home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1994 March
/
Internet Info CD-ROM (Walnut Creek) (March 1994).iso
/
answers
/
alt
/
pgp-faq
/
part2
< prev
next >
Wrap
Text File
|
1994-04-17
|
45KB
|
1,157 lines
Newsgroups: alt.security.pgp,alt.answers,news.answers
Path: bloom-beacon.mit.edu!hookup!swrinde!ihnp4.ucsd.edu!library.ucla.edu!csulb.edu!csus.edu!netcom.com!gbe
From: gbe@netcom.com (Gary Edstrom)
Subject: alt.security.pgp FAQ (Part 2/5)
Message-ID: <gbe94Apr1717400205@netcom.com>
Followup-To: poster
Summary: Frequently Asked Questions (FAQ) for alt.security.pgp
Keywords: pgp privacy security encryption RSA IDEA MD5
Supersedes: <gbe94Mar1310030204@netcom.com>
Reply-To: gbe@netcom.com (Gary Edstrom)
Organization: Sequoia Software
X-Newsreader: TIN [version 1.2 PL1]
References: <gbe94Apr1717400105@netcom.com>
Date: Mon, 18 Apr 1994 00:51:06 GMT
Approved: news-answers-request@mit.edu
Expires: Sun, 31 Jul 1994 07:00:00 GMT
Lines: 1137
Xref: bloom-beacon.mit.edu alt.security.pgp:11405 alt.answers:2463 news.answers:18188
Archive-name: pgp-faq/part2
Version: 9
Last-modified: 1994/4/17
-----BEGIN PGP SIGNED MESSAGE-----
willing to go to great lengths to compromise your mail. Look at the
amount of work that has been put into some of the virus programs that
have found their way into various computer systems. Even when it
doesn't involve money, some people are obsessed with breaking into
systems. Just about week ago, I saw a posting on alt.security.pgp
where the return address had been altered to say
"president@whitehouse.gov". In this case, the content of the message
showed that it was obviously fake, but what about some of those other
not so obvious cases.
========
4.16. Can I be forced to reveal my pass phrase in any legal
proceedings?
The following information applies only to citizens of the United
States in U.S. Courts. The laws in other countries may vary. Please
see the disclaimer at the top of part 1.
There have been several threads on Internet concerning the question of
whether or not the fifth amendment right about not being forced to
give testimony against yourself can be applied to the subject of being
forced to reveal your pass phrase. Not wanting to settle for the many
conflicting opinions of armchair lawyers on usenet, I asked for input
from individuals who were more qualified in the area. The results
were somewhat mixed. There apparently has NOT been much case history
to set precedence in this area. So if you find yourself in this
situation, you should be prepared for a long and costly legal fight on
the matter. Do you have the time and money for such a fight? Also
remember that judges have great freedom in the use of "Contempt of
Court". They might choose to lock you up until you decide to reveal
the pass phrase and it could take your lawyer some time to get you
out. (If only you just had a poor memory!)
========
5. Message Signatures
========
5.1. What is message signing?
Let's imagine that you received a letter in the mail from someone you know
named John Smith. How do you know that John was really the person who sent
you the letter and that someone else simply forged his name? With PGP, it is
possible to apply a digital signature to a message that is impossible to
forge. If you already have a trusted copy of John's public encryption key,
you can use it to check the signature on the message. It would be impossible
for anybody but John to have created the signature, since he is the only
person with access to the secret key necessary to create the signature. In
addition, if anybody has tampered with an otherwise valid message, the
digital signature will detect the fact. It protects the entire message.
========
5.2. How do I sign a message while still leaving it readable?
Sometimes you are not interested in keeping the contents of a message
secret, you only want to make sure that nobody tampers with it, and to
allow others to verify that the message is really from you. For this,
you can use clear signing. Clear signing only works on text files, it
will NOT work on binary files. The command format is:
pgp -sat +clearsig=on <filename>
The output file will contain your original unmodified text, along with
section headers and an armored PGP signature. In this case, PGP is not
required to read the file, only to verify the signature.
========
6. Key Signatures
========
6.1. What is key signing?
OK, you just got a copy of John Smith's public encryption key. How do
you know that the key really belongs to John Smith and not to some
impostor? The answer to this is key signatures. They are similar to
message signatures in that they can't be forged. Let's say that you
don't know that you have John Smith's real key. But let's say that you
DO have a trusted key from Joe Blow. Let's say that you trust Joe Blow
and that he has added his signature to John Smith's key. By inference,
you can now trust that you have a valid copy of John Smith's key. That
is what key signing is all about. This chain of trust can be carried
to several levels, such as A trusts B who trusts C who trusts D,
therefore A can trust D. You have control in the PGP configuration
file over exactly how many levels this chain of trust is allowed to
proceed. Be careful about keys that are several levels removed from
your immediate trust.
========
6.2. How do I sign a key?
- From the command prompt, execute the following command:
PGP -ks [-u userid] <keyid>
A signature will be appended to already existing on the specified key.
Next, you should extract a copy of this updated key along with its
signatures using the "-kxa" option. An armored text file will be
created. Give this file to the owner of the key so that he may
propagate the new signature to whomever he chooses.
