Info-PGP: PGP Digest Saturday 12 November 1992 Volume 2 : Number 1 Hugh Miller, List Manager / Moderator Info-PGP is a digested mailing list dedicated to discussion of Philip Zimmermann's `Pretty Good Privacy' (PGP) public-key encryption program for MS-DOS, Unix, VMS, Atari, Amiga, SPARC, Macintosh, and (hopefully) other operating systems. It is primarily intended for users on Internet sites without access to the `alt.security.pgp' newsgroup. Most submissions to alt.security.pgp will be saved to Info-PGP, as well as occasional relevant articles from sci.crypt or other newsgroups. Info-PGP will also contain mailings directed to the list address. To SUBSCRIBE to Info-PGP, please send a (polite) note to info-pgp-request@lucpul.it.luc.edu. This is not a mailserver; there is a human being on the other end, and bodiless messages with "Subject:" lines reading "SUBSCRIBE INFO-PGP" will be ignored until the sender develops manners. To SUBMIT material for posting to Info-PGP, please mail to info-pgp@lucpul.it.luc.edu. In both cases, PLEASE include your name and Internet "From:" address. Submissions will be posted pretty well as received, although the list maintainer / moderator reserves the right to omit redundant messages, trim bloated headers & .sigs, and other such minor piffle. I will not be able to acknowledge submissions, nor, I regret, will I be able to pass posts on to alt.security.pgp for those whose sites lack access. Due to U.S. export restrictions on cryptographic software, I regret that I cannot include postings containing actual source code (or compiled binaries) of same. For the time being at least I am including patches under the same ukase. I regret having to do this, but the law, howbeit unjust, is the law. If a European reader would like to handle that end of things, perhaps run a "Info-PGP-Code" digest or somesuch, maybe this little problem could be worked around. I have received a promise of some space on an anonymous-ftp'able Internet site for back issues of Info-PGP Digest. Full details as soon as they firm up. Oh, yes: ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; STANDARD DISCLAIMERS APPLY. Hugh Miller | Asst. Prof. of Philosophy | Loyola University Chicago FAX: 312-508-2292 | Voice: 312-508-2727 | hmiller@lucpul.it.luc.edu Signed PGP v.2.1 public key certificate available by e-mail & finger(1) ------------------------------------------------------------------------------- From: jcmurphy@acsu.buffalo.edu (Jeff Murphy) Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc Subject: Re: PGP v. 2.1 Released Date: 8 Dec 92 22:29:29 GMT In article <1992Dec8.172944.19370@netcom.com> strnlght@netcom.com (David Sternlight) writes: > >I don't understand the comment that "if you're living in the U.S.A. >you probably shouldn't be using it" (pgp2.1). I thought it was o.k. >for personal, educational, or research use, and only an infringement >if used commercially without permission of PKP. > >Can anyone clear this up once and for all? yes. the algorithm employed in PGP is patented, and PKP (from what I have gathered) does not have permission to use it. Therefore, it is techically illegal to use the program... hope this helps -- jcmurphy@acsu.buffalo.edu cit network installation and repair opnsmurf@ubvms.cc.buffalo.edu standard disclaimers apply. sunyab the neurotic build castles in the sky and the psychotic live in them. =-=-=-=-=-= From: dick.zeitlin%acc1bbs@ssr.com (Dick Zeitlin) Newsgroups: sci.crypt Subject: Re: Questions about US/Ca Date: 7 Dec 92 22:00:00 GMT > .: (2) Is it illegal to crypt any form of communication (like regular > .: mail) or, as above, people are just wishing it were ? RC> .Not yet according to specific statute. 47CFR 97.113(d): (Concerning amateur radio...) No station shall transmit ... messages in codes or ciphers where the intent is to obscure the meaning (except where specifically excepted elsewere (sic) in the Part); Note: I haven't found those exceptions yet... D/ * OLX 2.2 * Bring back A-N airways!! Dick.Zeitlin%acc1bbs@ssr.com =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc From: frechett@spot.Colorado.EDU (-=Runaway Daemon=-) Subject: Re: PGP v. 2.1 Released Date: Thu, 10 Dec 1992 07:53:42 GMT In article <1992Dec8.155135.385@uoft02.utoledo.edu> jsteiner@anwsun.phya.utoledo.edu (jason 'Think!' steiner) writes: >i tried assigning a key to 'pgp -fast +clearsig=on'. this works >as a file pipe, but when i try to use it in vi it hangs on asking for >my password. i know how to set my password as an environment var, >but i'd rather it prompted me each time. It is prompting.. That's why it hangs.. you just can't see the prompt. While it's hung, type in your passwd. It will not show on the screen and then give it a sec. I find it generally takes a bit longer.. Of