Where to Get the Latest PGP (Pretty Good Privacy) FAQ
-----BEGIN PGP SIGNED MESSAGE-----
WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP)
(Last modified: 7 September 1994 by Mike Johnson)
WHAT IS THE LATEST VERSION?
There is more than one latest version. Pick one or more of the following
that best suits your computer, patent restrictions, and export restrictions.
Some countries (like France) may also restrict import or even use of strong
cryptography like PGP.
| Platform(s) | Latest Version | Distribution File Names |
| DOS, Unix, | Viacrypt PGP 2.7 | disk sets |
| or WinCIM/CSNav | | |
| DOS, Unix, | MIT PGP 2.6.1 | pgp261.zip (DOS + docs) |
| others | | pgp261s.zip (source) |
| | | pg261s.zip source on CompuServe |
| | | pgp261.tar.gz (source) |
| | | pgp261.gz (same as above on DOS)|
| | | pgp261.tar.Z (source) |
| | | pgp261dc.zip (documentation) |
| | | pg261d.zip (docs on CompuServe) |
| Macintosh | MIT PGP 2.6 | MacPGP2.6.sea.hqx (binary+docs) |
| | | macpgp26.hqx (same as above) |
| | | MacPGP2.6.src.sea.hqx (source) |
| | | macpgp26.src (same as above) |
| | | MacPGP2.6-68000.sea.hqx (binary)|
| | | mcpgp268.hqx (same as above) |
| Mac Applescript | MacPGP 2.6ui v 1.2 | MacPGP-2.6ui-v1.2.sit.hqx |
| | | MacPGP2.6ui_V1.2_sources.cpt.hqx|
| | | MacPGP2.6uiV1.2en.cpt.hqx |
| | | MacPGP2.6uiV1.2src.cpt.hqx |
| | | MacPGP2.6uiV1.2.68000.hqx |
| Amiga | Amiga PGP 2.3a.4 | PGPAmi23a_4.lha |
| Atari | Atari PGP 2.6ui | pgp26uib.lzh (binary, docs) |
| | | pgp26uis.lzh |
| Archimedes | Archimedes 2.3a | ArcPGP23a |
Note: there are other versions available, but these are either old, or
outside of the mainstream PGP project. Look for signatures from one of three
sources: Viacrypt (Commercial), [email protected] (North American freeware), or
[email protected] (the unofficial international version source). The
"unofficial international" versions are really just PGP 2.3a, modified just
enough to make it compatible with MIT PGP 2.6, but do not include all of the
fixes in MIT PGP 2.6 and MIT PGP 2.6.1. They are named pgp26ui* or have a
"ui" somewhere in their file names. I recommend the use of the "ui" versions
(1) You are using a Macintosh;
(2) You are using a platform for which there is no Viacrypt or MIT
(3) You are outside of North America, and can't obtain Viacrypt or
MIT PGP; or
(4) You need to use a key longer than 1024 bits (i. e. a 1264 bit
key generated with PGP 2.3a or PGP 2.6ui).
WHERE CAN I GET VIACRYPT PGP?
If you are a commercial user of PGP in the USA or Canada, contact Viacrypt in
Phoenix, Arizona, USA. The commercial version of PGP is fully licensed to use
the patented RSA and IDEA encryption algorithms in commercial applications,
and may be used in corporate environments in the USA and Canada. It is fully
compatible with, functionally the same as, and just as strong as the freeware
version of PGP. Due to limitations on ViaCrypt's RSA distribution license,
ViaCrypt only distributes executable code and documentation for it, but they
are working on making PGP available for a variety of platforms. Call or
write to them for the latest information. The latest version number for
their version of PGP is 2.7.
The Windows version is anticipated to ship by (or before) September 15, 1994;
the Macintosh version is expected to ship in early October. The formal
announcements will go out about one week prior to first ship dates. The
Windows version is a high grade Visual Basic front end with the DOS program
in the back end. It is a point-and-click, drag-and-drop operation.
Here is a brief summary of Viacrypt's currently-available products:
1. ViaCrypt PGP for MS-DOS. Prices start at $99.98
2. ViaCrypt PGP for UNIX. Includes executables for the following
SunOS 4.1.x (SPARC)
IBM RS/6000 AIX
HP 9000 Series 700/800 UX
SCO 386/486 UNIX
Prices start at $149.98
Executables for the following additional platforms are
available upon request for an additional $30.00 charge.
Ultrix MIPS DECstation 4.x
3. ViaCrypt PGP for WinCIM/CSNav. A special package for users of
CompuServe. Prices start at $119.98
In September, 1994, ViaCrypt intends to announce two new major
ViaCrypt PGP for Windows
ViaCrypt PGP for Macintosh
Prices start at $124.98
Viacrypt's licensing and price information is as follows:
ViaCrypt PGP Version 2.7 for Windows (Single User) $ 124.98
ViaCrypt PGP Version 2.7 for Windows (Five User) $ 374.98
ViaCrypt PGP Version 2.7 for Macintosh(Single User) $ 124.98
ViaCrypt PGP Version 2.7 for Macintosh(Five User) $ 374.98
ViaCrypt PGP Version 2.7 for MS-DOS (Single User) $ 99.98
ViaCrypt PGP Version 2.7 for MS-DOS (Five User) $ 299.98
ViaCrypt PGP Version 2.7 for UNIX (Single User) $ 149.98
ViaCrypt PGP Version 2.7 for UNIX (Five User) $ 449.98
ViaCrypt PGP for WinCIM/CSNav (Single User) $ 119.98
ViaCrypt PGP for WinCIM/CSNav (Five User) $ 359.98
UNIX platforms of Ultrix and BSD 386 have an additional $30.00
charge per platform.
Please contact ViaCrypt for pricing of 20 users and above.
Orders may be placed by calling 800-536-2664 during the hours of
8:30am to 5:00pm MST, Monday - Friday. We accept VISA,
MasterCard, AMEX and Discover credit cards.
If you have further questions, please feel free to contact:
Paul E. Uhlhorn
Director of Marketing, ViaCrypt Products
Mail: 9033 N. 24th Avenue
Phoenix AZ 85021-2847
Phone: (602) 944-0773
Fax: (602) 943-2601
Internet: [email protected]
WHERE CAN I GET THE FREEWARE PGP?
These listings are subject to change without notice. If you find that PGP has
been removed from any of these sites, please let me know so that I can update
this list. Likewise, if you find PGP on a good site elsewhere (especially on
any BBS that allows first time callers to access PGP for free), please let me
know so that I can update this list. Because this list changes frequently, I
have not attempted to keep it complete, but there should be enough pointers
to let you easily find PGP.
There are several ways to get the freeware PGP: ftp, WWW, BBS, CompuServe,
America Online (maybe), email ftp server, and sneakernet (ask a friend for a
copy). Just don't ask the author directly for a copy.
FTP SITES IN NORTH AMERICA
These sites generally have some mechanism to (1) discourage export of PGP and
violation of the ITAR, (2) protect the site operators from harassment by the
Federal Government, and (3) still allow automated distribution of PGP as far
as is allowed under all applicable laws.
Telnet to net-dist.mit.edu, log in as getpgp, answer the questions, then ftp
to net-dist.mit.edu and change to the hidden directory named in the telnet
session to get your own copy.
MIT-PGP is for U. S. and Canadian use only, but MIT is only distributing it
within the USA (due to some archaic export control laws).
1. Read ftp://net-dist.mit.edu/pub/PGP/mitlicen.txt and agree to it.
2. Read ftp://net-dist.mit.edu/pub/PGP/rsalicen.txt and agree to it.
3. Telnet to net-dist.mit.edu and log in as getpgp.
4. Answer the questions and write down the directory name listed.
5. QUICKLY end the telnet session with ^C and ftp to the indicated directory
on net-dist.mit.edu (something like /pub/PGP/dist/U.S.-only-????) and get
the distribution files (see the above chart for names).
If the hidden directory name is invalid, start over at step 3, above.
You can also get PGP from:
See ftp://ftp.csn.net/mpj/README.MPJ for the ???????
See ftp://ftp.csn.net/mpj/help for more help on negotiating this site's
export control methods (open to USA and Canada).
See ftp://ftp.netcom.com/pub/mpj/README.MPJ for the ???????
See ftp://ftp.netcom.com/pub/mpj/help for more help on negotiating this
site's export control methods.
TO GET THESE FILES BY EMAIL, send mail to [email protected]
containing the word HELP in the body of the message for instructions.
You will have to work quickly to get README.MPJ then the files before
the ??????? part of the path name changes again (several times a day).
Follow the instructions found in README.Dist that you get from one of:
(U. S. and Canadian users only)
See /pub/crypto/software/README for the characters for XXXXXXXX
This site has all public releases of the freeware PGP.
WORLD WIDE WEB ACCESS
The NCSA Forum sysops have a library (Library 12: Export Controlled) that is
available only to people who send them a message asserting that they are
within the U. S. A. This library contains PGP. I have also seen PGP in some
other places on Compuserve. Try searching for PGP261.ZIP in the IBMFF forum
for up-to-date information on PGP in selected other areas. The last time I
tried a search like this, PGP 2.6 was found in the PC World Online forum (GO
PWOFORUM) new uploads area, along with several PGP shells and accessories.
I've also heard that EUROFORUM carries PGP 2.6ui, but have not confirmed this.
Compuserve file names are even more limited than DOS (6.3 instead of the
already lame 8.3), so the file names to look for are PGP26.ZIP, PG261S.ZIP
(source code), PGP261.GZ (Unix source code) and PG261D.ZIP (documentation
BULLETIN BOARD SYSTEMS
Colorado Catacombs BBS
Mike Johnson, sysop
Mac and DOS versions of PGP, PGP shells, and some other crypto stuff.
Also the home of some good Bible search files and some shareware written
by Mike Johnson, including DLOCK, CRYPTA, CRYPTE, CRYPTMPJ, MCP, MDIR,
DELETE, PROVERB, SPLIT, ONEPAD, etc.
v.FAST/v.32bis/v.42bis, speeds up to 28,800 bps
8 data bits, 1 stop, no parity, as fast as your modem will go.
Use ANSI terminal emulation, or if you can't, try VT-100.
Free access to PGP. If busy or no answer, try again later.
Log in with your own name, or if someone else already used that, try
a variation on your name or pseudonym. You can request access to
crypto software on line, and if you qualify legally under the ITAR,
you can download on the first call.
For free access: log in with your own name, answer the questions, then
select [Q]uestionaire 3 from the [M]ain menu.
(303) 772-1062 Longmont, Colorado number - 2 lines.
(303) 938-9654 Boulder, Colorado number forwarded to Longmont number
intended for use by people in the Denver, Colorado area.
Hieroglyphics Voodoo Machine (Colorado)
Jim Still (aka Johannes Keppler), sysop.
DOS, OS2, and Mac versions.
For free access for PGP, DLOCK, Secure Drive, etc., log in as "VOO DOO"
with the password "NEW" (good for 30 minutes access to free files).
Exec-Net (New York)
Host BBS for the ILink net.
The Ferret BBS (North Little Rock, Arkansas)
(501) 791-0124 also (501) 791-0125
Special PGP users account:
login name: PGP USER
This information from: Jim Wenzel <[email protected]>
Other BBS -- check your local BBS. Chances are good that it has any release
that is at least a month old if it has much of a file area at all.
Try PC WORLD soft/lib. (key word PGP). Make sure you get ALL of the files,
including the documentation. Somebody apparently split up the .ZIP file just
to make life more difficult.
OTHER FTP SITES
These other ftp sites don't have the "export control" hoops to jump through
that most North American sites have in deference to archaic laws.
This site has most, if not all, of the current PGP files.
/pub/dcosenza -- Some crypto stuff, sometimes includes PGP.
/pub/gbe/pgpfaq.asc -- frequently asked questions answered.
/pub/qwerty -- How to MacPGP Guide, largest steganography ftp site as
well. PGP FAQ, crypto FAQ, US Crypto Policy FAQ,
Steganography software list. MacUtilities for use with
MacPGP. Stealth1.1 + other steganography programs.
Send mail to [email protected] with the subject
"Bomb me!" to get the PGP FAQ and MacPGP guide if you
don't have ftp access.
/pub/cypherpunks/pgp (DOS, MAC)
ftp.tu-clausthal.de (220.127.116.11) (Atari ST/E,TT,Falcon)
/pub/atari/misc/pgp/pgp26uib.lzh (2.6ui ttp, 2.3a docs)
/pub/atari/misc/pgp/pgp26uis.lzh (2.6ui sources)
/pub/atari/misc/pgp/pgp26ui.diffs (Atari diffs for 2.6 sources)
Also, try an archie search for PGP using the command:
archie -s pgp26 (DOS & Unix Versions)
archie -s pgp2.6 (MAC Versions)
For those individuals who do not have access to FTP, but do have access
to e-mail, you can get FTP files mailed to you. For information on
this service, send a message saying "Help" to [email protected]
You will be sent an instruction sheet on how to use the ftpmail
Another e-mail service is from nic.funet.fi. Send the following mail message
to [email protected]:
This will deposit the two zipfiles, as 15 batched messages, in your mailbox
within about 24 hours. Save and uudecode.
For the ftp sites on netcom, send mail to [email protected] containing
the word HELP in the body of the message.
IS MY COPY OF PGP GOOD?
If you find a version of the PGP package that does not include the PGP User's
Guide, something is wrong. The manual should always be included in the
package. PGP should be signed by one of the developers (Philip Zimmermann,
Jeff Schiller, Viacrypt, etc.). If it isn't, the package is suspect and
should not be used or distributed. The site you found it on should remove it
so that it does no further harm to others. To be really sure, you should get
PGP directly from MIT or check the signatures with a version of PGP that you
trust. The copies of PGP on ftp.csn.net/mpj, ftp.netcom.com/pub/mpj, and the
Colorado Catacombs BBS are direct copies of the ones on MIT, except that the
ones on the BBS include a BBS advertisement (automatically added by the
system when it virus scans new files) in the outer .zip files.
OTHER PGP DOCUMENTATION
PGP is rather counter-intuitive to a Mac user. Luckily, there's a
guide to using MacPGP in
There is a Frequently Asked Questions document in
For more information on the "time bomb" in PGP, see
These are suitable for most PGP versions. I am not aware of any
export/import restrictions on these files.
* _UK:_ ftp://black.ox.ac.uk/src/security/pgp_german.txt
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_german.txt
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/PGP_german_docs.lha
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.italian.tar.gz
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-msgs-japanese.tar.gz
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp23ltk.zip
* _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26ru.zip (MIT version)
* _RU:_ ftp://ftp.kiae.su/unix/crypto/pgp/pgp26uir.zip (ui version)
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp26ru.zip
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp-lang.spanish.tar.gz
* _UK:_ ftp://black.ox.ac.uk/src/security/pgp_swedish.txt
* _US:_ ftp://ftp.csn.net/mpj/public/pgp/pgp_swedish.txt
There are many more sites. You can use archie and/or other "net-surfing"
tools to find a more up-to-date listing, if desired.
WHAT IS ALL THIS NONSENSE ABOUT EXPORT CONTROLS?
For a detailed rant, get ftp://ftp.csn.net/mpj/cryptusa.zip
The practical meaning, until the law is corrected to make sense, is that you
are requested to get PGP from sites outside of the USA and Canada if you are
outside of the USA and Canada. If you are in France, I understand that you
aren't even supposed to import it. Other countries may be worse.
It is illegal to export PGP from the USA to any country except Canada, even
if that version of PGP originated outside of the USA. Don't do it. Don't
ask me to do it. The law is not rational, but it exists, and the Federal
Government has no sense of humor. On the other hand, if you should discover
a copy of PGP in some place other than the USA, then you are bound by the
laws of both that country and your own country with respect to what you can
do with it, not necessarily by U. S. Law. Your laws may be more or less
restrictive, and may possibly refer to U. S. Law through some sort of treaty.
If you live in a place where you can freely distribute and use PGP, then I
applaud your government.
In spite of the best efforts of MIT and the other primary developers and
distributors of PGP not to violate the International Traffic in Arms
Regulations, MIT PGP has been observed to migrate to many foreign sites.
Whoever is responsible for this export is responsible for their own actions
and is not encouraged or endorsed by myself, Philip Zimmermann, or MIT. This
doesn't necessarily mean that we agree with the law, or even that the law
itself is Constitutional. It just means that becoming a test case is not
WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN THE USA?
MIT PGP is only for noncommercial use because of restrictions on the
licensing of both the RSA algorithm (attached to RSAREF) and the IDEA
algorithm. PKP/RSADSI insist that we use RSAREF instead of the mpi library
for reasons that make sense to them.
For commercial use, use Viacrypt PGP, which is fully licensed to use both the
RSA and IDEA algorithms in commercial and corporate environments.
WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST IN CANADA?
MIT PGP is only for noncommercial use because of restrictions on the
licensing of the IDEA algorithm. Because the RSA algorithm isn't patented in
Canada, you are free to use the mpi library instead of RSAREF, if you want
to, thus freeing yourself of the RSAREF license.
For commercial use, use Viacrypt PGP, which is fully licensed to use the IDEA
algorithm in commercial and corporate environments.
WHAT INTELLECTUAL PROPERTY RESTRICTIONS EXIST OUTSIDE NORTH AMERICA?
MIT PGP is only for noncommercial use in areas where there is a patent on
software implementations of the IDEA algorithm. Because the RSA algorithm
isn't patented outside of the USA, you are free to use the mpi library
instead of RSAREF, if you want to, thus freeing yourself of the RSAREF
For commercial use, you cannot buy Viacrypt PGP, but you can arrange to
license your use of IDEA directly from ETH Zurich. If software
implementations of IDEA are not covered by a patent in your country, then you
can use the freeware versions of PGP, provided that you compile it with the
mpi library instead of RSAREF.
WHAT IS THE "TIME BOMB" IN MIT PGP 2.6?
As a concession to the RSA patent holders (in return for endorsement of the
legality of the freeware MIT PGP 2.6), MIT placed an inducement in MIT PGP
2.6 to encourage upgrade from the allegedly patent-infringing PGP 2.3a to
the MIT version. The nature of this inducement is a change in a packet ID
byte that causes PGP 2.3a and earlier to reject messages created by MIT PGP
2.6 after 1 September 1994. Altering MIT PGP 2.6 to bypass this annoyance
(though technically an easy change to the LEGAL_KLUDGE), invalidates the
blessing of Public Key Partners on the licence of MIT PGP 2.6. Therefore, it
is a bad idea. On the other hand, it is trivial to hack PGP 2.3a to accept
these packets, and that (plus a few other bug fixes) is essentially what PGP
2.6ui is. None of the versions of PGP greater than 2.3 have problems reading
the old packet ID values, so for maximum compatibility, the ideal is to write
the old value and accept either value.
Unfortunately, this time bomb has a negative effect on Viacrypt PGP 2.4, as
well, which never infringed on anyone's patents. Viacrypt's solution was to
issue PGP 2.7, which, by default acts just like MIT PGP 2.6, but has a
config.txt option (explained in the release) that allows compatibility with
both PGP 2.4 and PGP 2.6. Naturally, this also allows compatibility with PGP
The time bomb is annoying for those who still wish to use PGP 2.3a, and for
those who use Viacrypt PGP 2.4 and don't want to spend US$10 to upgrade to
Viacrypt PGP 2.7, but considering the magnitude of the concession made by
Public Key Partners in legitimizing the freeware PGP for use in the USA, it
was worth it.
For more information on the time bomb, see ftp://ftp.csn.net/mpj/pgpbomb.asc
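Added example, not part of the original FAQ or of any PGP source: a C model of the compatibility rule described in this section, showing that a writer that keeps the old value and a reader that accepts either value interoperate in every combination. The byte values 2 and 3, the packet header layout, the UTC cutoff instant and all names are assumptions; the FAQ itself only says that a packet ID byte changes after 1 September 1994.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumptions (not stated in the FAQ): the byte in question is the version
 * byte that follows the packet header, old value 2, new value 3, and the
 * switch happens at 00:00:00 UTC on 1 September 1994. */
#define VERSION_OLD 2
#define VERSION_NEW 3
#define CUTOFF_UTC  778377600L

enum reader { ACCEPT_OLD_ONLY, ACCEPT_EITHER };      /* 2.3a vs 2.6 / 2.6ui  */
enum writer { WRITE_OLD_ALWAYS, SWITCH_AT_CUTOFF };  /* ideal vs MIT 2.6     */

/* Return the version byte of a packet that carries one (for example a
 * signature packet), or -1 if it cannot be read. Assumed header layout:
 * CTB (bit 7 set, low 2 bits select a 1-, 2- or 4-byte length field, or
 * none), the length field, then the version byte. */
int packet_version(const unsigned char *pkt, size_t n)
{
    static const size_t len_bytes[4] = { 1, 2, 4, 0 };
    size_t off;

    if (n < 1 || !(pkt[0] & 0x80))
        return -1;                      /* first byte is not a CTB */
    off = 1 + len_bytes[pkt[0] & 3];
    if (off >= n)
        return -1;                      /* header is truncated */
    return pkt[off];
}

/* Which value a writer emits at time 'now' (seconds since 1970, UTC). */
int version_to_write(enum writer w, long now)
{
    if (w == SWITCH_AT_CUTOFF && now >= CUTOFF_UTC)
        return VERSION_NEW;
    return VERSION_OLD;
}

/* Every reader takes the old value; only tolerant readers take the new. */
int reader_accepts(enum reader r, const unsigned char *pkt, size_t n)
{
    int v = packet_version(pkt, n);

    if (v == VERSION_OLD)
        return 1;
    return v == VERSION_NEW && r == ACCEPT_EITHER;
}

/* Constructed sample: signature-packet header (CTB 0x89, 2-byte length)
 * carrying whatever version byte the writer would emit at 'now'. */
int interoperates(enum writer w, enum reader r, long now)
{
    unsigned char pkt[4] = { 0x89, 0x00, 0x95, 0x00 };

    pkt[3] = (unsigned char)version_to_write(w, now);
    return reader_accepts(r, pkt, sizeof pkt);
}

int main(void)
{
    long t = CUTOFF_UTC;  /* first second after the switch */

    printf("switching writer -> old-only reader: %d\n",
           interoperates(SWITCH_AT_CUTOFF, ACCEPT_OLD_ONLY, t));
    printf("switching writer -> tolerant reader: %d\n",
           interoperates(SWITCH_AT_CUTOFF, ACCEPT_EITHER, t));
    printf("old-value writer -> old-only reader: %d\n",
           interoperates(WRITE_OLD_ALWAYS, ACCEPT_OLD_ONLY, t));
    printf("old-value writer -> tolerant reader: %d\n",
           interoperates(WRITE_OLD_ALWAYS, ACCEPT_EITHER, t));
    return 0;
}
```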
ARE MY KEYS COMPATIBLE WITH THE OTHER PGP VERSIONS?
If your RSA key modulus length is less than or equal to 1024 bits (I don't
recommend less, unless you have a really slow computer and little patience),
and if your key was generated in the PKCS format, then it will work with any
of the current PGP versions (MIT PGP 2.6, PGP 2.6ui, or Viacrypt PGP 2.7). If
this is not the case, you really should generate a new key that qualifies.
Philip Zimmermann is aware of the desire for longer keys in PGP by some PGP
fans (like me), but wants to migrate towards that goal in an orderly way, by
first releasing versions of PGP for all platforms and for both commercial
(Viacrypt) and freeware (MIT) flavors that ACCEPT long keys, then releasing
versions that can also GENERATE long keys. He also has some other neat key
management ideas that he plans to implement in future versions.
These are the most annoying:
MIT PGP 2.6 -- the function xorbytes doesn't. Replace the = with ^= to fix
it. The effect of this bug is that RSA keys aren't quite as
random as they should be -- probably not a practical problem,
but worth fixing if you are going to compile the code
yourself. Fixed in 2.6.1.
MIT PGP 2.6 -- DON'T SET PGPPASS when editing your keys, because if you do,
and if you don't change your pass phrase, the key is lost.
(If this happens, rename your backup keyring files to the
primary files before you do anything else). Fixed in 2.6.1.
PGP 2.6ui -- Conventional encryption -c option doesn't use a different IV
every time, like it is supposed to. (PGP 2.3a had this
problem, too). Fixed in 2.6 and 2.6.1.
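Added example, not part of the original FAQ and not the PGP source: the xorbytes bug from the first entry above, with the buggy and fixed forms side by side and a self-test that tells them apart. The function signatures, the test buffers and the two-input mixing scenario are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The defect as the FAQ describes it: '=' where '^=' was intended, so the
 * function overwrites dest with src instead of mixing src into it. */
void xorbytes_buggy(unsigned char *dest, const unsigned char *src, size_t len)
{
    while (len--)
        *dest++ = *src++;
}

/* The fix the FAQ gives: replace '=' with '^='. */
void xorbytes_fixed(unsigned char *dest, const unsigned char *src, size_t len)
{
    while (len--)
        *dest++ ^= *src++;
}

typedef void (*xor_fn)(unsigned char *, const unsigned char *, size_t);

/* Hypothetical scenario: two random inputs are folded into one buffer.
 * Returns 1 if changing the first input changes the result, 0 if the
 * first input's contribution is lost. Buffers are constructed samples. */
int first_input_matters(xor_fn mix)
{
    static const unsigned char a1[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    static const unsigned char a2[8] = { 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56, 0x78 };
    static const unsigned char b[8]  = { 0xa5, 0x5a, 0xc3, 0x3c, 0x0f, 0xf0, 0x69, 0x96 };
    unsigned char out1[8], out2[8];

    memcpy(out1, a1, sizeof out1);
    mix(out1, b, sizeof out1);
    memcpy(out2, a2, sizeof out2);
    mix(out2, b, sizeof out2);
    return memcmp(out1, out2, sizeof out1) != 0;
}

/* Build-time check for anyone compiling the code themselves: x XOR x must
 * be all zero. Returns 1 on pass, 0 on fail. */
int xor_selftest(xor_fn mix)
{
    static const unsigned char x[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char zero[4] = { 0, 0, 0, 0 };
    unsigned char buf[4];

    memcpy(buf, x, sizeof buf);
    mix(buf, x, sizeof buf);
    return memcmp(buf, zero, sizeof buf) == 0;
}

int main(void)
{
    printf("buggy: selftest=%d first_input_matters=%d\n",
           xor_selftest(xorbytes_buggy), first_input_matters(xorbytes_buggy));
    printf("fixed: selftest=%d first_input_matters=%d\n",
           xor_selftest(xorbytes_fixed), first_input_matters(xorbytes_fixed));
    return 0;
}
```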
HOW DO I PUBLISH MY PGP PUBLIC KEY?
There are lots of ways. One way is to use a key server. Send mail to one of
these addresses with the single word "help" in the subject line to find out
how to use a key server.
FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp (Updated daily)
There is also an experimental public key server at
Another way is to upload it to the PGP public keys area of the Colorado
Catacombs BBS (303-772-1062). Another way is to just send it to your
correspondents. You could add it to your .plan file so that finger returns
your key. You could add it to some of your postings. No matter which way you
do it, you should have your key signed by someone who verifies that your key
belongs to you, so that you don't have someone else generating a key that has
your name on it, but that isn't yours.
Here is my public key:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- -----END PGP PUBLIC KEY BLOCK-----
|\ /| | | |
| \/ |o| | Michael Paul Johnson Colorado Catacombs BBS 303-772-1062 |
| | | / _ | [email protected] aka [email protected] [email protected] |
| |||/ /_\ | ftp://ftp.csn.net/mpj/README.MPJ CIS: 71331,2332 |
| |||\ ( | ftp://ftp.netcom.com/pub/mpj/README.MPJ -. --- ----- ....|
| ||| \ \_/ |___________________________________________________________|
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----