Be very careful with your secret keyring. Never be tempted to put a
copy in somebody else's machine so you can sign their public key -
they could have modified PGP to copy your secret key and grab your
pass phrase.
It is not considered proper to send his updated key to a key server
yourself unless he has given you explicit permission to do so. After
all, he may not wish to have his key appear on a public server. By
the same token, you should expect that any key that you give out will
probably find its way onto the public key servers, even if you really
didn't want it there, since anyone having your public key can upload
it.
========
6.3. Should I sign my own key?
Yes, you should sign each personal ID on your key. This will help to
prevent anyone from placing a phony address in the ID field of the key
and possibly having your mail diverted to them. Anyone changing a
user id to your key will be unable to sign the entry, making it stand
out like a sore thumb since all of the other entries are signed. Do
this even if you are the only person signing your key. For example,
my entry in the public key ring now appears as follows if you use the
"-kvv" command:
Type bits/keyID Date User ID
pub 1024/90A9C9 1993/09/13 Gary Edstrom <gbe@netcom.com>
sig 90A9C9 Gary Edstrom <gbe@netcom.com>
Gary Edstrom <72677.564@compuserve.com>
sig 90A9C9 Gary Edstrom <gbe@netcom.com>
========
6.4. Should I sign X's key?
Signing someone's key is your indication to the world that you believe
that key to rightfully belong to that person, and that person is who
he purports to be. Other people may rely on your signature to decide
whether or not a key is valid, so you should not sign capriciously.
Some countries require respected professionals such as doctors or
engineers to endorse passport photographs as proof of identity for a
passport application - you should consider signing someone's key in
the same light. Alternatively, when you come to sign someone's key,
ask yourself if you would be prepared to swear in a court of law as to
that person's identity.
========
6.5. How do I verify someone's identity?
It all depends on how well you know them. Relatives, friends and
colleagues are easy. People you meet at conventions or key-signing
sessions require some proof like a driver's license or credit card.
========
6.6. How do I know someone hasn't sent me a bogus key to sign?
It is very easy for someone to generate a key with a false ID and send
e-mail with fraudulent headers, or for a node which routes the e-mail
to you to substitute a different key. Finger servers are harder to
tamper with, but not impossible. The problem is that while public key
exchange does not require a secure channel (eavesdropping is not a
problem) it does require a tamper-proof channel (key-substitution is a
problem).
If it is a key from someone you know well and whose voice you
recognize then it is sufficient to give them a phone call and have
them read their key's fingerprint (obtained with PGP -kvc <userid>).
If you don't know the person very well then the only recourse is to
exchange keys face-to-face and ask for some proof of identity. Don't
be tempted to put your public key disk in their machine so they can
add their key - they could maliciously replace your key at the same
time. If the user ID includes an e-mail address, verify that address
by exchanging an agreed encrypted message before signing. Don't sign
any user IDs on that key except those you have verified.
========
7. Revoking a key
========
7.1. My secret key ring has been stolen or lost, what do I do?
Assuming that you selected a good solid random pass phrase to encrypt
your secret key ring, you are probably still safe. It takes two parts
to decrypt a message, the secret key ring, and its pass phrase.
Assuming you have a backup copy of your secret key ring, you should
generate a key revocation certificate and upload the revocation to one
of the public key servers. Prior to uploading the revocation
certificate, you might add a new ID to the old key that tells what
your new key ID will be. If you don't have a backup copy of your
secret key ring, then it will be impossible to create a revocation
certificate under the present version of pgp. This is another good
reason for keeping a backup copy of your secret key ring.
========
7.2. I forgot my pass phrase. Can I create a key revocation certificate?
YOU CAN'T, since the pass phrase is required to create the
certificate! The way to avoid this dilemma is to create a key
revocation certificate at the same time that you generate your key
pair. Put the revocation certificate away in a safe place and you
will have it available should the need arise. You need to be careful
how you do this, however, or you will end up revoking the key pair
that you just generated and a revocation can't be reversed. After you
have generated your key pair initially, extract your key to an ASCII
file using the -kxa option. Next, create a key revocation certificate
and extract the revoked key to another ASCII file using the -kxa
option again. Finally, delete the revoked key from your public key
ring using the - kr option and put your non-revoked version back in
the ring using the -ka option. Save the revocation certificate on a
floppy so that you don't lose it if you crash your hard disk sometime.
========
8. Public Key Servers
========
8.1. What are the Public Key Servers?
Public Key Servers exist for the purpose of making your public key
available in a common database where everybody can have access to it
for the purpose of encrypting messages to you. While a number of key
servers exist, it is only necessary to send your key to one of them.
The key server will take care of the job of sending your key to all
other known servers. As of 1-Feb-94 there are about 3,088 keys on the
key servers.
========
8.2. What public key servers are available?
The following is a list of all of the known public key servers active
as of the publication date of this FAQ. I try to keep this list
current by requesting keys from a different server every few days on a
rotating basis. Any changes to this list should be posted to
alt.security.pgp and a copy forwarded to me for inclusion in future
releases of the alt.security.pgp FAQ.
