Frequently Asked Questions about PGPi

The following is a list of Frequently Asked Questions about PGPi. Comments may be sent to stale@hypnotech.com.

Last updated: 2 March 2001.


Contents

  1. International vs US version
    1.1. What is PGPi?
    1.2. Why create an international PGP version?
    1.3. Now that NAI can export PGP freely, what will happen to the PGPi project?
    1.4. What is the latest version of PGPi?
    1.5. How does PGPi differ from PGP?
    1.6. How is PGP 6i compatible with other PGP versions?
    1.7. Will there be a PGP 6 for Unix?
    1.8. So, what's the bottom line? Which version should I use?

  2. Legal issues
    2.1. What does "international" mean? Who may use it?
    2.2. Can I use PGPi for commercial purposes?
    2.3. Can I use PGP code in my own programs?
    2.4. May I redistribute PGPi?

  3. Getting it
    3.1. Where can I get a copy of PGPi?
    3.2. What email plugins exist for PGP 6.x?
    3.3. Is there a plugin for Netscape Messenger?
    3.4. Is there a PGP DLL?
    3.5. Where can I get updated language modules for PGPi?
    3.6. Where can I get PGPdisk?

  4. Installing it
    4.1. How can I check the integrity of PGPi?
    4.2. I have problems installing PGPi. What do I do?
    4.3. I can't get PGP 6.0.2i to work with Outlook Express (Internet Explorer) 5.0. What's wrong?

  5. Security issues
    5.1. Can PGP be cracked?
    5.2. Isn't PGPi the version that was weakened for export by the NSA?
    5.3. Does PGP contain a back door?
    5.4. I have heard that PGP 5 and later contain message recovery features. Is this true?
    5.5. Does PGP contain key recovery features?

  6. Miscellaneous
    6.1. How come PGP 5.5 and later were scanned so fast?
    6.2. Are there any bugs in PGPi?
    6.3. Who is responsible for PGPi?
    6.4. Where can I get support for PGPi?
    6.5. Where can I learn more about PGP?

If you have a question about PGP in general, try the comp.security.pgp FAQ.


1.1. What is PGPi?

PGPi is the international variant of PGP (Pretty Good Privacy), a public key encryption program originally written by Phil Zimmermann in 1991. Later PGP versions have been developed and distributed by MIT, ViaCrypt, PGP Inc., and now Network Associates Inc. (NAI). PGP is the de-facto standard for email encryption today, with millions of users worldwide.

The international PGP versions differ slightly from the US versions, but otherwise they are completely interoperable. See below for details.


1.2. Why create an international PGP version?

PGP was originally created inside the USA, but eventually spread to the rest of the world despite the US Export Regulations which controlled export of strong cryptography. PGP 5.0i (released in 1997) was the first PGP version that was legally available outside USA/Canada, because the program was exported as printed books and then scanned and OCRed to make the code available in electronic form.

The reasons for scanning the source and releasing a special version, called PGPi, were manifold:

  1. To make the source code available to the general public. That way anyone could look through the code for errors and hidden backdoors.
  2. To make ports to other operating systems possible: Unix, MS-DOS, OS/2, Amiga, Atari, VMS, etc.
  3. To remove any doubts about the legal status of PGP outside USA/Canada. Though most people believed that PGP was legal to use once exported, many of them still didn't feel good about using software that was at one point illegally exported.
  4. To show how stupid the US Export Regulations were, and that they were not up to date with the real world.

Thanks to the PGPi project, millions of users worldwide have got access to free, strong cryptography. In 1999, the US Government finally lifted the export controls on cryptographic software. You can read more about the PGPi project here.


1.3. Now that NAI can export PGP freely, what will happen to the PGPi project?

In September 1999 the US Government announced the relaxation of the export regulations on cryptographic software, and in December 1999 NAI obtained a worldwide export license for PGP. This means that it will probably not be necessary to scan and OCR future PGP versions, because the source code can be legally exported electronically. However, the PGPi project will still go on, focussing on development, porting, translation and localization rather than scanning. We are still devoted to giving you high-quality, free versions of PGP, including full source code.


1.4. What is the latest version of PGPi?

The latest international release of PGP for Windows 95/98/NT, MacOS and Unix is PGP 6.5.1i.

The latest US release is 7.0.3 (Windows and MacOS), and this is the version you should use if you don't care about the source code, or if you want the latest bug-fixes, as well as support for Windows 2000 and MacOS 9.

For a complete list of the latest PGP version for different platforms, look here.


1.5. How does PGPi differ from PGP?

PGPi is basically the same version as PGP, but there are some important differences:

  1. Use of RSA keys is supported (to ensure backwards compatibility with PGP 2.x).
  2. The default keyserver is in Europe, not in USA.
  3. The source code for PGPi is available for download, so that you may review the code for any errors, backdoors, etc.
  4. PGPi has been ported to several new platforms, including MS-DOS, OS/2, Amiga, Atari and various Unix variants.


1.6. How is PGP 6i compatible with other PGP versions?

PGP 6i can read and understand messages, keys and signatures created with PGP 2.0 and later. (Note, however, that the keys cannot be larger than 4096 bits. No official PGP version uses larger keys, though.)

PGP 6i can generate messages, keys and signatures that can be read and understood by PGP 2.6.x and later, as long as you only use RSA keys. PGP 6i also supports DSS/Diffie-Hellman keys, but messages encrypted using this new key type cannot be read by versions prior to 5.0.

Note, however, that PGP 6i messages cannot be understood by PGP 2.3a or earlier versions, regardless of which key type you are using.


1.7. Will there be a PGP 6 for Unix?

Yes. PGP 6.5.1i is available as a command line program, similar to the PGP 2.x series. It is currently in beta testing, and the code still needs some work before it will compile cleanly on all platforms. If you are interested you can download it here. You will need GCC and GNU make in order to compile it.


1.8. So, what's the bottom line? Which version should I use?

If you want a PGP version where the source code is available (so that you can check for errors and backdoors), you should use PGP 6.5.1i or 6.5.8. If you are using Windows or MacOS and you want the latest bug-fixes, as well as support for Windows 2000 and MacOS 9, you should use PGP 7.0.3.


2.1. What does "international" mean? Who may use it?

The 'i' in the version number stands for 'international'. It can be used by anyone who lives in any country where encryption is legal. If you're not sure whether encryption is legal in your country, check out the Crypto Law Survey.


2.2. Can I use PGPi for commercial purposes?

Yes, you can, but you must obtain a commercial use license from Network Associates Inc. or its authorized representatives. (The GNU Privacy Guard can be used for commercial purposes without any license.)

If you are located in the U.S. or Canada, go to: http://www.nai.com/.

If you are located elsewhere, go to: http://www.pgpinternational.com/.

If you wish to use a PGP-compatible product (i.e., an encryption product that may be interoperable with PGP or based upon the Open-PGP standard, but does not contain software actually owned by PGP to implement its cryptography functions), you may require additional licenses from third parties, such as from Ascom Systec AG in Switzerland if the IDEA algorithm is used in such product or from RSA Data Security, Inc. if the RSA algorithm is used in such product and the product is to be distributed in the United States.


2.3. Can I use PGP code in my own programs?

The source code for PGP 2.3a and earlier is distributed under the GPL (the GNU General Public License), so it can be used freely in your own programs.

The source code for PGP 2.6 and later may be used as a whole in unmodified form in products you write for your own non-commercial use under the terms of PGP's non-commercial source code license for PGP 5.0i. Because of license restrictions, if the IDEA algorithm is included, any modification of the code may require a further license from Ascom Systec AG (see question 2.2).

See also: PGP developer's page.


2.4. May I redistribute PGPi?

Yes. All PGPi freeware versions can be freely redistributed, as long as all the files in the distribution archive are included, and that they are not modified in any way. Specifically, you may:

* Make it available for download on a website or on an FTP server
* Include it on a CD-ROM that is distributed for free, or for a modest price to cover the media and shipping costs
* Include it on a CD-ROM that is bundled with a book or a magazine

It should also be made clear that this is a freeware version, with pointers to where you can find the latest version and the commercial version (e.g. www.pgpi.org).

The only things you can't do with the software are:

  1. Take money for it
  2. Modify it
  3. Give the impression that it cannot be obtained elsewhere for free


3.1. Where can I get a copy of PGPi?

PGPi is available both as source code and as precompiled binaries for many different platforms. You can get PGP from one of the following sources:

WWW:

http://www.pgpi.org/download/

FTP:

ftp://ftp.pgpi.org/pub/pgp/


3.2. What email plugins exist for PGP 6.x?

Platform    Program                          PGP 6.0.2i  PGP 6.5.1i  Comment
Windows     Eudora 3.x, 4.1 and 4.2          Yes         Yes         Included with PGP 6.0.2i and later. Note: For Eudora 4.3.x, you'll need PGP 6.5.2 or newer.
            Outlook 97 & 98                  Yes         Yes         Included with PGP 6.0.2i and later
            Outlook 2000                     No          Yes         Included with PGP 6.5.1i
            Outlook Express 4                Yes         Yes         Included with PGP 6.0.2i and later
            Outlook Express 5                No          Yes         Included with PGP 6.5.1i
            Netscape Messenger 3.x and 4.x   No          Yes         You can get it here
            Mozilla (Netscape 5.x)           No          No          Not yet - is anybody working on this?
            Lotus Notes                      Yes         Yes         Included with PGP 6.5.1i; 6.0.2i plugin available here
            Pegasus Mail 3.x                 Yes         Yes         You can get it here
Macintosh   Eudora                           Yes         Yes         Included with PGP 6.0.2i and later
            Claris Emailer                   Yes         Yes         Included with PGP 6.0.2i and later


3.3. Is there a plugin for Netscape Messenger?

PGP 6.x does not include a plugin for Netscape, but there are a couple of 3rd party freeware versions available:

* Netscape PGP Plugin by Jerry Davis
* Half-plugin by Disastry (only does encryption, not decryption)

In addition, you can always encrypt/decrypt via the clipboard.


3.4. Is there a PGP DLL?

Yes. PGP 6.x for Windows includes a DLL that you can call from within your own programs. Note, however, that the API has changed from PGP 5.x to 6.x, so you shouldn't use the DLL that comes with PGP 5.x. For information on how to use the DLL, see the PGPsdk documentation.

There are also other DLLs, SDKs and libraries that you can use for your own program development - see the PGP developer's resources.


3.5. Where can I get updated language modules for PGPi?

Language modules for the command-line versions of PGP can be found here.


3.6. Where can I get PGPdisk?

PGPdisk is a commercial product, and is not included with PGPfreeware (except 6.0.2i, where it was included by mistake). For more information on how to get PGPdisk, look here.


4.1. How can I check the integrity of PGPi?

All the PGPi distribution archives contain one or more signature files so that you can verify that the files have not been tampered with. The signature files have the ".asc" or ".sig" file extension, and are either inside the distribution archive (so that you can check each file in the archive), or in a separate file in the same directory as the archive file (so that you can check the whole archive at once).

In order to verify the signatures, you need the signer's public key:

* Ståle Schumacher Ytteborg (0xCCEF447D / 0x0A791610): source code, Unix and Windows versions
* Michael Westlund (0x7C20A990): Macintosh version
* CN Lab (0xDE2AB910): 6.5.1int version, Windows and Macintosh
* Stefan Zakarias (0xCA214F18): Amiga version


4.2. I have problems installing PGPi. What do I do?

First, make sure that you read the documentation carefully.

If you are still having problems, have a look at the support page.


4.3. I can't get PGP 6.0.2i to work with Outlook Express (Internet Explorer) 5.0. What's wrong?

The Outlook Express plugin that comes with PGP 6.0.2i only works with OE version 4. Upgrade to PGP 6.5.1i instead.


5.1. Can PGP be cracked?

Yes. Any PGP version can be cracked, provided that the attacker has enough time and resources (= money) for the job. However, a typical 1024-bit PGP message would take about 300,000,000,000 MIPS-years to crack, so the ordinary citizen is relatively safe, at least for the next few decades. See the PGP Attack FAQ for details. If someone really wants to read your PGP encrypted messages, he/she would probably rather steal a copy of your secret key and try to guess your pass phrase, or force you to reveal it.


5.2. Isn't PGPi the version that was weakened for export by the NSA?

No. PGPi is just as secure as any other version of PGP. Neither Phil Zimmermann, MIT, NSA, myself nor anybody else has put any backdoor into PGPi, lobotomized the random number generator, limited the effective key size or otherwise done anything to compromise the security of the program. If you don't believe it, download the source code and see for yourself. The PGP source is free for anyone to scrutinize, and has been so for many years now. Still, nobody has been able to find any backdoors.

If you're still not convinced, please read what Phil Zimmermann writes about the cryptographic integrity of PGP.


5.3. Does PGP contain a back door?

No, not that I am aware of. See question 5.2. The ARR feature explained in question 5.4 is not a back door; it is a well-known and openly discussed feature (though many people dislike it). You don't have to use it if you don't want to.


5.4. I have heard that PGP 5 and later contain message recovery features. Is this true?

Yes. All PGP 5.x and 6.x versions contain a feature known as ADK (Additional Decryption Key), or ARR (Additional Recipient Request). PGP, Inc. implemented this feature in PGP at the demand of companies who wanted to be able to recover messages written by their employees (e.g. when the employees quit). However, they made it entirely optional. It works like this:

When you generate a new key using the PGP business edition, you may specify that messages encrypted with this key should also be encrypted with your company's key. When other people later encrypt messages using your key, PGP will request that the messages should also be encrypted using your company's key. It does this by adding your company's key to the recipient list. However, the user may freely remove this key from the recipient list if he/she so wishes. That's why this feature is indeed an Additional Recipient Request; it is not mandatory.

NB! There is a bug in all PGP 5.5.x and 6.x versions prior to 6.5.8 with respect to the ADK feature. The problem is that PGP honours the ADK request even if it is not signed. This allows malicious users to add unsigned ADK packets to other people's public keys. It is recommended that all users of the vulnerable versions upgrade to PGP 6.5.8 (available for Windows and MacOS only). For more information on the ADK bug, see the CERT advisory and the security advisory from NAI.
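To make the ADK bug concrete, here is a small model written for this FAQ (it is an added illustration, not PGP's own source code). An OpenPGP signature packet carries a "hashed" subpacket area, which the signature covers, and an "unhashed" area, which it does not. The model uses plain dicts as stand-ins for key and signature packets, a toy RSA key pair built from constructed, deliberately tiny primes to model the owner's self-signature, and placeholder strings for all key ids. recipients_vulnerable() honours an ADK wherever it appears on the key, which is the pre-6.5.8 behaviour the FAQ describes; recipients_hardened() honours an ADK only when it sits in the hashed area of a self-signature that actually verifies. unsigned_adks() is an audit helper that lists the ADKs a vulnerable client would encrypt to without the key owner ever having signed for them.

```python
"""Model of the ADK handling flaw described above (added example, not PGP code).

Everything here is a simplified stand-in: dicts model packets, a toy RSA key
pair with constructed (tiny, insecure) primes models the owner's
self-signature, and every key id is a placeholder string.
"""
import hashlib
import json

# Toy RSA parameters (constructed; far too small to be secure, model use only).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent of the key owner


def _digest(hashed_subpackets):
    """Hash of the hashed subpacket area, reduced into the toy RSA modulus."""
    data = json.dumps(hashed_subpackets, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def self_sign(private_d, hashed, unhashed=None):
    """Model of a self-signature packet: the signature value covers only the
    hashed area; the unhashed area travels alongside it unprotected."""
    return {"hashed": hashed, "unhashed": dict(unhashed or {}),
            "sig": pow(_digest(hashed), private_d, N)}


def self_signature_valid(public_e, sig_packet):
    """True when the signature value verifies over the hashed area."""
    return pow(sig_packet["sig"], public_e, N) == _digest(sig_packet["hashed"])


def recipients_vulnerable(key):
    """Pre-6.5.8 behaviour as the FAQ describes it: an ADK found anywhere on
    the key is added to the recipient list, signed or not."""
    recips = [key["key_id"]]
    for sig in key["signatures"]:
        for area in ("hashed", "unhashed"):
            adk = sig[area].get("adk")
            if adk and adk not in recips:
                recips.append(adk)
    return recips


def recipients_hardened(key):
    """Honour an ADK only when it sits in the hashed area of a self-signature
    that verifies under the key's own public key."""
    recips = [key["key_id"]]
    for sig in key["signatures"]:
        if not self_signature_valid(key["public_e"], sig):
            continue
        adk = sig["hashed"].get("adk")
        if adk and adk not in recips:
            recips.append(adk)
    return recips


def unsigned_adks(key):
    """Audit helper: ADK requests on the key that the owner never signed for,
    i.e. the ones a vulnerable client would silently encrypt to."""
    return sorted(set(recipients_vulnerable(key)) - set(recipients_hardened(key)))


def make_key(hashed, unhashed=None, forged_sig=None):
    """Build a one-signature key; forged_sig replaces the real signature value."""
    packet = self_sign(D, hashed, unhashed)
    if forged_sig is not None:
        packet["sig"] = forged_sig
    return {"key_id": "OWNER-KEYID", "public_e": E, "signatures": [packet]}


def demo():
    uid = {"user_id": "owner@example.invalid"}  # constructed user id
    # 1. Legitimate business-edition key: the company ADK is in the signed area.
    legit = make_key({**uid, "adk": "COMPANY-KEYID"})
    # 2. Plain key carrying an ADK in the unhashed area; the self-signature
    #    still verifies because that area is not covered by it.
    unsigned = make_key(uid, unhashed={"adk": "UNSIGNED-ADK-KEYID"})
    # 3. ADK in the hashed area, but under a signature value that does not verify.
    forged = make_key({**uid, "adk": "FORGED-ADK-KEYID"}, forged_sig=12345)
    return {
        "unsigned_sig_still_valid": self_signature_valid(E, unsigned["signatures"][0]),
        "legit": (recipients_vulnerable(legit), recipients_hardened(legit)),
        "unsigned": (recipients_vulnerable(unsigned), recipients_hardened(unsigned)),
        "forged": (recipients_vulnerable(forged), recipients_hardened(forged)),
        "audit": unsigned_adks(unsigned) + unsigned_adks(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The legitimate case shows that the hardened check does not break the feature as designed: a company ADK placed in the signed area by the key owner is still honoured. The other two cases show the two ways an ADK can turn up on a key without the owner's consent (outside the signed area, or under a signature that does not verify) and that only the hardened recipient logic ignores both.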


5.5. Does PGP contain key recovery features?

No, it doesn't. PGP 5 and later do, however, contain message recovery features. See question 5.4.


6.1. How come PGP 5.5 and later were scanned so fast?

The PGP 5.0 scanning project took many months to complete, but 5.5 and later versions were scanned and proofread in just a couple of weeks. Teun Nijssen explains how this was possible.


6.2. Are there any bugs in PGPi?

No program is 100% error free, and this applies to PGPi as well. To see a list of known bugs and how to fix them, or to report new bugs, refer to the PGP bug page at http://www.pgpi.org/doc/bugs/.


6.3. Who is responsible for PGPi?

PGPi was published by Ståle Schumacher Ytteborg in Norway. However, this work would not have been possible without the help of many individuals around the world. For more information on the PGPi project, please see here.


6.4. Where can I get support for PGPi?

There is no support for freeware versions of PGP. If you want support, you'll have to buy one of the commercial versions. Having said that, there are many resources about PGP on the Internet where you can get help if you have problems installing or using PGP. For more information, look here.


6.5. Where can I learn more about PGP?

Here are some links to get you started:

* Other FAQs
* PGP documentation
* PGP links

