PGP Frequently Asked Questions with Answers
Frequently Asked Questions
alt.security.pgp
25 May 1995
========================================================================
IMPORTANT DISCLAIMER!
The use of PGP raises a number of political and legal
issues. I AM NOT a lawyer and AM NOT qualified to give
any legal opinions. Nothing in this document should be
interpreted as legal advice. If you have any legal
questions concerning the use of PGP, you should consult
an attorney who specializes in patent and/or export
law. In any case, the law will vary from country to
country.
========================================================================
Introduction
This is the list of Frequently Asked Questions for the Pretty Good
Privacy (PGP) encryption program written by Phillip Zimmermann. It
is one of two FAQ lists for the newsgroup alt.security.pgp.
The other FAQ list is the "Where to Get PGP" FAQ, which is written and
maintained by Michael Paul Johnson . It covers many
topics this one does not; in particular, it contains more complete
information on sites that distribute PGP and the legal and technical
questions surrounding its distribution. You may get a current copy
from:
ftp://ftp.csn.net/mpj/getpgp.asc
This FAQ is slanted towards the DOS or Unix users of PGP and many of
the examples given may only apply to them. For other systems, I would
like to direct your attention to the following documents:
MAC: "Here's How to MacPGP!" by Xenon
Archimedes PGP comes with its own PGPhints file.
Send e-mail to pgpinfo@mantis.co.uk for a list of PGP tips.
It should be noted that most of the questions and answers concerning
PGP apply equally well to the ViaCrypt(tm) version.
Material for this FAQ has come from many different sources. It would
be difficult to name each of the contributors individually, but I
would like to thank them as a group for their assistance.
A current copy of this FAQ can be retrieved from my WWW home page:
http://www.prairienet.org/~jalicqui/pgpfaq.txt
or via FTP:
ftp://ftp.prairienet.org/pub/providers/pgp/pgpfaq.?
The ? indicates the file format: clearsigned text (txt), gzipped
version of clearsigned text (txt.gz), PGP-signed-and-compressed binary
(pgp), or ASCII armored PGP-signed-and-compressed file (asc).
The PGP FAQ is also posted to news.answers and alt.answers, and can be
found in any of the standard FAQ repositories in the three-part form
it is posted in.
Permission is granted to copy, archive, or otherwise make this FAQ
available in any way you please, with only the following restriction:
that in every place where this FAQ may be accessed, it must also be
reasonably easy for a user to access a copy of the FAQ with its PGP
signature(s) from me intact. This ensures that uncorrupted copies of
the FAQ get propagated where those who care can check them, and also
preserves attributions, etc. If you HTMLize this document, you can
tag the two links mentioned above if you want to avoid storing
multiple copies of the FAQ.
Future plans for the FAQ:
- Mac section!
- hypertexting it and making it available in various forms (LaTeX,
HTML, texinfo, or some such)
Any corrections or suggestions should be sent to me.
Jeff Licquia
jalicqui@prairienet.org
========================================================================
Table of Contents
1. Introductory Questions
1.1. What is PGP?
1.2. Why should I encrypt my mail? I'm not doing anything illegal!
1.3. What are public keys and private keys?
1.4. How much does PGP cost?
1.5. Is encryption legal?
1.6. Is PGP legal?
1.7. What's the current version of PGP?
1.8. Is there an archive site for alt.security.pgp?
1.9. Is there a commercial version of PGP available?
1.10. Is PGP available as a programming library, so I can write
programs that use it?
1.11. What platforms has PGP been ported to?
1.12. Where can I obtain PGP?
1.13. I want to find out more!
2. Very Common Questions and Problems
2.1. Why can't a person using version 2.2 read my version 2.3 message?
2.2. Why can't a person using version 2.3 read my version 2.6 message?
2.3. Why does PGP complain about checking signatures every so often?
2.4. Why does it take so long to encrypt/decrypt messages?
2.5. How do I create a secondary key file?
2.6. How does PGP handle multiple addresses?
2.7. Where can I obtain scripts to integrate pgp with my email or news
reading system?
2.8. How can I decrypt messages I've encrypted to others?
2.9. Why can't I generate a key with PGP for Unix?
2.10. When I clearsign a document in PGP, it adds a "dash-space" to
several of my lines. What gives?
3. Security Questions
3.1. How secure is PGP?
3.2. Can't you break PGP by trying all of the possible keys?
3.3. How secure is the conventional cryptography (-c) option?
3.4. Can the NSA crack RSA?
3.5. Has RSA ever been cracked publicly? What is RSA-129?
3.6. How secure is the "for your eyes only" option (-m)?
3.7. What if I forget my pass phrase?
3.8. Why do you use the term "pass phrase" instead of "password"?
3.9. What is the best way to crack PGP?
3.10. If my secret key ring is stolen, can my messages be read?
3.11. How do I choose a pass phrase?
3.12. How do I remember my pass phrase?
3.13. How do I verify that my copy of PGP has not been tampered with?
3.14. I can't verify the signature on my new copy of MIT PGP with my
old PGP 2.3a!
3.15. How do I know that there is no trap door in the program?
3.16. I heard that the NSA put a back door in MIT PGP, and that they
only allowed it to be legal with the back door.
3.17. Can I put PGP on a multi-user system like a network or a mainframe?
3.18. Can I use PGP under a "swapping" operating system like Windows
or OS/2?
3.19. Why not use RSA alone rather than a hybrid mix of IDEA, MD5, & RSA?
3.20. Aren't all of these security procedures a little paranoid?
3.21. Can I be forced to reveal my pass phrase in any legal proceedings?
4. Keys
4.1. Which key size should I use?
4.2. Why does PGP take so long to add new keys to my key ring?
4.3. How can I extract multiple keys into a single armored file?
4.4. I tried encrypting the same message to the same address two different
times and got completely different outputs. Why is this?
4.5. How do I specify which key to use when an individual has 2 or more
public keys and the very same user ID on each, or when 2 different
users have the same name?
4.6. What does the message "Unknown signator, can't be checked" mean?
4.7. How do I get PGP to display the trust parameters on a key?
4.8. How can I make my key available via finger?
5. Message Signatures
5.1. What is message signing?
5.2. How do I sign a message while still leaving it readable?
5.3. Can't you just forge a signature by copying the signature
block to another message?
5.4. Are PGP signatures legally binding?
6. Key Signatures
6.1. What is key signing?
6.2. How do I sign a key?
6.3. Should I sign my own key?
6.4. Should I sign X's key?
6.5. How do I verify someone's identity?
6.6. How do I know someone hasn't sent me a bogus key to sign?
6.7. What's a key signing party?
6.8. How do I organize a key signing party?
7. Revoking a key
7.1. My secret key ring has been stolen or lost, what do I do?
7.2. I forgot my pass phrase. Can I create a key revocation certificate?
8. Public Key Servers
8.1. What are the Public Key Servers?
8.2. What public key servers are available?
8.3. What is the syntax of the key server commands?
9. Bugs
10. Recommended Reading
11. General Tips
Appendix (I-VI)
Appendix I - PGP add-ons and Related Products
Appendix II - Glossary of Cryptographic Terms
Appendix III - Cypherpunks
Appendix IV - Testimony of Philip Zimmermann to Congress
Appendix V - Announcement of Philip Zimmermann Defense Fund
Appendix VI - A Statement from ViaCrypt Concerning ITAR