Changes:
17-Apr-94 Updated information on pgp-public-keys@io.com
17-Apr-94 Added ftp: alex.sp.cs.cmu.edu:/links/security/pubring.pgp
13-Apr-94 Sorted these modification dates from newest to oldest.
06-Mar-94 Added information on <sled@drebes.com>
05-Mar-94 Changed FTP status on pgp-public-keys@sw.oz.au from
"Unknown" to "None".
05-Feb-94 Added pgp-public-keys@io.com plus note on finger server.
01-Feb-94 Verified that pgp-public-keys@kiae.su is still operational.
24-Jan-94 Added message announcing WWW access to public keyserver
on martigny.ai.mit.edu
24-Jan-94 Verified the existance of pgp-public-keys@sw.oz.au and
corrected its address.
21-Jan-94 Added pgp-public-keys@ext221.sra.co.jp to list.
20-Jan-94 Added pgp-public-keys@kub.nl to list.
17-Jan-94 Added pgp-public-keys@jpunix.com to key servers no longer
operational.
Internet sites:
pgp-public-keys@demon.co.uk
Mark Turner <mark@demon.co.uk>
FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp
Verified: 10-Apr-94
pgp-public-keys@fbihh.informatik.uni-hamburg.de
Vesselin V. Bontchev <bontchev@fbihh.informatik.uni-hamburg.de>
FTP: ftp.informatik.uni-hamburg.de:/pub/virus/misc/pubkring.pgp
Verified: 10-Apr-94
public-key-server@martigny.ai.mit.edu
Brian A. LaMacchia <public-key-server-request@martigny.ai.mit.edu>
FTP: None
Verified: 10-Apr-94
pgp-public-keys@pgp.ox.ac.uk
Paul Leyland <pcl@ox.ac.uk>
FTP: None
Verified: 11-Apr-94
pgp-public-keys@dsi.unimi.it
David Vincenzetti <vince@dsi.unimi.it>
FTP: ghost.dsi.unimi.it:/pub/crypt/public-keys.pgp
Verified: 10-Apr-94
pgp-public-keys@kub.nl
Teun Nijssen <teun@kub.nl>
FTP: None
Verified: 10-Apr-94
pgp-public-keys@ext221.sra.co.jp
Hironobu Suzuki <hironobu@sra.co.jp>
FTP: None
Verified: 11-Apr-94
pgp-public-keys@sw.oz.au
Jeremy Fitzhardinge <jeremy@sw.oz.au>
FTP: None
Verified: 8-Mar-94
pgp-public-keys@io.com
Sysop: pgpkeys@wasabi.io.com
FTP: wasabi.io.com:/pub/pgpkeys
NNNNNN.asc for individual keys
KV pgp -kv listing
KVV pgp -kvv listing
KXA.asc full keyring (pgp -kxa listing)
pgpkeys.tar.Z all the above (for other archive sites)
(This site does *not* hold a binary keyring)
Verified: 10-Apr-94
Server does not support "Last <n>" command
finger <userid>@wasabi.io.com - Returns all names matching <userid>
finger <keyid>@wasabi.io.com - Returns armored key matching <keyid>
finger @wasabi.io.com - Returns help for finger server
Note: site name may change at some time in the future: if wasabi.io.com
doesn't exist, try pgp.io.com ...
pgp-public-keys@kiae.su
<blaster@rd.relcom.msk.su>
FTP: Unknown
Verified: 15-Apr-94
sled@drebes.com
(See the message below on how to use this server)
Public Key Ring also available from:
ftp: alex.sp.cs.cmu.edu:/links/security/pubring.pgp
The following key servers are no longer in operation:
pgp-public-keys@junkbox.cc.iastate.edu
pgp-public-keys@toxicwaste.mit.edu
pgp-public-keys@phil.utmb.edu
pgp-public-keys@pgp.iastate.edu
pgp-public-keys@jpunix.com
BBS sites:
Unknown
===============
From: bal@zurich.ai.mit.edu (Brian A. LaMacchia)
Newsgroups: alt.security.pgp
Subject: Announcing WWW access to public keyserver on martigny.ai.mit.edu
Date: 22 Jan 94 00:19:37
Announcing a new way to access public keyservers...
The public keyserver running on martigny.ai.mit.edu may now be
accessed via a World Wide Web client with forms support (such as
Mosaic). In your favorite WWW client, open the following URL to start:
http://martigny.ai.mit.edu/~bal/pks-toplev.html
Access to keys on the server is immediate. You can also submit new
keys and/or signatures in ASCII-armored format to the server. New
keys are processed every 10 minutes (along with server requests that
arrive by e- mail).
The martigny.ai.mit.edu keyserver currently syncs directly with these
other keyservers:
pgp-public-keys@demon.co.uk
pgp-public-keys@pgp.ox.ac.uk
pgp-public-keys@ext221.sra.co.jp
pgp-public-keys@kub.nl
NOTE! This service is experimental, and has limited options at
present. I expect to be making changes to the server over the next
few weeks to make it more useful. I would appreciate any bug reports,
comments or suggestions you might have.
