1-----BEGIN PGP SIGNED MESSAGE-----
2
3To:  PGP users
4From:  Philip Zimmermann
5
6I have received a many inquiries concerning the status of the various
7"international versions" of PGP(tm), called PGP 2.6ui, PGP 2.6.i, etc.
8There are, as many people know, serious restrictions placed on my
9statements by my lawyers, as a consequence of an ongoing criminal
10investigation by agencies of the United States Government.  I have
11reviewed copies of the public distributions of these "versions" of PGP,
12and I have some observations to make.
13
14The US Government regards any unlicensed exportation of PGP from the
15USA as at least potentially in violation of its own regulations
16governing the export of cryptographic tenchnology.  MIT and I took all
17reasonable steps to prevent such export of PGP.  None of the current
18"international versions" of PGP is an official product of myself or
19Phil's Pretty Good Software.  While I personally regard the application
20of export restrictions to software such as PGP as unjustifiable and
21harmful to the interests of both the US Government and its citizens, I
22do not condone violations of US export law, and I deplore the
23activities of those who illegally exported any version of PGP developed
24in the USA.  Along with my lawyers, MIT, and others, I am implementing
25a plan of action that we hope will make PGP legally available
26throughout the world, for both commercial and non-commercial users who
27are interested in strong data encryption.
28
29The unofficial variant of PGP named PGP 2.6.i by its developers
30replaces RSAREF routines with other code implementing RSA-related
31algorithms.  I am very familiar with that code, and while I tried to
32make PGP use RSAREF in a manner that did not suffer a performance
33penalty, I believe that these other subroutines are at least as
34efficient, as well as being functionally identical for PGP's purposes.
35Since the RSA patent does not exist outside the USA, it seems
36reasonable to not encumber European users with the RSAREF subroutine
37library and its own additional copyright restrictions (but there's no
38reason for people in the US to use PGP 2.6.i, and I urge them not to,
39because that version is not licensed by RSA).  PGP 2.6.i also
40implements some bug fixes which are appropriate for the correction of
41errors in the official PGP 2.6.1 distributed by MIT; many of those bug
42fixes, or their precise functional equivalent, appear along with other
43bug fixes in PGP 2.6.2, planned for distribution by MIT on 24 October
441994.  PGP 2.6.i also includes some minor functional enhancements --
45including recognition (and beginning in December 94, generation) of
46keys up to 2048 bits in length--that are consistent with planned future
47development of the official PGP freeware product.  Based on my own
48review of the publicly-distributed source code, I believe that users of
49PGP 2.6.i will experience a smooth migration to future versions of PGP
50which I hope will be legally available for non-commercial and
51commercial use worldwide.  The publisher of 2.6.i, Staale Schumacher in
52Norway, seems intent in supporting a version of PGP in Europe that is
53as consistent and as interoperable as possible with my own official PGP
54releases from MIT.  He also seems willing to respect my copyrights, my
55trademarks, and my agenda for the future of PGP.  And he tells me that
56has has carefully avoided exporting or encouraging the export of PGP
57from the US.  I have no objection to him using the PGP trademark for
58the version of PGP that he has released.
59
60There will be a PGP RFC document released soon, to faciltate the
61development of PGP standards.  The PGP RFC is an informational RFC, and
62is based on deployed code.  After that, a standards-track RFC will
63likely be started on in an IETF working group, reflecting the new
64formats of PGP 3.0.  This will stabilize PGP formats and facilitate
65other implementations that interoperate.
66
67I am continuing, along with other programmers dedicated to the
68improvement of public-key encryption for the masses, to develop PGP.
69Along with my lawyers, I am gradually implementing a plan of action
70that we hope will make such improved versions of PGP available both
71inside and outside the US, in full compliance with all applicable laws,
72including US technology export restrictions.  Because of those
73restrictions, it would be ill-advised for me to participate in
74cross-border development of PGP at this time.  PGP's home is in the US,
75at least for now.  I cannot discuss, until the US Government alters its
76policies concerning export controls on cryptographic software, such
77cross-border development.  I have read and regretted numerous Usenet
78news posts speculating on my abandonment of PGP users outside the US.
79Please be assured that this is not the case.  A great deal of effort
80has been and will continue to be expended on serving the entire
81worldwide community of users in a lawful fashion.  I want to thank all
82the users across the globe who have supported PGP, and me.  Although I
83think these restrictions on our right to free expression of our
84technical ideas are at odds with the US Bill of Rights, I deplore the
85actions of those who have illegally evaded those restrictions by
86exporting PGP.  I am doing everything I can to make strong data
87security available to everyone in the world, freely and legally.  I
88hope all of you who believe in that goal will continue to support PGP.
89
90 -Philip Zimmermann
91  prz@acm.org
92
93
94-----BEGIN PGP SIGNATURE-----
95Version: 2.6
96
97iQCVAwUBLqf+fmV5hLjHqWbdAQHo/gP8CXX9APCu7Xj4v4e/hqsyXI0qAOF734ID
983cEPCxEoGe97r8LQ51jM0iwf6eyz9tr24aNdToggX2P3neDKd6LwwPxu+kDceLut
99Mmd4tK1Qj5kkWx/cjhNGamv/kD9IQyokvlCqXetGLhld0GNfO+FZyuWs583LC4gK
100x+5ZbxGdi2w=
101=uks5
102-----END PGP SIGNATURE-----
103