I'd appreciate comments on this from readers of this echo. I don't need to tell you that contributions will be gratefully accepted... :-)

I started this when no one replied to my posts about the existence of such a FAQ, but ran out of steam before I got all the stuff in I wanted, so I figured I'd post what I had & see what questions & answers folks contributed...

DRAFT   FOR COMMENT ONLY   DRAFT

NoiseNet Privacy Echo
Frequently-Asked Questions
23 December 1993

'Copyleft' Rob Szarka (1:320/42) mrnoise@econs.umass.edu

1. Why this FAQ?

While more than one excellent privacy-related FAQ is available on the Internet, this FAQ is intended to be posted to the NoiseNet Privacy Echo, Fidonet Public Keys Echo, & other appropriate amateur networks. I will attempt to keep it a good deal shorter than the comparable Internet versions to preserve bandwidth & allow frequent posting, while providing information of particular concern to BBS users.

Please send pertinent information to me at the addresses above, or search your nodelist for 'Szarka' or 'Mr. Noise'. I can also be reached in NOISE_PRIVACY, PUBLIC_KEYS, or on my BBS at +1-203-886-1441.

This document is CopyLeft 1993 by Robert Szarka. Unattributed quotations throughout are from the PGP documentation by Phil Zimmermann.

The following people have contributed to this FAQ:

christopher.baker@f14.n374.z1.fidonet.org

2. What is PGP? What is public-key cryptography?

PGP (Pretty Good Privacy) is a free public-key cryptography program written by Phil Zimmermann. To use such a program, you must first generate a 'key pair', consisting of a 'public key' & a 'secret key'. You then distribute the public key, which allows others to encrypt a message so that it can be decoded only with your secret key; the secret key, & the passphrase that you use with it, must be kept secure.

The PGP documentation gives an excellent discussion of the subject, & it is recommended reading even if you're just interested & never intend to use the program.

3. Is PGP illegal? What is ViaCrypt PGP?

There are two issues here: export controls & patent infringement.

Technically, it is illegal to export the executable versions of PGP from the United States. The government takes the view that cryptography has military applications, & is thus a 'munition'. Never mind that the most recent versions of PGP originated in Europe & were *imported* to the U.S.; our government has never been what you could call open-minded about things like this. People are working to change this situation, & you should certainly contact your Congresscritters to support their efforts.

Source code is a murkier matter. It ought to be exportable under the technical data exception to the law, but the government is currently investigating (i.e., harassing) folks for doing so.

Public Key Partners also contends that PGP violates their patent on the RSA algorithm used as part of PGP (the text is encrypted using IDEA, but the IDEA key is then encrypted using RSA). (Note that the U.S. is the only country that allows patents on algorithms, so PGP is still legal in the rest of the world!) Zimmermann, & others, tried to obtain a license for PGP, but to no avail.

In November, ViaCrypt (+1-602-944-1543) released a commercial version of PGP (at an introductory price of $100) under their license with Public Key Partners. ViaCrypt PGP is compatible with PGP & solves the legal questions for businesses & others that don't want to chance violating the law. (Note that government employees can use the RSA algorithm for official business anyway, as it was developed with tax dollars.)

4. Where do I get PGP? Is it available for (insert your OS here)?

(being compiled)

Many sysops make PGP available for FREQ using the following magic names:

PGPFILES   PGP/privacy/encryption filelist.
PGP        Current version of MSDOS PGP executables and docs.
PGPSRC     Current version of PGP source files.
PGPALL     Both MS-DOS executables and source.
PGPAMIGA   Amiga version of PGP.
PGPATARI   Atari version of PGP.
PGPMAC     Macintosh version of PGP.
PGPOS2     OS/2 version of PGP.

5. Where do I get public keys?

Those on Fidonet should pick up the PKEY_DROP echo, intended for the posting of public keys. In addition, many sysops make public keys available via FREQ using the following magic names:

PGPKEY     The sysop's PGP public key. (Make the filename distinctive with your node number or name.)
KEYRING    Complete public keyring. (Make the filename similarly distinctive.)
PEMKEY     PEM public-key
PEMRING    PEM public-keyring

6. How do I clearsign a message with PGP?

(to be added)

7. How can I help the cause?

Phil Zimmermann has not yet been sued or charged with a crime, but there's no telling what will happen tomorrow--sooner or later this thing has got to come to a head. The Electronic Frontier Foundation has already stepped forward to provide moral & financial support, and you can do your part by mailing a contribution to Zimmermann's lawyer for his defense:

Philip Dubois, Esq.
2305 Broadway
Boulder, CO 80304
+1-303-444-3885

Zimmermann, & the others who have stepped forward to help with PGP's development over the years, have done us a great service. They deserve our support. One idea that I'm trying here at Sea of Noise is to earmark 10% of contributions to the BBS for Zimmermann's defense; I hope other sysops will join me.

DRAFT   FOR COMMENT ONLY   DRAFT
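
The hybrid scheme mentioned in sections 2 and 3 (the text goes under a symmetric cipher, and that cipher's key is then encrypted with the recipient's public key), as an added example that is not part of the original FAQ or of PGP's own code. It assumes a toy textbook-RSA key built from two Mersenne primes and a SHA-256 keystream standing in for IDEA; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy key pair: two Mersenne primes give a ~234-bit modulus.
# Real keys are far larger and use padding; this only shows the structure.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q                              # public modulus (with E: the public key)
D = pow(E, -1, (P - 1) * (Q - 1))      # secret exponent (the secret key)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for IDEA: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def encrypt_for(public_n: int, public_e: int, message: bytes):
    """Sender side: needs only the recipient's public key."""
    session_key = secrets.token_bytes(16)          # fresh key for each message
    body = keystream_xor(session_key, message)     # bulk text, symmetric cipher
    wrapped = pow(int.from_bytes(session_key, "big"), public_e, public_n)
    return wrapped, body


def decrypt_with(secret_d: int, public_n: int, wrapped: int, body: bytes) -> bytes:
    """Recipient side: the secret key recovers the session key, then the text."""
    session_int = pow(wrapped, secret_d, public_n)
    # A wrong secret key yields an arbitrary value; reduce it to 128 bits so the
    # function returns garbage instead of raising.
    session_key = (session_int % 2**128).to_bytes(16, "big")
    return keystream_xor(session_key, body)
```

Only `wrapped` and `body` travel to the recipient; the session key never appears in the clear, and each message gets a new one.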