--Brian LaMacchia
bal@martigny.ai.mit.edu
public-key-server-request@martigny.ai.mit.edu
===============
Date: Sat, 5 Mar 1994 11:44:53 -0800
From: Stable Large Email Database <sled@drebes.com>
To: gbe@netcom.com
Subject: Sled Info
-----------------------------------
SLED : Stable Large Email Database
-----------------------------------
SLED is an attempt to provide a reasonable mechanism to maintain
and search email addresses for individuals and companies that
make up the on-line community. SLED is intended for those who
have one or more mailboxes that are generally checked on a
daily basis, and are addressable from the internet.
--- What does it provide? ---
I. Timely maintenance of current email address: Over a
period of time a person may have many different email
addresses, which come and go with the changing of jobs, internet
providers, schools, and so on. Maintenance also means
pruning the list for those who no longer interact on-line
(and are perhaps dead).
II. Realistic search parameters: Current email databases such
as whois & netfind provide a search granularity that is
useful only if you already know the person's email address.
The data set is crafted by each individual user. It can
contain entries for schools, occupations, research areas,
nick names, and so on. See note below on how this data
is kept private.
III. Protection against the enemy: SLED is intended to provide
a high quality data set which provides flexibility in
searching, but yields protection against the enemies of large
address books.
The enemy can be one of the following.
- Head Hunters/Body shops
- Anonymous and Fake user accounts
- Commercial Junk mailers
IV. A repository for PGP public keys: SLED provides an alternative
to the huge, very public "public key" rings on some of the
foreign key servers. (If you don't know what PGP is, don't
worry.) The public keys retrieved from SLED are signed by 'sled'.
A key is signed by 'sled', after the check clears, an exchange
of encrypted messages occurs, and fingerprints are compared.
SLED uses ViaCrypt PGP.
--- How? ---
It costs a few $$, and it requires the use of snail mail ( USPS )
at least once.
There are several reasons for charging a small (very small in this case)
fee for this service.
1. Authoritative ID. For your data to be included in the database
we require that you write a personal check. For the initial
sign-up, we verify that the name on the check matches the name
in the database. A signed check which clears the
banking system provides very good authentication.
A semantic note: we don't actually wait for the check to clear.
We get the check, eyeball the data, update the computer and then
send the check to the bank. If the check turns out to be bogus
we go back and zap you. (So you see, there is a way to get a
couple days of free time.)
2. By charging a small fee, we can help offset the cost of the
resources used to maintain & back up the database. With the
fee structure, no one will get rich or poor, but there is
an increased likelihood that this database will be around
for years.
3. By tacking on a few dollars to the initial fee, we hope to
discourage people who would fail to maintain their data, and
then drop out of the database, then re-join, then drop out,
then re-join.
4. Every 5 months (or so), we email an invoice (typically
for $5.00 US) for the next 5 months of service. This invoice
must be printed and sent to us, with a check, via US mail.
This procedure keeps all data reasonably current ( +/- 5 months),
which is about as good as it's going to get for such a
remote service. The point being, you can not just write
a check for $50.00 and be covered for the next
4 years.
If you have PGP, you will only be subjected to this
procedure every 10 months, as verification can be accomplished
via a signed email message.
--- Well, how much does it cost? ---
Fee to add your data to the database: $4.00 US
Fee to maintain your data: $1.00 US / per month
--- Trivia ---
- The database is meant to be hold REAL names, no aliases,
anonymous, or otherwise bogus id's.
- In order to search the database, users must themselves exist
in the database.
- The dataset you enter for yourself can never viewed as a whole.
You are encouraged to enter data for previous & current schools,
occupations & other organizations/institutions, but a match on
a single item will not reveal the others. For example, you used
to work at AT&T, and now you work for IBM. If an old friend
was trying to track you down, they might search on parts
of your First and Last Name and AT&T. If you were found, it
would only show your one line entry corresponding to AT&T.
The point being that although your data might be read as
a personal resume, it won't be shown that way. Of course
that won't stop your nosy friend from sending you email
asking where you are working now.
- People keep asking why the database doesn't have fields
for phone & address. No! That kind of data is too personal
for a large database like this. If you want someone's address,
send them email and ask for it.
- The searching criteria make it really hard to use this
database for something like head hunting or generating a
junk mail list (this is by design).
--- Interface ---
The interface is via email. This allows the database to span all
services (cis, prodigy, aol,...) which have gateways to the
internet. Also, it allows each user to craft their data with
their own editor, in a flexible time frame.
Searching the database via email, while very functional, is a bit
more kludgy than is desirable.
A searcher accessible via telnet will probably not be put on-line,
rather the next step will be a Mosaic searcher/browser.
--- How To Start ---
Send Mail to:
- sled@drebes.com subject 'info' for a (this) text
- sled@drebes.com subject 'add' to add yourself to SLED
- sled@drebes.com subject 'change' to alter your data
- sled@drebes.com subject 'search' to search the SLED
- bugs@drebes.com To report a bug.
- comments@drebes.com To send a comment that isn't quite a bug.
