
Pretty Good Privacy® (PGP®)

Copyright © 1998-2008, 2010, 2011, 2016, 2019, 2022 by David E. Ross


Free PGP installation, setup, and training in southern California


The problem is not that we're paranoid, it's that we're not paranoid enough.

From the signature line of someone's E-mail



Overview

The term PGP is actually used to mean different (but related) things, which can cause some confusion.

PGP is a method of encrypting files so that no one except intended recipients can decrypt them. This is a private-key/public-key method in which a recipient's public key is distributed freely to anyone who wants it. Using a public key, a mathematical operation is performed on the bytes in the file, changing them into meaningless characters. The public key is then useless to undo that encryption; only the recipient's private key can reverse the process. Of course, the private key is never distributed. PGP is especially useful for encrypting E-mail messages, creating the analogy to a sealed first-class envelope in transit through the U. S. Postal Service. (For reasons why an ordinary person might want to use PGP, see Key Encryption.)

Also, the owner of the private key can use it to digitally sign messages and files. Whoever has the associated public key can then check a signed message or file to authenticate that it indeed came from the purported sender and to verify its integrity (that it has not been altered). The state of California now recognizes the use of digital signatures on documents sent electronically between local governments and the state.

I had planned to create a glossary of PGP terms. However, two excellent glossaries are found in the PDF documents installed with PGP: An Introduction to Cryptography and PGP Freeware for Windows 95, Windows 98, Windows 2000 & Windows NT: User's Guide (which is still appropriate for Windows XP).


Links

Links from this page and my related PGP pages that refer to another person, to a company, or to an organization point to this section in general and not to any specific link within the section. While I have tried to alphabetize the links, you should still scroll carefully through them to find the intended link.

There are many on-line sources of information about PGP:

Also, there are two newsgroups where PGP and related topics are discussed: alt.security.pgp and comp.security.pgp.discuss. Often, a novice to encryption can find help there in understanding this subject.


Software Availability

Distribution of PGP software from United States sources was originally restricted by the United States government to U.S. and Canadian users. However, the courts ruled that freedom of the press permitted publication of listings of the source code. The published listings were freely exported, and the resulting proliferation of PGP internationally finally caused the U.S. government to relax its restrictions on export of the software. However, while export is now legal, obtaining an export license can still be cumbersome. See Koops's survey for information on exporting PGP from the U. S. and importing PGP into other nations.

Some products from non-U.S. sources are illegal in the United States because of patent and licensing considerations. However, the patent on the RSA algorithm — the main issue blocking the import of PGP having RSA capabilities — has expired; less than a month before the expiration, RSA, Inc. declared their algorithm to be in the public domain.

Although the PGP Corporation seems to no longer provide freeware versions for individual, non-commercial use, other sources of the software are available:

Most of these can only provide versions that are no longer being maintained and have been superseded by newer, "purchaseware" versions distributed by Symantec. Care should be exercised when selecting a source. After all, if your message or data are so sensitive that they deserve encryption, you really want to know that the software you are using is reliable.

Care must also be taken when attempting to install PGP in some of the newer Windows products of Micro$oft. Command-line features might not work where DOS capabilities have been reduced. This especially impacts the use of PGP 2.6.x, which is operated entirely from a DOS command line; however, PGP 6.x also provides command-line features. At least one new Windows system does not execute AUTOEXEC.BAT when initializing; this too impacts PGP 2.6.x and also other PGP versions. Not only is PGP impacted, but other software that uses PGP may also become unusable. R. J. Marquette details the differences between different versions of PGP in his PGP Interactions Page.

I have PGP 10.1.2 installed under Windows 7.


About My Keys

My public keys — both RSA (v.3) and DSS/DH — are available on public key servers and also here in my Web pages. Both are for david at rossde dot com (E-mail address presented this way to avoid spam); they are identified as

Type bits      keyID      Date       
DSS  4096/1024 0xE3EFE1A7 16 Oct 2001
          Key fingerprint =  5A AA 62 0F CF E9 4A A5  94 DD 8C F4 83 71 1B 8A  E3 EF E1 A7

RSA  2047      0x073F7635 21 Nov 2005
          Key fingerprint =  0D 42 6D 58 4A 27 70 9E  23 DB 4D 1B 62 05 73 86

Each key is self-signed, which verifies that it is owned by someone who has a private key with the E-mail address david at rossde dot com. However, other verification is required to assure that I am indeed that person. (See my Signing PGP Keys regarding validity and trust and my Key-Signing Party for one method of associating a key with a person. See also the information provided by others on this topic.) Each key is also signed by its predecessor, which key was later revoked to prevent further use. The DSS/DH key (labeled merely DSS above) is also signed by the RSA key, but the RSA key is not signed by the DSS/DH key (to preserve the ability to use this key with PGP 2.6.x).

Please: If you wish to sign my RSA key, do so only with another RSA v.3 key. I reserve this key for use with PGP 2.6.x, which cannot handle DSS/DH or RSA v.4 keys or RSA v.3 keys that have DSS/DH or RSA v.4 signatures.
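
The two fingerprints in the table above differ in length because an RSA v.3 fingerprint is a 16-byte MD5 value while a v.4 (DSS/DH) fingerprint is a 20-byte SHA-1 value whose last bytes are the key ID; a v.3 key ID comes from the RSA modulus instead and cannot be checked against the fingerprint. The following Python sketch is an added example, not part of the original page or of PGP itself, and its function names are illustrative; it checks a key obtained from a key server against the values published here.

```python
import hmac
import re

# (keyID, fingerprint) pairs copied from the key table on this page.
PUBLISHED = {
    "DSS": ("0xE3EFE1A7",
            "5A AA 62 0F CF E9 4A A5  94 DD 8C F4 83 71 1B 8A  E3 EF E1 A7"),
    "RSA": ("0x073F7635",
            "0D 42 6D 58 4A 27 70 9E  23 DB 4D 1B 62 05 73 86"),
}

def parse_hex(text):
    """Turn '5A AA 62 ...' or '0xE3EFE1A7' into raw bytes."""
    digits = re.sub(r"^0x", "", text.strip(), flags=re.I)
    digits = re.sub(r"[\s:]", "", digits)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digits):
        raise ValueError("not an even-length hex string: %r" % text)
    return bytes.fromhex(digits)

def fingerprint_kind(fp):
    """Classify by length: 16 bytes = MD5 (v3 RSA), 20 bytes = SHA-1 (v4)."""
    kinds = {16: "v3-md5", 20: "v4-sha1"}
    if len(fp) not in kinds:
        raise ValueError("unexpected fingerprint length %d" % len(fp))
    return kinds[len(fp)]

def key_id_matches(fingerprint, key_id):
    """True/False for a v4 key; None for v3, where the key ID is taken
    from the RSA modulus and is unrelated to the MD5 fingerprint."""
    fp, kid = parse_hex(fingerprint), parse_hex(key_id)
    if fingerprint_kind(fp) == "v3-md5":
        return None
    return hmac.compare_digest(fp[-len(kid):], kid)

def same_key(published, observed):
    """Compare full fingerprints. An 8-digit key ID is only 32 bits, so
    a match on the key ID alone does not identify a key."""
    return hmac.compare_digest(parse_hex(published), parse_hex(observed))

if __name__ == "__main__":
    for name, (kid, fp) in PUBLISHED.items():
        print(name, fingerprint_kind(parse_hex(fp)), key_id_matches(fp, kid))
```

Pass `same_key` the fingerprint your own PGP software displays for the downloaded key; spacing and letter case are ignored.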


Other Topics

There are many more topics relating to PGP and encryption. These are very thoroughly covered in the FAQ and the PGP user's manual. None of these topics are addressed here. These include:


Legality of PGP

The use and even possession of encryption software is restricted in some nations. In the United States, Congress occasionally debates two extremely opposite positions:

In the U. K., a bill was debated that would implement the latter. The final legislation there imposes criminal penalties for refusing to provide a private key to the police when requested.

Bert-Jaap Koops of the Netherlands (which is more permissive than the United States with respect to exporting encryption software and only slightly less permissive with respect to its use) maintains Crypto Law Survey, an excellent, up-to-date, world-wide survey of national and international laws and regulations on this subject. Koops updates this survey frequently because national and international regulations are in constant flux attempting to keep up with both technical developments and the borderless reality of the Internet.


No, I am not employed by the PGP Corporation or the Symantec Corporation (its owner); and I have no investment in either company. I promote PGP only because I like it and because it will be more useful to me when more people use it. I especially like the freeware version because it is free.

Last updated 29 January 2022

__________________________________
The term Pretty Good Privacy and its acronym PGP are registered trademarks of the PGP Corporation. The generic term is OpenPGP. If I use the term PGP in a context where it is not clear whether I mean the specific PGP product of the PGP Corporation or OpenPGP generically, please assume I mean the latter. However, please recognize that these Web pages are based on no implementation of the OpenPGP concept except various versions of the specific PGP product. Also, much of what can be said about OpenPGP applies equally to the PGP product.

