PGP: Pretty Good Privacy

PGP stands for Pretty Good Privacy. It gives you the ability to encrypt messages that can only be read by another PGP user, decrypt messages that are intended for you, authenticate messages from others, or apply a digital signature to your message so that the recipient can be assured that you and only you sent that message, and that it arrived untampered-with. These pages are being written to help introduce dc.sage members and others to PGP. These pages are under continuous revision. Please send any comments or suggestions to Rob Jenson.


dc.sage and PGP

dc.sage conducts PGP key signings as part of the regular monthly meeting. You must physically attend the dc.sage meeting in order to participate in the keysigning for that month.

dc.sage also maintains a keyring of PGP public keys of members, including those who have participated in past keysignings. This keyring is available in binary format or in ASCII-armored format, each with a PGP signature. Please be sure to check the PGP signature of the keyring that you download before you add it to your personal keyring.

Where to get PGP

There are several versions of the FAQ on where to get PGP. Each contains the same data but is formatted differently. The FAQ maintainer is Peter Herngaard (pethern@datashopper.dk) and any comments about the content should go to him.

Finding Keys and Propagating Yours

If you are looking for someone's PGP public key, the second-best place to get it is from one of the public keyservers closest to where in the world you are. This is also the place to submit your key so that others on the Internet can send you encrypted messages and verify your signed messages.

The best way to get a public key is from the individual in person. You should verify that the key belongs to that individual by checking their key fingerprint against the key that you receive. Key fingerprints should be exchanged in person, over the telephone, or in some other manner where physical identity can be assured (i.e., not via e-mail). The process in which key fingerprints are exchanged so that individuals may sign each other's keys is called a keysigning. By participating in keysignings, you will acquire PGP keys that you can be 100% certain belong to the individuals who use them, and you can offer this same assurance to anyone who acquires your key.
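An added example, not part of the original page: computing a key's fingerprint from the key material you received and comparing it with the fingerprint exchanged in person. It assumes RSA keys and the fingerprint definitions in RFC 4880 (MD5 for old-format keys, SHA-1 for v4 keys); the function names and sample key values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi_body(n: int) -> bytes:
    """Big-endian bytes of an integer (the body of an OpenPGP MPI)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def mpi(n: int) -> bytes:
    """Full MPI: two-octet bit count followed by the body."""
    return struct.pack(">H", n.bit_length()) + mpi_body(n)

def v3_fingerprint(n: int, e: int) -> str:
    """Old-format RSA key: MD5 over the MPI bodies of n, then e."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def v4_fingerprint(created: int, n: int, e: int) -> str:
    """v4 RSA key: SHA-1 over 0x99, two-octet length, public-key packet body."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    header = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(header + body).hexdigest().upper()

def normalize(fpr: str) -> str:
    """Strip spacing and case; refuse anything that is not a full fingerprint."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) not in (32, 40) or set(cleaned) - set("0123456789ABCDEF"):
        raise ValueError("not a full 128-bit or 160-bit fingerprint")
    return cleaned

def fingerprints_match(from_key: str, exchanged_in_person: str) -> bool:
    """True only if every hex digit of both full fingerprints agrees."""
    return hmac.compare_digest(normalize(from_key),
                               normalize(exchanged_in_person))

# Constructed sample key material (toy-sized modulus, not a usable key).
SAMPLE_N = 0xC5A3F1D7 * 0xE9B2407B
SAMPLE_E = 65537
SAMPLE_CREATED = 875967927  # constructed creation timestamp

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    # The same fingerprint as it might be read out: grouped, lower case.
    read_aloud = " ".join(fpr[i:i + 4] for i in range(0, 40, 4)).lower()
    print(fpr, fingerprints_match(fpr, read_aloud))
```

A shortened value such as an 8-digit key ID is rejected rather than compared, because only the full fingerprint ties the key you received to the person who read it to you.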

Participating in keysignings is another good way to gather signatures on your key and have yours signed by others. In addition to the monthly dc.sage keysigning, there are other groups that have set up formal procedures to sign your key:

Reference Books on PGP

An excellent reference on PGP is PGP: Pretty Good Privacy by Simson Garfinkel. This is a good starting place if you want to read the book. Phil Zimmermann also wrote a lengthy "User's Guide to PGP", which is included with the PGP distribution. You will have this available to you as soon as you download the software. You can also buy a bound copy from MIT Press.

Other Useful Web Pages about PGP

Newsgroups and Mailing Lists about PGP

Legality

There have been numerous arguments about the legality of PGP in the past, due to patents and copyrights and other things that keep lawyers employed and sysadmins frustrated. The current situation is as follows: If you plan to use PGP for commercial purposes, you must buy it from ViaCrypt. If you plan to use it for non-commercial purposes, you can obtain it here. You will have to attest to the fact that you are in the U.S.A. or Canada, and that you are a citizen of the U.S.A. or Canada. If you are overseas, you will want to check out the above-mentioned FAQ.

PGP, like all usable encryption programs, is regulated by numerous U.S. laws involving munitions (can you kill with a code?!?). You can't export the program, or put it on your anonymous FTP site, or anything fun like that, without making some sort of guarantees that it won't get into the hands of foreigners. This is not the same thing as sending a PGP-encrypted message overseas. You can send and receive signed and encrypted messages anywhere in the world unless that particular country has restrictions on its citizens using cryptography. Please be sure that your recipient is not in a country that may interpret your sending of encrypted messages as an illegal act. The legal status of encryption in many countries is available at http://cwis.kub.nl//~frw/people/koops/lawsurvy.htm.


Thanks to: Ken Mayer for his contribution of the references.




Author: Rob Jenson
Last Revised: $Date: 1997/10/04 12:25:27 $ $Revision: 1.4 $
dc.sage gratefully acknowledges the sponsorship of Heller Information Services for this and other Internet services.
This document is © copyright 1996, 1997 Robert B. Jenson. All Rights to use of and reproduction of the content is granted freely to all members of dc.sage. All other rights reserved.
These pages maintained by: Rob Jenson.