--- The End ---
===============
8.3. What is the syntax of the key server commands?
The remailer expects to see one of the following commands placed in the
subject field. Note that only the ADD command uses the body of the message.
- -------------------------------------------------------------
ADD Your PGP public key (key to add is body of msg) (-ka)
INDEX List all PGP keys the server knows about (-kv)
VERBOSE INDEX List all PGP keys, verbose format (-kvv)
GET Get the whole public key ring (-kxa *)
GET <userid> Get just that one key (-kxa <userid>)
MGET <userid> Get all keys which match <userid>
LAST <n> Get all keys uploaded during last <n> days
- -------------------------------------------------------------
If you wish to get the entire key ring and have access to FTP, it
would be a lot more efficient to use FTP rather than e-mail. Using
e-mail, the entire key ring can generate a many part message, which
you will have to reconstruct into a single file before adding it to
your key ring.
========
9. Bugs
========
9.1 Where should I send bug reports?
Post all of your bug reports concerning PGP to alt.security.pgp and
forward a copy to me for possible inclusion in future releases of the
FAQ. Please be aware that the authors of PGP might not acknowledge
bug reports sent directly to them. Posting them on USENET will give
them the widest possible distribution in the shortest amount of time.
The following list of bugs is limited to version 2.2 and later. For
bugs in earlier versions, refer to the documentation included with the
program.
========
9.2 Version 2.3 for DOS has a problem with clear signing messages.
Anyone using version 2.3 for DOS should upgrade to version 2.3a.
========
9.3 Version 2.2 for DOS has a problem of randomly corrupting memory,
which can (and sometimes does) make DOS trash your hard disk.
========
10. Related News Groups
alt.privacy.clipper Clipper, Capstone, Skipjack, Key Escrow
alt.security general security discussions
alt.security.index index to alt.security
alt.security.pgp discussion of PGP
alt.security.ripem discussion of RIPEM
alt.society.civil-liberty general civil liberties, including privacy
comp.compression discussion of compression algorithms
comp.org.eff.news News reports from EFF
comp.org.eff.talk discussion of EFF related issues
comp.patents discussion of S/W patents, including RSA
comp.risks some mention of crypto and wiretapping
comp.society.privacy general privacy issues
comp.security.announce announcements of security holes
misc.legal.computing software patents, copyrights, computer laws
sci.crypt methods of data encryption/decryption
sci.math general math discussion
talk.politics.crypto general talk on crypto politics
========
11. Recommended Reading
========
> The Code Breakers
The Story of Secret Writing
By David Kahn
The MacMillan Publishing Company (1968)
866 Third Avenue, New York, NY 10022
Library of Congress Catalog Card Number: 63-16109
ISBN: 0-02-560460-0
This has been the unofficial standard reference book on the history of
cryptography for the last 25 years. It covers the development of
cryptography from ancient times, up to 1967. It is interesting to read
about the cat and mouse games that governments have been playing with
each other even to this day. I have been informed by Mats Lofkvist <d87-
mal@nada.kth.se> that the book has been reissued since its original
printing. He found out about it from the 'Baker & Taylor Books'
database. I obtained my original edition from a used book store. It is
quite exhaustive in its coverage with 1164 pages. When I was serving in
the United States Navy in the early 1970's as a cryptographic repair
technician, this book was considered contraband and not welcome around my
work place, even though it was freely available at the local public
library. This was apparently because it mentioned several of the pieces
of secret cryptographic equipment that were then in use in the military.
> The following list was taken from the PGP documentation:
Dorothy Denning, "Cryptography and Data Security", Addison-Wesley,
Reading, MA 1982
Dorothy Denning, "Protecting Public Keys and Signature Keys", IEEE Computer,
Feb 1983
Martin E. Hellman, "The Mathematics of Public-Key Cryptography," Scientific
American, Aug 1979
Steven Levy, "Crypto Rebels", WIRED, May/Jun 1993, page 54. (This is a "must-
read" article on PGP and other related topics.)
Ronald Rivest, "The MD5 Message Digest Algorithm", MIT Laboratory for
Computer Science, 1991
Available from the net as RFC1321.
----------------
Also available at ghost.dsi.unimi.it and its mirror at
nic.funet.fi:/pub/crypt/ghost.dsi.unimi.iti is: IDEA_chapter.3.ZIP, a
postscript text from the IDEA designer about IDEA.
Xuejia Lai, "On the Design and Security of Block Ciphers", Institute for
Signal and Information Processing, ETH-Zentrum, Zurich, Switzerland, 1992
Xuejia Lai, James L. Massey, Sean Murphy, "Markov Ciphers and Differential
Cryptanalysis", Advances in Cryptology- EUROCRYPT'91
Philip Zimmermann, "A Proposed Standard Format for RSA Cryptosystems",
Advances in Computer Security, Vol III, edited by Rein Turn, Artech House,
1988
Bruce Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code
in C", John Wiley & Sons, 1993
Paul Wallich, "Electronic Envelopes", Scientific American, Feb 1993, page 30.
