. Care should be exercised when selecting a source. After all, if your message or data are so sensitive that they deserve encryption, you really want to know that the software you are using is reliable.

Care must also be taken when attempting to install PGP in some of the newer Windows products of Micro$oft. Command-line features might not work where DOS capabilities have been reduced. This especially impacts the use of PGP 2.6.x, which is operated entirely from a DOS command line; however, PGP 6.x also provides command-line features. At least one new Windows system does not execute AUTOEXEC.BAT when initializing; this too impacts PGP 2.6.x and also other PGP versions. Not only is PGP impacted, but other software that uses PGP may also become unusable. Tom McCune gives some details about the compatibility of various versions of Windows and PGP in several entries of his FAQ. R. J. Marquette details the differences between different versions of PGP in his PGP Interactions Page.

I have PGP 2.6.2, PGP 5.0, and PGP 8.0.3 installed under Windows XP. PGP 2.6.2 allows me to generate and process RSA keys but cannot handle DSS/DH keys. PGP 8.0.3 allows me to generate and process both RSA and DSS/DH keys. However, there is some question whether the RSA keys generated by PGP 8.0.3 are compatible with PGP 2.6.2, which is a version still in widespread use. Therefore, I use only PGP 2.6.2 for generating RSA keys. PGP 5.0 is useful for maintaining a second keyring without having to change the settings for PGP 8.0.3, which is my primary installation.


About My Keys

My public keys — both RSA (v.3) and DSS/DH — are available on public key servers and also here in my Web pages. Both for I am @ david at rossde dot com (E-mail address presented this way to avoid spam), they are identified as

Type bits      keyID      Date       
DSS  4096/1024 0xE3EFE1A7 16 Oct 2001
          Key fingerprint =  5A AA 62 0F CF E9 4A A5  94 DD 8C F4 83 71 1B 8A  E3 EF E1 A7

RSA  2047      0x073F7635 21 Nov 2005
          Key fingerprint =  0D 42 6D 58 4A 27 70 9E  23 DB 4D 1B 62 05 73 86

Each key is self-signed, which verifies that it is owned by someone who has a private key with the E-mail address I am @ david at rossde dot com. However, other verification is required to assure that I am indeed that person. (See my Signing PGP Keys regarding validity and trust and my Key-Signing Party for one method of associating a key with a person. See also the information provided by others on this topic.) Each key is also signed by its predecessor, which key was later revoked to prevent further use. The DSS/DH key (labeled merely DSS above) is also signed by the RSA key, but the RSA key is not signed by the DSS/DH key (to preserve the ability to use this key with PGP 2.6.x).

Please: If you wish to sign my RSA key, do so only with another RSA v.3 key. I reserve this key for use with PGP 2.6.x, which cannot handle DSS/DH or RSA v.4 keys or RSA v.3 keys that have DSS/DH or RSA v.4 signatures.
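The two entries in the listing above differ in what a recipient can check offline, and the following Python (an added example, not part of the original page or of any PGP product) shows the difference. It relies on the OpenPGP specification (RFC 4880) rather than on this page: a v.4 key has a 20-byte SHA-1 fingerprint whose last four bytes are the 32-bit key ID, while a v.3 RSA key has a 16-byte MD5 fingerprint and takes its key ID from the RSA modulus. The names `parse_listing` and `check_key` are hypothetical.

```python
import re

# Constructed input: the two key-listing entries shown on this page.
LISTING = """\
DSS  4096/1024 0xE3EFE1A7 16 Oct 2001
          Key fingerprint =  5A AA 62 0F CF E9 4A A5  94 DD 8C F4 83 71 1B 8A  E3 EF E1 A7
RSA  2047      0x073F7635 21 Nov 2005
          Key fingerprint =  0D 42 6D 58 4A 27 70 9E  23 DB 4D 1B 62 05 73 86
"""

KEY_LINE = re.compile(r"^(\w+)\s+([\d/]+)\s+0x([0-9A-Fa-f]{8})\s+(.+?)\s*$")
FPR_LINE = re.compile(r"^\s*Key fingerprint\s*=\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_listing(text):
    """Return one dict per key: type, bits, key_id, date, fingerprint (bytes)."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append({"type": m.group(1), "bits": m.group(2),
                         "key_id": m.group(3).upper(), "date": m.group(4),
                         "fingerprint": b""})
            continue
        m = FPR_LINE.match(line)
        if m and keys:
            keys[-1]["fingerprint"] = bytes.fromhex("".join(m.group(1).split()))
    return keys


def check_key(key):
    """Classify by fingerprint length and compare the key ID where possible."""
    fpr = key["fingerprint"]
    if len(fpr) == 20:
        # v4: SHA-1 fingerprint; the 32-bit key ID is its last four bytes.
        # A 32-bit ID is easy to collide, so still compare the full fingerprint.
        ok = fpr[-4:].hex().upper() == key["key_id"]
        return ("v4", "match" if ok else "MISMATCH")
    if len(fpr) == 16:
        # v3: MD5 fingerprint; the key ID comes from the RSA modulus instead,
        # so fingerprint and key ID must each be confirmed with the owner.
        return ("v3", "not derivable")
    return ("unknown", "bad fingerprint length")


if __name__ == "__main__":
    for k in parse_listing(LISTING):
        print(k["type"], "0x" + k["key_id"], *check_key(k))
```

A "match" result only shows that the listing is internally consistent; it does not tie the key to a person, which is the separate verification discussed above.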


Other Topics

There are many more topics relating to PGP and encryption. These are very thoroughly covered in the FAQ and the PGP user's manual. None of these topics are addressed here. These include:


Legality of PGP

The use and even possession of encryption software is restricted in some nations. In the United States, Congress occasionally debates two extremely opposite positions:

In the U. K., a bill was debated that would implement the latter. The final legislation there imposes criminal penalties for refusing to provide a private key to the police when requested.

Bert-Jaap Koops of the Netherlands (which is more permissive than the United States with respect to exporting encryption software and only slightly less permissive with respect to its use) maintains Crypto Law Survey, an excellent, up-to-date, world-wide survey of national and international laws and regulations on this subject. Koops updates this survey frequently because national and international regulations are in constant flux attempting to keep up with both technical developments and the borderless reality of the Internet. Simone van der Hof has done research on the legal status of digital signatures around the world.


No, I am not employed by the PGP Corporation; and I have no investment in that company. I promote PGP only because I like it and because it will be more useful to me when more people use it. I especially like the freeware version because it is free.


__________________________________
The term Pretty Good Privacy and its acronym PGP are registered trademarks of the PGP Corporation. The generic term is OpenPGP. If I use the term PGP in a context where it is not clear whether I mean the specific PGP product of the PGP Corporation or OpenPGP generically, please assume I mean the latter. However, please recognize that these Web pages are based on no implementation of the OpenPGP concept except various versions of the specific PGP product. Also, much of what can be said about OpenPGP applies equally to the PGP product.

