Even though PGP 2.5 and later releases from MIT introduced many bug-fixes and improvements over 2.3a, many non-US users of PGP have been reluctant to upgrade to the new versions because they feel that the PGP developers have abandoned the international PGP community by adding a number of restrictions that are only necessary within the USA. That is why I decided to make PGP 2.6.i (and later 2.6.2i and 2.6.3i): to put an end to all the PGP "hack versions" that flourish by giving the non-US users of PGP a version that is more "digestible" than those offered by MIT, while at the same time letting them benefit from all the improvements that the new versions have introduced over PGP 2.3a. PGP 2.6.3i is a "real" 2.6 version, as it is based on the code tree for PGP 2.6.2 and not 2.3a. This release fixes a number of bugs present in PGP 2.6.2(i), and adds some new features (see below).
This is to clearly distinguish it from other PGP versions. This is important because users within the USA should not use PGP 2.6.3i, and also because script files, shells and other PGP add-ons may need to know exactly how your copy of PGP will behave under different circumstances. If you compile your copy of PGP using the -DUSA option, you will get a version called 2.6.3 instead.
PGP 2.3a and earlier versions use a special library for all the RSA encryption/decryption routines, called MPILIB, and written by Philip R. Zimmermann (PRZ), the original author of PGP. However, starting with version 2.5, all official releases of PGP have been using the RSAREF library from RSADSI Inc, a US company that holds the patent on the RSA algorithm in the USA. This change was made in order to make PGP legal to use within the USA.
Please observe that PGP 2.6.3i does NOT use RSAREF, but rather PRZ's original MPILIB library, which is functionally identical to RSAREF and slightly faster on most platforms. Because 2.6.3i uses MPILIB rather than RSAREF, this PGP version is also able to verify key signatures made with PGP 2.2 or earlier versions. This is not true for MIT PGP, because the RSAREF library only understands the new PKCS signature format introduced in PGP 2.3.
The use of the MPILIB library is the main reason why PGP 2.6.3i is probably illegal to use within the USA. If you are in the USA, you should compile the source code using the -DUSA option and link it with the RSAREF library rather than MPILIB.
PGP 2.6.2 contains a "feature" that will cause it to generate keys and messages that are not readable by PGP 2.3a and earlier versions. This is the "legal kludge", and was introduced to encourage users in the USA to upgrade from PGP 2.3a.
PGP 2.6.3i provides you with a way to disable the "legal kludge". This means that messages and keys generated with PGP 2.6.3i can be used and understood by all existing 2.x versions of PGP. To disable the legal kludge, uncomment the following line in your config.txt file so that it reads:
    legal_kludge = off

This option may also be set on the command line: "pgp +le=off
Because of a bug in PGP 2.6.2, this version would not let you generate keys bigger than 2047 bits on some platforms. This problem has been corrected in PGP 2.6.3i.
PGP 2.6.3i also fixes a number of other bugs found in PGP 2.6.2, most notably the signature bug for keys over 2034 bits, as reported by ViaCrypt. PGP 2.6.3i will also let you clearsign messages in 8-bit character sets, such as Russian, Japanese, Korean etc. Many other bugs have also been corrected; see pgp262i.dif and pgp263i.dif for details.
Version 2.6.3i adds some new functionality to PGP, while maintaining compatibility with older versions, e.g.:
    pgp -eat filename.txt user1 user2 -@moreusers.txt

The file moreusers.txt is a normal text file with one key ID or user ID on each line.
PGP 2.6.3i has been modified in order to let it compile "out of the box" for such platforms as Amiga, Atari, VMS, IBM mainframes running MVS and Windows NT/Windows 95. Furthermore, the Macintosh port of PGP is now integrated into the main source distribution. PGP 2.6.3i will also compile under MS-DOS using Borland C (MIT PGP 2.6.2 only supports Microsoft C).
The language files for MIT PGP 2.6.2 had not been updated for a long time. This has been fixed in this version. PGP 2.6.3i comes with a combined translation file for German, French and Spanish. Additional language modules may be downloaded from:
    http://www.ifi.uio.no/pgp/modules.shtml
    ftp://ftp.ifi.uio.no/pub/pgp/lang/

All the other text and documentation files for PGP 2.6.3i have also been brought up to date, with the exception of PRZ's original PGP User's Guide from PGP 2.6.2, which is included unmodified in the various distribution archives.
The PGP 2.6.3i source code distribution contains two new tools for use with PGP, called Stealth and PGPSort. Take a look in the contrib/ subdirectory for details. The binary distributions now contain pre-compiled versions of PGPSort and MD5Sum.
PGP 2.6.3i is based on the source code for PGP 2.6.2, whereas PGP 2.6ui is based on the source code for 2.3a. This means that 2.6.3i contains a lot of bug-fixes that are not present in 2.6ui, and it also adds a number of new features that are lacking in 2.6ui.
PGP 2.6ui has an option to allow you to choose which message format to use when generating keys and messages. This is the version_byte option, and can be set both in the config.txt file and on the command line:
    version_byte = 2    (use backwards-compatible format, default)
    version_byte = 3    (use new 2.6 format)

In PGP 2.6.3i, the same is accomplished using the legal_kludge flag:

    legal_kludge = off  (use backwards-compatible format)
    legal_kludge = on   (use new 2.6 format, default)
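
A way to check which of the two formats a key or message actually uses, as an added example that is not part of the PGP distribution. It assumes the PGP 2.x packet layout documented in RFC 1991, where key, signature and public-key-encrypted packets begin with the version byte, and it expects binary (not ASCII-armored) input; the function names and sample bytes are constructed for illustration.

```python
# Added example: report the format version byte of PGP 2.x packets.
# Packet layout follows RFC 1991 (old-format CTB); sample bytes are constructed.
VERSIONED = {1: "public-key-encrypted", 2: "signature",
             5: "secret-key", 6: "public-key"}   # bodies start with a version byte
FORMATS = {2: "backwards-compatible (version_byte = 2 / legal_kludge = off)",
           3: "new 2.6 format (version_byte = 3 / legal_kludge = on)"}

def packet_versions(data: bytes):
    """Walk old-format packets; return [(packet_type_name, version_byte), ...]."""
    found, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80:            # bit 7 set, bit 6 clear
            raise ValueError(f"offset {pos}: not an old-format CTB ({ctb:#04x})")
        ptype, lol = (ctb >> 2) & 0x0F, ctb & 0x03
        pos += 1
        if lol == 3:                      # no length field: body runs to the end
            length = len(data) - pos
        else:
            width = 1 << lol              # 1, 2 or 4 length bytes, big-endian
            if pos + width > len(data):
                raise ValueError("truncated length field")
            length = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        if (length == 0 and ptype in VERSIONED) or pos + length > len(data):
            raise ValueError("truncated packet body")
        if ptype in VERSIONED:
            found.append((VERSIONED[ptype], data[pos]))
        pos += length                     # skip the rest (e.g. user ID packets)
    return found

def describe(data: bytes):
    """Map each version byte to the config setting that produces it."""
    return [f"{name}: {FORMATS.get(v, f'unknown version byte {v}')}"
            for name, v in packet_versions(data)]

def make_packet(ptype: int, body: bytes) -> bytes:
    """Build a constructed test packet with a one-byte length field."""
    return bytes([0x80 | (ptype << 2), len(body)]) + body

# Constructed samples (not real keys): key packet + user ID packet (type 13).
KEY_BODY = bytes(4) + bytes(2) + b"\x01" + b"\x00\x08\xc5" + b"\x00\x05\x11"
SAMPLE_OLD = make_packet(6, b"\x02" + KEY_BODY) + make_packet(13, b"Test User")
SAMPLE_NEW = make_packet(6, b"\x03" + KEY_BODY) + make_packet(13, b"Test User")

if __name__ == "__main__":
    for label, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, describe(blob))
```
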
PGP 2.6ui has an option to let you "forge" the version number in the ASCII armored files produced by PGP. In PGP 2.6.3i, the armor_version option is NOT supported, as this is a feature that is heavily misused. If you must change the version number of your keys and messages, you can do so in the language.txt file instead.
The ITAR regulations classify cryptography in the same category as munitions, and so it is very likely that exporting PGP from the USA is considered illegal by US authorities. In the case of PGP 2.6.3i, large portions of the code were written inside the USA, and later exported to the rest of the world. However, this is not a problem, because it is the _export_ that is illegal, not the _use_ of the program. Once the software is (illegally) exported, anyone may use it legally. (I didn't export it, and I strongly recommend that you don't do it either.) As long as you make sure that you get your copy of PGP 2.6.3i from somewhere outside the USA, then you should be on the safe side.
This is not a problem either, because PGP 2.6.3i is not intended for use in the USA (which just happens to be the only country in the world where the RSA patent is valid, and still the validity of this patent is somewhat dubious). If you are inside the USA, you should compile the source using the -DUSA option and link it with the RSAREF library, which will give you a version that identifies itself as PGP 2.6.3.
The second point in the MIT license for PGP 2.6.2 explicitly forbids anyone to remove the so-called "legal kludge". Still, this is exactly what PGP 2.6.3i does. However, it should be clear that this limitation only refers to the RSAREF versions of PGP. PGP 2.6.3i, on the other hand, does not use RSAREF, and so this point becomes irrelevant. If you still feel uncomfortable about this, take a look at the file przon26i.asc which is included in the distribution archive. This file contains a statement by Phil Zimmermann on PGP 2.6.i, the predecessor to PGP 2.6.3i.
     1.. 10 users   120 SFr. per copy
    11.. 20 users    80 SFr. per copy
    21..100 users    60 SFr. per copy

For more information, contact:
Ascom Systec AG
IDEA Licensing
Gewerbepark
CH-5506 Maegenwil
Switzerland
Phone : +41 62 889 59 54
Fax : +41 62 889 59 54
Email : idea@ascom.ch
PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates 1994
ISBN 1-56592-098-8
430 pp. $24.95
Protect Your Privacy: The PGP User's Guide
by William Stallings
Prentice Hall PTR 1995
ISBN 0-13-185596-4
302 pp. $19.95
Applied Cryptography: Protocols, Algorithms, and Source Code in C
2nd Edition
by Bruce Schneier
John Wiley & Sons 1996
ISBN 0-471-11709-9
E-Mail Security with PGP and PEM: How to Keep Your Electronic Mail Private
by Bruce Schneier
John Wiley & Sons 1995
ISBN 0-471-05318-X