(This is an article on PGP)
========
12. General Tips
> Some BBS sysops may not permit you to place encrypted mail or files on
their boards. Just because they have PGP in their file area, that
doesn't necessarily mean they tolerate you uploading encrypted mail or
files - so *do* check first.
> Fido net mail is even more sensitive. You should only send encrypted net
mail after checking that:
a) Your sysop permits it.
b) Your recipient's sysop permits it.
c) The mail is routed through nodes whose sysops also permit it.
> Get your public key signed by as many individuals as possible. It
increases the chances of another person finding a path of trust from
himself to you.
> Don't sign someone's key just because someone else that you know has
signed it. Confirm the identity of the individual yourself. Remember,
you are putting your reputation on the line when you sign a key.
========================================================================
Appendix I - PGP add-ons and Related Programs
========================================================================
Much of this section was taken from an old FAQ supplied to me for the
development of this list. This section will hopefully grow to contain
a list of every utility that has been written. I would appreciate it
if the authors of the various utilities could send me mail about their
latest version, a description, if source code is available, and where
to get it. I will then include the information in the next release of
the FAQ.
If you have a utility, but don't know how to make it widely available,
send mail to David Vincenzetti <vince@dsi.unimi.it> who is crypto
collection maintainer at ghost.dsi.unimi.it. That ftp-site is weekly
mirrored at nic.funet.fi in area: /pub/crypt/ghost.dsi.unimi.it
========================================================================
> There are utilities in the source code for PGP. Get pgp23srcA.zip and
unpack with 'pkunzip -d pgp23srcA.zip' to get them all come up nicely
sorted in subdirectories.
========
Amiga
========
PGP Mail Integration Project
========
TITLE
PGP Mail Integration Project
VERSION
Release 1
AUTHOR
Peter Simons <simons@peti.GUN.de>
DESCRIPTION
Pretty Good(tm) Privacy (PGP), from Phil's Pretty Good Software, is a
high security cryptographic software application for MSDOS, Unix,
AmigaOS, and other computers. PGP allows people to exchange files or
messages with privacy and authentication.
All in all, PGP is a very useful and important program. However it is
a little bit...uh... overkill for the average Joe Dow to install this
rather complex package, just to encrypt his few e-mail, which are not
so private anyway. PGP comes with dozens of options, switches and
configuration possibilities, far too many to 'just install and run'.
This has prevented many potential users from using PGP for their
private mail.
This is what the PGP Mail Integration Project wants to change. In our
opinion man-kind should stay superior and leave the 'dirty-work' to the
machines. :-)) Our idea was to integrate PGP, as far as possible, into
common UUCP packages so the user needn't care starting about PGP
himself. Outgoing or incoming mail should be en-/decrypted
automatically and the software should do all the basics of controlling
PGP.
This archive contains the Amiga versions of PGPSendmail and PGPRMail,
which incorperate public key encryption into the ordinary SLIP or UUCP
setup. Full source in C and an AmigaGuide manual is included in the
distribution.
SPECIAL REQUIREMENTS
none
HOST NAME
Any Aminet host, i.e. ftp.uni-kl.de (131.246.9.95).
DIRECTORY
/pub/aminet/comm/mail/
FILE NAMES
PGPMIP.lha
PGPMIP.readme
DISTRIBUTABILITY
GNU General Public License
========
PGPAmiga-FrontEnd
========
Date: Tue, 22 Feb 94 21:10:31 +0100
From: simons@peti.gun.de
To: gbe@netcom.com
Subject: PGPAmiga-FrontEnd available
A beta version of PGPAmiga-FrontEnd is available via BMS from
peti.GUN.de. If you can't bms, just contact me via email and I will
send you an uuencoded copy. This program is a graphical front end,
controlling PGPAmiga. You can de-/encrypt., sign and much more, using
a comfortable GUI.
========
Archimedes
========
PGPwimp
========
From: Peter Gaunt
Current Version: 0.12
Where Available: ftp.demon.co.uk:/pub/archimedes
Information Updated: 21-Dec-93
A multi-tasking WIMP front-end for PGP (requires RISC OS 3). Operates on
files - it has no hooks to allow integration with mailers/newsreaders.
========
RNscripts4PGP
========
From: pla@sktb.demon.co.uk (Paul L. Allen)
Current Version: 1.1
Where Available: ftp.demon.co.uk:/pub/archimedes
Information Updated: 12-Dec-93
A collection of scripts and a small BASIC program which integrate PGP
with the ReadNews mailer/newsreader. Provides encryp, decrypt, sign
signature- check, add key.
========
DOS / MS Windows
========
AutoPGP
PGPSORT
========
From: Stale Schumacher <staalesc@ifi.uio.no>
Date: Wed, 13 Apr 1994 12:51:57 +0200
To: gbe@netcom.com
Subject: PGP utilities for FAQ
Gary,
I have a couple of PGP utilities that you may want to include in your FAQ:
APGP20B5.ZIP: AutoPGP v2.0b5: Automatic QWK email encryption with PGP
PGPSORT.ZIP : Utility to sort PGP public key rings (BP7 source included)
Both programs are for MS-DOS, and will soon be available at most ftp sites
that carry PGP. Note that AutoPGP is still in beta, and that I am interested
in beta testers.
