1-----BEGIN PGP SIGNED MESSAGE----- 2 3To: PGP users 4From: Philip Zimmermann 5 6I have received a many inquiries concerning the status of the various 7"international versions" of PGP(tm), called PGP 2.6ui, PGP 2.6.i, etc. 8There are, as many people know, serious restrictions placed on my 9statements by my lawyers, as a consequence of an ongoing criminal 10investigation by agencies of the United States Government. I have 11reviewed copies of the public distributions of these "versions" of PGP, 12and I have some observations to make. 13 14The US Government regards any unlicensed exportation of PGP from the 15USA as at least potentially in violation of its own regulations 16governing the export of cryptographic tenchnology. MIT and I took all 17reasonable steps to prevent such export of PGP. None of the current 18"international versions" of PGP is an official product of myself or 19Phil's Pretty Good Software. While I personally regard the application 20of export restrictions to software such as PGP as unjustifiable and 21harmful to the interests of both the US Government and its citizens, I 22do not condone violations of US export law, and I deplore the 23activities of those who illegally exported any version of PGP developed 24in the USA. Along with my lawyers, MIT, and others, I am implementing 25a plan of action that we hope will make PGP legally available 26throughout the world, for both commercial and non-commercial users who 27are interested in strong data encryption. 28 29The unofficial variant of PGP named PGP 2.6.i by its developers 30replaces RSAREF routines with other code implementing RSA-related 31algorithms. I am very familiar with that code, and while I tried to 32make PGP use RSAREF in a manner that did not suffer a performance 33penalty, I believe that these other subroutines are at least as 34efficient, as well as being functionally identical for PGP's purposes. 35Since the RSA patent does not exist outside the USA, it seems 36reasonable to not encumber European users with the RSAREF subroutine 37library and its own additional copyright restrictions (but there's no 38reason for people in the US to use PGP 2.6.i, and I urge them not to, 39because that version is not licensed by RSA). PGP 2.6.i also 40implements some bug fixes which are appropriate for the correction of 41errors in the official PGP 2.6.1 distributed by MIT; many of those bug 42fixes, or their precise functional equivalent, appear along with other 43bug fixes in PGP 2.6.2, planned for distribution by MIT on 24 October 441994. PGP 2.6.i also includes some minor functional enhancements -- 45including recognition (and beginning in December 94, generation) of 46keys up to 2048 bits in length--that are consistent with planned future 47development of the official PGP freeware product. Based on my own 48review of the publicly-distributed source code, I believe that users of 49PGP 2.6.i will experience a smooth migration to future versions of PGP 50which I hope will be legally available for non-commercial and 51commercial use worldwide. The publisher of 2.6.i, Staale Schumacher in 52Norway, seems intent in supporting a version of PGP in Europe that is 53as consistent and as interoperable as possible with my own official PGP 54releases from MIT. He also seems willing to respect my copyrights, my 55trademarks, and my agenda for the future of PGP. And he tells me that 56has has carefully avoided exporting or encouraging the export of PGP 57from the US. I have no objection to him using the PGP trademark for 58the version of PGP that he has released. 59 60There will be a PGP RFC document released soon, to faciltate the 61development of PGP standards. The PGP RFC is an informational RFC, and 62is based on deployed code. After that, a standards-track RFC will 63likely be started on in an IETF working group, reflecting the new 64formats of PGP 3.0. This will stabilize PGP formats and facilitate 65other implementations that interoperate. 66 67I am continuing, along with other programmers dedicated to the 68improvement of public-key encryption for the masses, to develop PGP. 69Along with my lawyers, I am gradually implementing a plan of action 70that we hope will make such improved versions of PGP available both 71inside and outside the US, in full compliance with all applicable laws, 72including US technology export restrictions. Because of those 73restrictions, it would be ill-advised for me to participate in 74cross-border development of PGP at this time. PGP's home is in the US, 75at least for now. I cannot discuss, until the US Government alters its 76policies concerning export controls on cryptographic software, such 77cross-border development. I have read and regretted numerous Usenet 78news posts speculating on my abandonment of PGP users outside the US. 79Please be assured that this is not the case. A great deal of effort 80has been and will continue to be expended on serving the entire 81worldwide community of users in a lawful fashion. I want to thank all 82the users across the globe who have supported PGP, and me. Although I 83think these restrictions on our right to free expression of our 84technical ideas are at odds with the US Bill of Rights, I deplore the 85actions of those who have illegally evaded those restrictions by 86exporting PGP. I am doing everything I can to make strong data 87security available to everyone in the world, freely and legally. I 88hope all of you who believe in that goal will continue to support PGP. 89 90 -Philip Zimmermann 91 prz@acm.org 92 93 94-----BEGIN PGP SIGNATURE----- 95Version: 2.6 96 97iQCVAwUBLqf+fmV5hLjHqWbdAQHo/gP8CXX9APCu7Xj4v4e/hqsyXI0qAOF734ID 983cEPCxEoGe97r8LQ51jM0iwf6eyz9tr24aNdToggX2P3neDKd6LwwPxu+kDceLut 99Mmd4tK1Qj5kkWx/cjhNGamv/kD9IQyokvlCqXetGLhld0GNfO+FZyuWs583LC4gK 100x+5ZbxGdi2w= 101=uks5 102-----END PGP SIGNATURE----- 103