course if you mistype it's hard to tell what it's up to.. Kill it with ^C. >jason ian =-=-=-=-=-= From: mathew Newsgroups: alt.security.pgp Subject: Re: PGP-compatible archiver released Date: Wed, 09 Dec 92 16:47:39 GMT pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes: > - Quality Postscript documentation (600K worth) Any chance of making the documentation available in some sort of document format, rather than as a printer dump file? I mean, how would you like it if I posted this article in HPGL? mathew -- Lung cancer and arteriosclerosis. For people who like to smoke. =-=-=-=-=-= Newsgroups: alt.security.pgp Subject: Re: PGP-compatible archiver released From: pgut1@cs.aukuni.ac.nz (Peter Gutmann) Date: Thu, 10 Dec 1992 12:58:12 GMT In <5TXiVB38w165w@mantis.co.uk> mathew writes: >pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes: >> - Quality Postscript documentation (600K worth) >Any chance of making the documentation available in some sort of document >format, rather than as a printer dump file? I mean, how would you like it if >I posted this article in HPGL? There's a flat ASCII file included with the source code and executables if you can't handle Postscript (that's why I put the PS docs in a seperate file - not everyone will want them. You get the ASCII docs by default, and if you want better-quality ones you can grab the PS stuff). As for the second comment, I've seen PS .sigs, so why not a posting in HPGL? Go ahead, be the first on your system to post in a fancy text format - SS 0 0 0 fC 32 0 0 50 50 0 0 45 /Times-Roman /font32 ANSIFont font 300 209 717 (If you've got it, why not flaunt it :-\)) SB EJ RS SS RS (Damn, PS smilies don't quite turn out right) Peter. -- pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz (In order of preference - one of 'ems bound to work) =-=-=-=-=-= Newsgroups: alt.security.pgp From: dbarber@crash.cts.com (David C. Barber) Subject: PGP -- drugs or security? Date: 10 Dec 92 01:31:59 GMT PGP here seems to refer to a public key cypher system, while in alt.drugs they are discussing PGP as something found in mushrooms. Is this a put-on somewhere, or do we just happen to use the same acryonim both places? Without change, *David Barber* nothing can ever get better. @}-->---- UUCP: ucsd!crash!dbarber INET: dbarber@crash.cts.com =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns From: uri@watson.ibm.com (Uri Blumenthal) Subject: Re: PGP v. 2.1 Released Date: Thu, 10 Dec 1992 17:36:45 GMT In article <1992Dec9.181918.13779@netcom.com>, strnlght@netcom.com (David Sternlight) writes: |> It is unlikely that the government would "tip off" PKP, since that |> would be an acknowledgement that they're monitoring and using traffic |> in general without a court order. I don't see how one would prove that the gov't "tipped" PKP in case it happens. How about the following scenario: 1) A scapegoat is chosen. 2) His traffic is monitored and some "cherry" is found (like using PGP :-). 3) A court order is received for some "chicken-shit" offense. 4) That offense isn't proven and therefore doesn't stick, but during the "investigation" a case of patent infringement is opened. 5) PKP sues the pants off the poor individual. 6) Go to step 1). |> It is, I believe, still illegal |> for the NSA to monitor wholly domestic traffic, and the FBI cannot |> do so without a court order showing probable cause for an individual |> monitored. Though I'm not an attorney, I speculate that the FBI could |> not get a general court order permitting monitoring of, say, domestic |> Internet mail. Theoretically your're correct. Practically - "might is right". And you can't even TELL whether your traffic is monitored... So I wouldn't stake my life/freedom on how strictly FBI/NSA/??? are observing the regulations supposedly governing them. Somewhere in PGP docs there's a nice phrase: "PGP is guerilla freeware....." Well, guerillas who announce themselves publicly. don't live long (physical law :-). Why does PGP has those ugly lines "----BEGIN PGP...." and so on? PGP-2.1 is much better than PGP-2.0. Let's make it really good now - GET RID OF THOSE BETRAYING TAGS! NOW! |> Disclaimer: Nothing in this message should be read to imply I'm using |> any system covered by PKP patents, in violation of such patents. Of course! Neither am I (:-) -- Regards, Uri. uri@watson.ibm.com ------------ =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns From: strnlght@netcom.com (David Sternlight) Subject: Re: PGP v. 2.1 Released Date: Thu, 10 Dec 1992 18:51:07 GMT I have mixed feelings about Uri's message. Until the legal status is resolved, one might wish to get rid of the PGP "tags" which are overt confirmation that one is using a public key system. On the other hand, I disagree in the sense that if unlicensed use