I quote from the AutoPGP documentation:
- ------------------------------------------------------------------------
AutoPGP 2.0b5
=============
Automatic e-mail encryption with PGP
by Stale Schumacher
(C) 1993, 1994 Felix Shareware
Revised 1994/04/10
AutoPGP is a fully automatic e-mail encryption package for use with PGP
2.3a and an offline mail reader. It enables you to write encrypted
messages and read decrypted messages from within your favourite QWK mail
reader, using the highly secure and widely acclaimed Pretty Good Privacy
software package by Philip Zimmermann - the new standard in public key
encryption. AutoPGP combines the ease and comfort of reading and writing
e-mail in an offliner with the security of public key encryption. You
don't need any previous experience with PGP or any other encryption
software, as AutoPGP will handle all interfacing with PGP automatically.
If you are already familiar with the concepts of offline mail reading,
you will soon get acquainted to AutoPGP, even if you have never used PGP
before.
Features of AutoPGP 2.0 include:
* Full QWK support. You may use AutoPGP in conjunction with any offline
mail reader which conforms to the QWK/REP packet specifications.
AutoPGP also supports XBoard and Offliner, two popular Norwegian
offline readers that use the PCBoard and MBBS grab formats rather than
QWK.
* Easy installation. An intuitive, easy-to-use installation program will
configure AutoPGP correctly for the first-time user. The installation
program will automatically detect many popular offline readers, and
configure AutoPGP for use with these readers. It will also find the
correct paths to PKZIP, ARJ and PGP, set DOS environment variables and
update your AUTOEXEC.BAT file if necessary.
* Automatic, seamless operation. When correctly set up, AutoPGP will
automatically decrypt, encrypt and sign messages, verify signatures
and add new public keys to your public key ring, all with a minimum of
interaction from the user.
* Advanced functions not found in any other PGP front-end utility.
AutoPGP lets you:
+ encrypt and/or sign only part(s) of a message
+ insert your own or other users' public keys anywhere in a message
+ include PGP ASCII armoured files in a message
+ decrypt incoming messages
+ verify signatures on incoming messages
+ add new public keys found in incoming messages to your keyring
+ extract PGP ASCII armoured files from incoming messages
+ choose which public keys to use from an alphabetic list of userids
+ and much more!
- ------------------------------------------------------------------------
I have also translated PGP into Norwegian. The Norwegian language module
LANGUAGE.TXT will soon be available by ftp, or directly from me.
I can be contacted at:
email: staalesc@ifi.uio.no
www : http://www.ifi.uio.no/~staalesc
Best regards,
Stale <staalesc@ifi.uio.no>
========
HPACK79 PGP-compatible archiver
========
114243 Nov 20 07:08 garbo.uwasa.fi:/pc/arcers/hpack79.zip
146470 Dec 3 01:01 garbo.uwasa.fi:/pc/doc-soft/hpack79d.zip
511827 Dec 3 14:46 garbo.uwasa.fi:/pc/source/hpack79s.zip
667464 Dec 5 16:43 garbo.uwasa.fi:/unix/arcers/hpack79src.tar.Z
Where hpack79.zip is the MSDOS executable, hpack79d.zip is the
Postscript documentation, hpack79s.zip is the source code, and
hpack79src.tar.Z is the source code again but in tar.Z format (note
that the latter is a tiny bit more recent that hpack79s.zip and
contains changes for the NeXT). There is a (rather primitive)
Macintosh executable somewhere on garbo as well, possibly
/mac/arcers/hpack79mac.cpt. OS/2 32-bit versions of
HPACK is available for anonymous FTP from the UK. `ftp.demon.co.uk'
[158.152.1.65] in ~/pub/ibmpc/pgp
Note:
The OS/2 executables of hpack at ftp.demon.co.uk are out of date,
version 0.78. Current 0.79 executables are available at
ftp.informatik.tu-muenchen.de in
/pub/comp/os/os2/crypt/hpack79{os2,src}.zip.
HPACK is also available from:
pgut1@cs.aukuni.ac.nz
p_gutmann@cs.aukuni.ac.nz
gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz
peter@nacjack.gen.nz
peter@phlarnschlorpht.nacjack.gen.nz
(In order of preference - one of 'ems bound to work)
========
MENU.ZIP
========
Menushell for MSDOS. (Requires 4DOS or Norton's NDOS) You can
customize the menu for your own preferences. The name 'MENU' violates
file naming conventions on ftp-sites, so I guess it's hard to find
this program somewhere else. Exists at ghost.dsi.unimi.it area:
/pub/crypt/ (ask archie about 4DOS, a comand.com replacement)
========
OzPKE
========
Date: 05-Mar-94 08:48 PST
From: Don Moe [72407,1054]
Subj: Info about OzPKE for PGP/OzCIS.
Gary,
Recently I downloaded your PGPFAQ from EFFSIG on CompuServe and enjoyed
reading it.
As the author of a utility program, OzPKE, which links PGP with the OzCIS
automated access program, I would like to inform you about my program.
