-----BEGIN PGP SIGNED MESSAGE-----



              Pretty Good Privacy version 2.6.3i - READ ME FIRST
                                     .
                          Notes by Stale Schumacher
                                  1996/01/18


You are looking at the README file for PGP release 2.6.3i. PGP, short for
Pretty Good Privacy, is a public key encryption package; with it, you can
secure messages you transmit against unauthorized reading and digitally sign
them so that people receiving them can be sure they come from you.


ABOUT THIS VERSION

PGP 2.6.3i is not an official PGP version. It is based on the source code for
MIT PGP 2.6.2 (the latest official version of PGP) and has been modified for
international use. PGP 2.6.3i is probably illegal to use within the USA, but
is fine in almost every other country in the world. (However, it should be
possible to compile a version of PGP that is legal even inside the USA, see
below for details.) This file only explains what is special to version 2.6.3i.
For a more thorough installation and usage guide, refer to the file setup.doc
and the documentation for PGP 2.6.2, which is included unmodified in the doc/
subdirectory that is created when you unpack the distribution archive.


BACKGROUND

Until about two years ago, there were only two "real" PGP versions around:
PGP 2.3a which was the international freeware version, and 2.4 which was a
commercial version sold in USA only. However, this situation changed
dramatically in May 1994 when MIT released a special US freeware version of
PGP (2.5), in order to put an end to the legal problems surrounding PGP.
(PGP 2.3a was believed to be illegal in USA because of patent restrictions.)
The new version had a number of limitations to encourage Americans that were
using 2.3a to upgrade to the new version. However, these limitations resulted
in a well of new PGP versions, more or less professionally put together by
well-intending individuals who wanted a more flexible PGP than that offered
by MIT.
Suddenly, we had ten different PGP versions, not two.

Even though PGP 2.5 and later releases from MIT introduced many bug-fixes and
improvements over 2.3a, many non-US users of PGP have been reluctant to
upgrade to the new versions because they feel that the PGP developers have
abandoned the international PGP community by adding a number of restrictions
that are only necessary within the USA. That is why I decided to make PGP
2.6.i (and later 2.6.2i and 2.6.3i): to put an end to all the PGP "hack
versions" that flourish, and to give the non-US users of PGP a version that
is more "digestible" than those offered by MIT, and at the same time let them
benefit from all the improvements that the new versions have introduced over
PGP 2.3a. PGP 2.6.3i is a "real" 2.6 version, as it is based on the code tree
for PGP 2.6.2 and not 2.3a. This release fixes a number of bugs present in
PGP 2.6.2(i), and adds some new features (see below).


HOW WAS IT DONE?

PGP 2.6.3i was put together by taking all the source files from PGP 2.6.2i
(which was again based on 2.6.2), modifying them to correct a number of
annoying bugs and add some new features, and updating the accompanying text
and documentation files. All changes in the source that are not applicable
within the USA are enclosed in #ifdef's, thus enabling you to compile a PGP
version that is legal to use within the USA. This is accomplished by adding
the -DUSA option when building the program, and by linking it with the RSAREF
library (rsaglue2) rather than MPILIB (rsaglue1). For a detailed list of all
the changes between 2.6.2i and 2.6.3i, see the file pgp263i.dif that is
included with the source code distribution.


DISTRIBUTION

PGP 2.6.3i is distributed in the following files:

  pgp263i.zip      This is the MS-DOS executable release, which includes the
                   executable, support files, and basic documentation.

  pgp263ix.zip     This is a 32-bit MS-DOS compilation of PGP. If you have a
                   386 processor or better, this version will give you a
                   slightly better performance than the ordinary (16-bit)
                   MS-DOS version.

  pgp263i-os2.zip  This is the OS/2 executable with documentation and support
  (pgp263i2.zip)   files.

  pgp263is.zip     This is the source code release, which includes all the
                   source code needed to compile PGP and examples of usage.
                   It also contains all the files in pgp263i.zip except the
                   pgp.exe binary.

  pgp263is.tar.gz  This contains exactly the same files as pgp263is.zip,
                   except that they use Unix rather than MS-DOS line end
                   conventions.

  Binaries for other platforms (Amiga, Atari, Macintosh etc.) will probably
  be available soon after the official release.


DIFFERENCES BETWEEN PGP 2.6.3i AND 2.6.2

PGP 2.6.3i differs from MIT PGP 2.6.2 in the following ways:

  (1) It identifies itself as version 2.6.3i

      This is to clearly distinguish it from other PGP versions. This is
      important because users within the USA should not use PGP 2.6.3i, and
      also because script files, shells and other PGP add-ons may need to
      know exactly how your copy of PGP will behave under different
      circumstances. If you compile your copy of PGP using the -DUSA option,
      you will get a version called 2.6.3 instead.

  (2) It uses PRZ's MPILIB instead of RSAREF

      PGP 2.3a and earlier versions use a special library for all the RSA
      encryption/decryption routines, called MPILIB, and written by Philip R.
      Zimmermann (PRZ), the original author of PGP. However, starting with
      version 2.5, all official releases of PGP have been using the RSAREF
      library from RSADSI Inc, a US company that holds the patent on the RSA
      algorithm in the USA. This change was made in order to make PGP legal
      to use within the USA.

      Please observe that PGP 2.6.3i does NOT use RSAREF, but rather PRZ's
      original MPILIB library, which is functionally identical to RSAREF and
      slightly faster on most platforms. Because 2.6.3i uses MPILIB rather
      than RSAREF, this PGP version is also able to verify key signatures made
      with PGP 2.2 or earlier versions. This is not true for MIT PGP, because
      the RSAREF library only understands the new PKCS signature format
      introduced in PGP 2.3.

      The use of the MPILIB library is the main reason why PGP 2.6.3i is
      probably illegal to use within the USA. If you are in the USA, you
      should compile the source code using the -DUSA option and link it with
      the RSAREF library rather than MPILIB.

  (3) It lets you disable the "legal kludge"

      PGP 2.6.2 contains a "feature" that will cause it to generate keys and
      messages that are not readable by PGP 2.3a and earlier versions. This
      is the "legal kludge", and was introduced to encourage users in the USA
      to upgrade from PGP 2.3a.

      PGP 2.6.3i provides you with a way to disable the "legal kludge". This
      means that messages and keys generated with PGP 2.6.3i can be used and
      understood by all existing 2.x versions of PGP. To disable the legal
      kludge, uncomment the following line in your config.txt file so that it
      reads:

          legal_kludge = off

      This option may also be set on the command line: "pgp +le=off <command>".
      If you compile PGP using the -DUSA option, the legal kludge cannot be
      disabled.

  (4) It allows you to generate keys up to and including 2048 bits

      Because of a bug in PGP 2.6.2, this version would not let you generate
      keys bigger than 2047 bits on some platforms. This problem has been
      corrected in PGP 2.6.3i.

  (5) It contains a number of bug-fixes

      PGP 2.6.3i also fixes a number of other bugs found in PGP 2.6.2, most
      notably the signature bug for keys over 2034 bits, as reported by
      ViaCrypt. PGP 2.6.3i will also let you clearsign messages in 8-bit
      character sets, such as Russian, Japanese, Korean etc. Many other
      bugs have also been corrected, see pgp262i.dif and pgp263i.dif for
      details.

  (6) It contains a number of new features

      Version 2.6.3i adds some new functionality to PGP, while maintaining
      compatibility with older versions, e.g.:

      a) You may now specify additional user IDs from a separate file when
         encrypting a message to multiple recipients. This is particularly
         useful on MS-DOS systems, which impose an upper limit of 127
         characters on the command line. The command line syntax is:

           pgp -eat filename.txt user1 user2 -@moreusers.txt

         The file moreusers.txt is a normal text file with one key ID or user
         ID on each line.

      b) Userids can be automatically signed with your secret key when
         creating keys ('pgp -kg') or adding new userids ('pgp -ke'). This
         is controlled through the new AutoSign option in the configuration
         file.

      c) When extracting keys with the 'pgp -kxa' command, PGP 2.6.3i will
         label the ASCII output with a text similar to that of the 'pgp -kv'
         keyring listing.

      d) When clearsigning messages, PGP 2.6.3i will add a "Charset:" header
         to the signature block, explaining which character set was used for
         creating the signature. This will help the recipient of the message
         to select correct character conversion when verifying the signature.
         If he/she is using version 2.6.3i, PGP will automatically choose the
         correct character set, thereby eliminating a lot of "Bad signature"
         problems.

  (7) It can be compiled on many new platforms

      PGP 2.6.3i has been modified in order to let it compile "out of the box"
      for such platforms as Amiga, Atari, VMS, IBM mainframes running MVS and
      Windows NT/Windows 95. Furthermore, the Macintosh port of PGP is now
      integrated into the main source distribution. PGP 2.6.3i will also
      compile under MS-DOS using Borland C (MIT PGP 2.6.2 only supports
      Microsoft C).

  (8) It includes updated documentation and language files

      The language files for MIT PGP 2.6.2 had not been updated for a long
      time. This has been fixed in this version. PGP 2.6.3i comes with
      a combined translation file for German, French and Spanish. Additional
      language modules may be downloaded from:

          http://www.ifi.uio.no/pgp/modules.shtml
          ftp://ftp.ifi.uio.no/pub/pgp/lang/

      All the other text and documentation files for PGP 2.6.3i have also
      been brought up to date, with the exception of PRZ's original PGP
      User's Guide from PGP 2.6.2, which is included unmodified in the
      various distribution archives.

  (9) It includes additional PGP tools

      The PGP 2.6.3i source code distribution contains two new tools for use
      with PGP, called Stealth and PGPSort. Take a look in the contrib/
      subdirectory for details. The binary distributions now contain
      pre-compiled versions of PGPSort and MD5Sum.


DIFFERENCES BETWEEN PGP 2.6.3i and 2.6ui

A PGP version that has been very popular among non-US users of PGP is 2.6ui.
If you have been using PGP 2.6ui up to now, you should note that PGP 2.6.3i
differs from this version in the following ways:

  (1) It is a "real" 2.6 version

      PGP 2.6.3i is based on the source code for PGP 2.6.2, whereas PGP 2.6ui
      is based on the source code for 2.3a.
      This means that 2.6.3i contains a
      lot of bug-fixes that are not present in 2.6ui, and it also adds a
      number of new features that are lacking in 2.6ui.

  (2) It doesn't have the version_byte option

      PGP 2.6ui has an option to allow you to choose which message format to
      use when generating keys and messages. This is the version_byte option,
      and can be set both in the config.txt file and on the command line:

          version_byte = 2      (use backwards-compatible format, default)
          version_byte = 3      (use new 2.6 format)

      In PGP 2.6.3i, the same is accomplished using the legal_kludge flag:

          legal_kludge = off    (use backwards-compatible format)
          legal_kludge = on     (use new 2.6 format, default)

  (3) It doesn't have the armor_version option

      PGP 2.6ui has an option to let you "forge" the version number in the
      ASCII armored files produced by PGP. In PGP 2.6.3i, the armor_version
      option is NOT supported, as this is a feature that is heavily misused.
      If you must change the version number of your keys and messages, you can
      do so in the language.txt file instead.


LEGAL STUFF

PGP 2.6.3i is not approved by MIT or PRZ or NSA or the Pope or anyone else.
However, it should be possible to use it legally by anyone in the free world
(i.e. all countries except USA, France, Iraq and a few others). There are three
reasons why people may claim (incorrectly) that PGP 2.6.3i is illegal:

  (1) It is based on source code that was illegally exported from the USA

      The ITAR regulations classify cryptography in the same category as
      munitions, and so it is very likely that exporting PGP from the USA
      is considered illegal by US authorities. In the case of PGP 2.6.3i,
      large portions of the code were written inside the USA, and later
      exported to the rest of the world.
      However, this is not a problem,
      because it is the _export_ that is illegal, not the _use_ of the
      program. Once the software is (illegally) exported, anyone may use it
      legally. (I didn't export it, and I strongly recommend that you won't
      do it either.) As long as you make sure that you get your copy of PGP
      2.6.3i from somewhere outside the USA, then you should be on the safe
      side.

  (2) It infringes the RSA patent

      This is not a problem either, because PGP 2.6.3i is not intended for use
      in the USA (which just happens to be the only country in the world where
      the RSA patent is valid, and still the validity of this patent is
      somewhat dubious). If you are inside the USA, you should compile the
      source using the -DUSA option and link it with the RSAREF library,
      which will give you a version that identifies itself as PGP 2.6.3.

  (3) It violates the MIT license

      The second point in the MIT license for PGP 2.6.2 explicitly forbids
      anyone to remove the so-called "legal kludge". Still, this is exactly
      what PGP 2.6.3i does. However, it should be clear that this limitation
      only refers to the RSAREF versions of PGP. PGP 2.6.3i, on the other
      hand, does not use RSAREF, and so this point becomes irrelevant. If you
      still feel uncomfortable about this, take a look at the file
      przon26i.asc which is included in the distribution archive. This file
      contains a statement by Phil Zimmermann on PGP 2.6.i, the predecessor
      to PGP 2.6.3i.


COMMERCIAL USE

PGP 2.6.3i may be freely used for non-commercial purposes only. If you want
to use PGP for commercial purposes, you need to buy a separate license for
the IDEA algorithm used in PGP. IDEA licenses can be purchased from Ascom
Systec AG in Switzerland. The fee is charged on a per-user basis as
follows:

     1.. 10 users        120 SFr. per copy
    11.. 20 users         80 SFr. per copy
    21..100 users         60 SFr. per copy

For more information, contact:

    Ascom Systec AG
    IDEA Licensing
    Gewerbepark
    CH-5506 Maegenwil
    Switzerland

    Phone : +41 62 889 59 54
    Fax   : +41 62 889 59 54
    Email : idea@ascom.ch


COMMENTS AND BUG REPORTS

PGP 2.6.3i was put together by Stale Schumacher <stale@hypnotech.com> with
the help of many individuals around the world (see the file pgp263i.dif for
a list of names). All questions regarding PGP 2.6.3i should be addressed to
pgp-bugs@ifi.uio.no. Please note that PRZ, MIT and the University of Oslo have
nothing to do with this release. Comments, bug reports and suggestions for
future releases are welcome.


I WANT TO KNOW MORE!

If you want to find out more about PGP and encryption in general, there are a
number of resources available, both on paper and in electronic form. Here are
a few, to get you started:

WWW:

  The International PGP Home Page
    http://www.ifi.uio.no/pgp/
  Fran Litterio's PGP Page (from the Virtual Library)
    http://world.std.com/~franl/pgp/pgp.html
  The Official Bug List for MIT PGP 2.6.2
    http://www.mit.edu:8001/people/warlord/pgp-faq.html

FTP:

  ftp://ftp.ifi.uio.no/pub/pgp/
  ftp://ftp.ox.ac.uk/pub/crypto/pgp/
  ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP/
  ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp/

DOCs:

  http://www.ifi.uio.no/pgp/doc.shtml
  http://www.pegasus.esprit.ec.org/people/arne/pgp.html
  ftp://ftp.ifi.uio.no/pub/pgp/doc/
  ftp://ftp.rhein.de/pub/peti/

FAQs:

  PGP 2.6.3i FAQ
    http://www.ifi.uio.no/pgp/FAQ.shtml
  PGP FAQs from alt.security.pgp
    http://www.prairienet.org/~jalicqui/pgpfaq.txt
    ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.txt
  Where to Get the Latest PGP Program FAQ
    ftp://ftp.uu.net/usenet/news.answers/pgp-faq/where-is-PGP.Z

Newsgroups:

  alt.anonymous               discussion of anonymity and anon remailers
  alt.anonymous.messages      for anonymous encrypted message transfer
  alt.privacy.clipper         Clipper, Capstone, Skipjack, Key Escrow
  alt.security                general security discussions
  alt.security.index          index to alt.security
  alt.security.pgp            discussion of PGP
  alt.security.ripem          discussion of RIPEM
  alt.security.keydist        key distribution via Usenet
  alt.society.civil-liberty   general civil liberties, including privacy
  comp.compression            discussion of compression algorithms
  comp.org.eff.news           news reports from EFF
  comp.org.eff.talk           discussion of EFF related issues
  comp.patents                discussion of S/W patents, including RSA
  comp.risks                  some mention of crypto and wiretapping
  comp.society.privacy        general privacy issues
  comp.security.announce      announcements of security holes
  misc.legal.computing        software patents, copyrights, computer laws
  sci.crypt                   methods of data encryption/decryption
  sci.math                    general math discussion
  talk.politics.crypto        general talk on crypto politics

Books:

  The Official PGP User's Guide
    by Philip R. Zimmermann
    MIT Press 1995
    ISBN 0-262-74017-6
    216 pp. $14.95

  PGP: Pretty Good Privacy
    by Simson Garfinkel
    O'Reilly & Associates 1994
    ISBN 1-56592-098-8
    430 pp. $24.95

  Protect Your Privacy: The PGP User's Guide
    by William Stallings
    Prentice Hall PTR 1995
    ISBN 0-13-185596-4
    302 pp. $19.95

  Applied Cryptography: Protocols, Algorithms, and Source Code in C
    2nd Edition
    by Bruce Schneier
    John Wiley & Sons 1996
    ISBN 0-471-11709-9

  E-Mail Security with PGP and PEM: How to Keep Your Electronic Mail Private
    by Bruce Schneier
    John Wiley & Sons 1995
    ISBN 0-471-05318-X



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1

iQCVAgUBMP5+SbCfd7bM70R9AQEGvAP/TNiKcvWsaFD4Guno6FV2uBW+QWf2NZtp
wW7zcyx2850gqEPfrHeiDSP0mn22qMgjdh4UPq0t7Qd1JJlmiUbOe/x+xwzwvpaN
Ef71xdhQO6sUJtcAQSqrxBAQW7ADilAPICzZolxYaXZiENZcsFQm+5TYZ6J+MI2z
wdtvHhXqZA4=
=w1Pe
-----END PGP SIGNATURE-----
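
Added example (not part of the original README or of the PGP source): the version_byte / legal_kludge setting described above ends up as the format version byte that opens each key, signature and encrypted-key packet (2 for the backwards-compatible format, 3 for the 2.6 format), while the armor "Version:" line is only a label that, as the armor_version and language.txt remarks note, can be changed at will. The Python code below reads both from an armored block so the two can be compared; the packet layout is taken from RFC 1991, and the sample block, its zeroed body and the placeholder checksum line are constructed for illustration.

```python
import base64

# Old-format (PGP 2.x, RFC 1991) packet types whose body starts with a version byte.
VERSIONED = {1: "public-key-encrypted", 2: "signature", 5: "secret-key", 6: "public-key"}

def parse_armor(text):
    """Return (armor headers, decoded packet bytes) for one ASCII-armored block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN PGP ")
                              and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored PGP block")
    headers, i = {}, 1
    while i < len(lines) - 1 and lines[i]:      # headers end at the first blank line
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError("malformed armor header: " + lines[i])
        headers[key] = value
        i += 1
    # Base64 data lines never start with '='; the line that does is the CRC-24,
    # which this example skips rather than verifies.
    body = [l for l in lines[i + 1:-1] if l and not l.startswith("=")]
    return headers, base64.b64decode("".join(body))

def first_packet_version(data):
    """Return (packet type, version byte) of the first packet in the block."""
    if len(data) < 2 or data[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format packet")
    ptype = (data[0] >> 2) & 0x0F
    len_octets = {0: 1, 1: 2, 2: 4}.get(data[0] & 0x03)   # 3 = indeterminate length
    if ptype not in VERSIONED or len_octets is None or len(data) <= 1 + len_octets:
        raise ValueError("packet has no readable version byte")
    return ptype, data[1 + len_octets]

def describe(text):
    """Compare what the armor claims with what the packet actually contains."""
    headers, data = parse_armor(text)
    ptype, version = first_packet_version(data)
    return {
        "claimed_version": headers.get("Version"),   # unauthenticated label
        "charset": headers.get("Charset"),           # conversion hint added by 2.6.3i
        "packet": VERSIONED[ptype],
        "version_byte": version,
        "backwards_compatible": version == 2,        # format 2.3a and earlier can read
    }

def make_sample(claimed, version_byte):
    """Constructed input: a signature-packet header followed by a zeroed body."""
    packet = bytes([0x89, 0x00, 0x95, version_byte, 5, 0x01]) + bytes(146)
    b64 = base64.b64encode(packet).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = ["-----BEGIN PGP SIGNATURE-----", "Version: " + claimed, "Charset: latin1", ""]
    # "=AAAA" stands in for the CRC-24 line; it is a placeholder, not a real checksum.
    return "\n".join(head + rows + ["=AAAA", "-----END PGP SIGNATURE-----"])

if __name__ == "__main__":
    print(describe(make_sample("2.3a", 3)))     # label says 2.3a, packet is 2.6 format
    print(describe(make_sample("2.6.3i", 2)))   # what legal_kludge = off produces
```

Scripts that need to know which PGP releases can read a key or message should decide on the packet's version byte, not on the armor label.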