of public key systems REALLY IS a violation of law (not "is asserted to be by PKP")--for example after a court case--then his suggestions is tantamount to publicly advocating the concealing of a legal violation, which I cannot support. If one feels PKP is over-broad in their claims, the way to deal with this is by direct resolution. If one feels PKP is legally on firm ground but thinks there "shouldn't be" patent protection for software, or some such, again the way to deal with this is by trying to get the law changed. I'm not one who supports illegal acts in the face of what one thinks is unfairness. Finally, I trust the police and intelligence agencies of our government. They are not a bunch of fascists out to get the innocent, as some messages sometimes imply, but hard-working fellow-Americans trying to do a very difficult job. Yes, there have been, and may continue to be some individual abuses, sometimes by senior people, but the way to deal with that is via strong internal and external watchdogs, and by clear definition of what is, and isn't to be permitted. Recent trials of government officials, and recent use of independent prosecutors, whatever one thinks of the substance, go a long way toward compelling caution by those who would abuse their privileged and trusted positions in the FBI and intelligence services. David =-=-=-=-=-= Newsgroups: alt.security.pgp From: res@colnet.cmhnet.org (Rob Stampfli) Subject: pgp2.1 signed announcement botched by usenet? Date: Thu, 10 Dec 1992 05:29:39 GMT I missed the official announcement of pgp2.1 which was apparently posted here several days ago, but I found a copy of it posted to alt.privacy. The message was signed by Phil with the new pgp "+clearsig=on" option. Unfortunately, Phil's concern about mailers slightly corrupting the message in innocuous ways so that it no longer matches the original, and therefore no longer has a valid signature, appears to be borne out by the posting to alt.privacy: All empty lines in that post have one space added to them. The signature only checks out when one edits the posted file and ":%s/^ $//". BTW, excellent job on the 2.1 release -- a clean compile the first time. -- Rob Stampfli rob@colnet.cmhnet.org The neat thing about standards: 614-864-9377 HAM RADIO: kd8wk@n8jyv.oh There are so many to choose from. =-=-=-=-=-= From: ujacampbe@memstvx1.memst.edu (James Campbell) Newsgroups: alt.security.pgp Subject: Re: PGP v. 2.1 Released Date: 10 Dec 92 18:44:29 -0600 In article <1992Dec10.173645.147966@watson.ibm.com>, Uri Blumenthal raves: >Somewhere in PGP docs there's a nice phrase: > > "PGP is guerilla freeware....." > >Well, guerillas who announce themselves publicly. don't >live long (physical law :-). > >Why does PGP has those ugly lines "----BEGIN PGP...." >and so on? PGP-2.1 is much better than PGP-2.0. Let's >make it really good now - GET RID OF THOSE BETRAYING >TAGS! NOW! I've seen this demand before, and didn't comment on it, but now I'll go ahead and make the obvious suggestion: If you don't want the lines -----BEGIN PGP MESSAGE-----, Version: 2.1, and -----END PGP MESSAGE---- in the messages you're transmitting, why not just strip them out and send the radix-64 stuff only? The recipient need only add that information (or, simpler still, write a short program to add it), then decrypt as usual. Considering how little PGP's developers are making off this paragon of freeware programming, it ill behooves us to DEMAND IMMEDIATE CHANGES that we can easily add ourselves, or simulate with a couple of easily-written STRIPTAG and ADDTAG programs. James Campbell, Math Sciences Department, MSU; ujacampbe@memstvx1.memst.edu =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns From: Alex.Strasheim@launchpad.unc.edu (Alex Strasheim) Subject: Re: PGP v. 2.1 Released Date: Thu, 10 Dec 1992 23:05:53 GMT I know that pgp files can be identified as pgp files (because, after all, you can always try to feed it into pgp and see if it asks you for a public key). It seems to me that this is a necessary consequence of having a key managment system, but I don't have the expertise to say for sure. What I want to know is: is identifiability a *necessary* feature of a public key system? Would it be possible to to devise a public key encryption program that would, when used to encrypt a message with someone's private key, emit a series of bytes that would appear to be essentially random? If this is possible, then people could just assume that whenever they received a seemingly random stream of bytes in the mail, that it was in fact a message that had been encrypted with their private key. If this is indeed possible, it seems to me that any attempt to require private key registration (as Prof. Denning has proposed) would be futile, because it would