Here an exerpt from the documentation file:
- ----------------
"This utility program, OzPKE, works in conjunction with Steve Sneed's
automated CompuServe access program OzCIS (v2.0a) and ViaCrypt PGP program
(v2.4) to assure secure communications via electronic mail. Alternative
similar encryption programs are also supported.
"The goal is to simplify public key encryption of outgoing and decryption of
incoming messages and files passing through the CompuServe Information
System. Both direct electronic mail and forum messages as well as file
attachments are supported. OzPKE handles encryption of outgoing messages and
files as well as decryption of incoming messages and received files.
"Although the user could use whatever public-key encryption software he
chooses, provided it supports command-line operation, the recommended program
is ViaCrypt PGP system since OzPKE makes use of PGP's public keyring file and
specific features of that program.
"The program OzPKE contains no encryption or decryption algorithms or
routines and relies entirely on the external encryption software to perform
that task."
- ----------------
OzPKE is available on EFFSIG lib 15 and OZCIS lib 7. Version 1.3 was just
recently additionally uploaded EURFORUM lib 1.
========
PBBS (Scheduled for release summer 1994)
========
Public Bulletin Board System (PBBS) ver 1.0 is a privacy-oriented host
BBS application designed with the "anonymous movement's" diverse needs
in mind. PBBS is a compact application at 75K, allowing it to be run
off of a floppy disk if desired, and requires no telecommunications
experience to operate. Installation of PBBS takes about 2 minutes
flat, and is easy to set up and maintain. Don't let the size fool you
however, it packs a powerful set of Zmodem, Ymodem, and Xmodem
assembly-language protocols, supports speeds up to 57,600 bps, door
support, full ANSI-emulation, and many more features!
Public BBS is an eclectic and powerful BBS and also the first bulletin
board system designed to work with Pretty Good Privacy (PGP), the
public-key encryption program. A unique Post Office within PBBS
allows users to send each other private "postcards" or to upload and
download PGP-encrypted messages to other user's mail boxes. PBBS also
contains a comprehensive public message base with "anonymous" read,
write, and reply options. PBBS has a built in emergency self-destruct
sequence for the sysop that desires an extra level of security. The
ESD option will completely shred all PBBS- related files on disk,
assuring the sysop that his or her BBS will not be compromised in any
way. Look for Public BBS to be released on all Internet sites and
FidoNet BBS's as PBBS10.ZIP. PBBS will change the face of cyber-
fringe telecommunications forever! Questions or comments please
e-mail James Still at <still@kailua.colorado.edu>.
========
PGP-Front
========
From: Walter H. van Holst <121233@pc-lab.fbk.eur.nl>
Current Version:
Where Available: ghost.dsi.unimi.it:/pub/crypt
nic.funet.fi:/pub/crypt
Information Updated: 09-Jan-94
"PGP-Front is an interactive shell for Phill Zimmerman's Pretty Good
Privacy and is available since November 1993 on some of the biggest
FTP-sites. It features an easy to use interface for those who don't
want to learn all PGP flags by heart but still want to make use of its
versatility. The most used options of PGP are supported, including
most key-management options. An improved version is under development
and will feature support for some of the advanced options of PGP and a
lot of extra configuration options for PGP- Front itself. System
requirements for this beta-version:
- - 80286 or better (will be lifted in version 1.00)
- - MS/PC-DOS 3.11 or better
- - Enough memory to run PGP plus an extra 512 bytes for PGP-Front, thanks to
Ralph Brown.
Any feedback on this project will be appreciated,
Walter H. van Holst <121233@pc-lab.fbk.eur.nl>"
========
PGP-NG.ZIP
========
At nic.funet.fi; /pub/crypt/pgp-ng.zip. A norton Guide database for PGP ver
2.0. Easy to find info for programmers about all the functions in the source
code, and users can more easily find their subject. Is any update for the
current version planned? Ask archie about the 2 Norton guide clones that are
out on the net.
========
PGPSHELL
========
Date: 12-Jan-94
From: James Still <still@kailua.colorado.edu>
Subject: PGPShell Version 3.0
- --------------------------------------------------------------------
FOR IMMEDIATE RELEASE
- --------------------------------------------------------------------
PGPSHELL VERSION 3.0 PROGRAM RELEASE
PGPShell, a front-end DOS program for use with Philip Zimmermann's
Pretty Good Privacy (PGP) public-key encryption software, has just
been upgraded and released as version 3.0.
PGPShell incorporates easy to use, mouse-driven menus and a unique Key
Management Screen to easily display all public key ring information in
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQCVAgUBLbHXHkHZYsvlkKnJAQE1ZgP7BH7zYdMn2RNW8XLS5amusGoUbCE7M8yP
9tZ9EIS7VplEHJAluM+DYkReY5vmtBL0/bXiw8EOmk/IMK/NIqXJ9BfQOyWrYCCS
X0KZ/sdO2iq8P3gQJ2qpUrqIwlSwosT4fh7gnUFNrDpZhIZR6hSpDmS5ouiIddNV
9KRJYTjmrxk=
=gICo
-----END PGP SIGNATURE-----