be impossible to prove that public key encryption had been used. Alex -- The opinions expressed are not necessarily those of the University of North Carolina at Chapel Hill, the Campus Office for Information Technology, or the Experimental Bulletin Board Service. internet: laUNChpad.unc.edu or 152.2.22.80 =-=-=-=-=-= From: yee@mipg.upenn.edu (Conway Yee) Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns Subject: Re: PGP v. 2.1 Released Date: 11 Dec 92 00:06:36 GMT >Would it be possible to to devise a public key >encryption program that would, when used to encrypt a message with >someone's private key, emit a series of bytes that would appear to be >essentially random? If a series of bytes were to be random, no message could possibly be encoded within it. The question, then becomes, is it possible that two entirely different encoding schemes would produces bytestreams which are statistically indistinguishable from each other. -- 411 Blockley Hall | Conway Yee, N2JWQ 418 Service Drive | yee@ming.mipg.upenn.edu (preferred) Philadelphia, PA 19104 | cy5@cunixa.cc.columbia.edu (forwarded to above) (215) 662-6780 | =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Re: PGP v. 2.1 Released Date: Fri, 11 Dec 1992 03:08:07 GMT uri@watson.ibm.com writes: >Somewhere in PGP docs there's a nice phrase: > > "PGP is guerilla freeware....." > >Well, guerillas who announce themselves publicly. don't >live long (physical law :-). > >Why does PGP has those ugly lines "----BEGIN PGP...." >and so on? PGP-2.1 is much better than PGP-2.0. Let's >make it really good now - GET RID OF THOSE BETRAYING >TAGS! NOW! I guess you never read the docs. Those "betraying tags" have a purpose -- they allow the system to automatically find the beginning and end of messages. You can feed mail messages into PGP without even stripping the headers. Its all very well engineered, and the feds can tell you are using PGP anyway by looking at the magic numbers in the Radix 64 text. I don't think there is any point in stripping them, since it adds no security for you and will make the program a lot more inconvenient to use. Its inconvenient enough already.... -- Perry Metzger pmetzger@shearson.com -- "They can have my RSA key when they pry it from my cold dead fingers." Libertarian Party info: Phone 1-800-682-1776, E-Mail 345-5647@mcimail.com =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns From: frechett@spot.Colorado.EDU (-=Runaway Daemon=-) Subject: Re: PGP v. 2.1 Released Date: Fri, 11 Dec 1992 07:09:17 GMT -----BEGIN PGP MESS----- Put -----BEGIN PGP etc etc.. around all your messages.. encrypted or not. I am admitting no guilt here. I simply like the way it looks. -----END PGP MESS----- ;) ian =-=-=-=-=-= Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc From: luckey@rtfm.mlb.fl.us (Jon Luckey) Subject: Re: PGP 2.1 site list Date: Thu, 10 Dec 1992 23:35:08 GMT s0rah@exnet.co.uk (R A Hollands) writes: >I've fetched pgp21.zip three times from funet and every time I end >up with a zip file that crc errors in the two doc files and the exe. >I am using pkunzip 1.1. Anyone else have this trouble? Anyone have >have a stunningly obvious solution? >TIA Richard. I've had a similar problem. I don't know why, or if there are any other solutions. But what I finally ended up doing was using a unix unzip to unzip the zip file from funet, then rezip using a -ks option. That archive I was able to unzip using PKUNZIP 1.1 on a DOS machine. For some reason, implode type compression seemed to cause crc errors sometimes, but for shrink compression seemed to work. =-=-=-=-=-= From: cme@ellisun.sw.stratus.com (Carl Ellison) Newsgroups: alt.security.pgp,alt.security,sci.crypt,talk.politics.misc,talk.politics.guns Subject: Re: PGP v. 2.1 Released Date: 10 Dec 92 17:21:52 GMT In article cburian@ux4.cso.uiuc.edu (Christopher J Burian) writes: >I was just wondering... I've heard rumors that the guvmint filters >everything going over the net. Do you suppose they look for >----BEGIN PGP * along with the usual mundane stuff? Then go after >people for patent infringement; confiscating burglary tools, a.k.a >citizens' computers..... Sounds like a good reason to switch from PGP to RIPEM. More to the point, someone should publish an interface description for PGP so that someone else can write a totally legal program which sends and receives in PGP format but uses RSAREF and its individual license. This way, those of us who would like to remain legally proper can participate in the exchange of PGP-like mail. -- -- <> -- Carl Ellison cme@sw.stratus.com -- Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783 -- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488 ***** End Info-PGP Digest ***** Downloaded From P-80 International Information Systems 304-744-2253