Internet Info 1993

home *** CD-ROM | disk | FTP | other *** search

/ Internet Info 1993 / Internet Info CD-ROM (Walnut Creek) (1993).iso / answers / alt / pgp-faq / part2 < prev next >

Wrap

Text File | 1994-04-18 | 44.1 KB | 1,157 lines

Newsgroups: alt.security.pgp,alt.answers,news.answers Path: bloom-beacon.mit.edu!hookup!swrinde!ihnp4.ucsd.edu!library.ucla.edu!csulb.edu!csus.edu!netcom.com!gbe From: gbe@netcom.com (Gary Edstrom) Subject: alt.security.pgp FAQ (Part 2/5) Message-ID: <gbe94Apr1717400205@netcom.com> Followup-To: poster Summary: Frequently Asked Questions (FAQ) for alt.security.pgp Keywords: pgp privacy security encryption RSA IDEA MD5 Supersedes: <gbe94Mar1310030204@netcom.com> Reply-To: gbe@netcom.com (Gary Edstrom) Organization: Sequoia Software X-Newsreader: TIN [version 1.2 PL1] References: <gbe94Apr1717400105@netcom.com> Date: Mon, 18 Apr 1994 00:51:06 GMT Approved: news-answers-request@mit.edu Expires: Sun, 31 Jul 1994 07:00:00 GMT Lines: 1137 Xref: bloom-beacon.mit.edu alt.security.pgp:11405 alt.answers:2463 news.answers:18188 Archive-name: pgp-faq/part2 Version: 9 Last-modified: 1994/4/17 -----BEGIN PGP SIGNED MESSAGE----- willing to go to great lengths to compromise your mail. Look at the amount of work that has been put into some of the virus programs that have found their way into various computer systems. Even when it doesn't involve money, some people are obsessed with breaking into systems. Just about week ago, I saw a posting on alt.security.pgp where the return address had been altered to say "president@whitehouse.gov". In this case, the content of the message showed that it was obviously fake, but what about some of those other not so obvious cases. ======== 4.16. Can I be forced to reveal my pass phrase in any legal proceedings? The following information applies only to citizens of the United States in U.S. Courts. The laws in other countries may vary. Please see the disclaimer at the top of part 1. There have been several threads on Internet concerning the question of whether or not the fifth amendment right about not being forced to give testimony against yourself can be applied to the subject of being forced to reveal your pass phrase. Not wanting to settle for the many conflicting opinions of armchair lawyers on usenet, I asked for input from individuals who were more qualified in the area. The results were somewhat mixed. There apparently has NOT been much case history to set precedence in this area. So if you find yourself in this situation, you should be prepared for a long and costly legal fight on the matter. Do you have the time and money for such a fight? Also remember that judges have great freedom in the use of "Contempt of Court". They might choose to lock you up until you decide to reveal the pass phrase and it could take your lawyer some time to get you out. (If only you just had a poor memory!) ======== 5. Message Signatures ======== 5.1. What is message signing? Let's imagine that you received a letter in the mail from someone you know named John Smith. How do you know that John was really the person who sent you the letter and that someone else simply forged his name? With PGP, it is possible to apply a digital signature to a message that is impossible to forge. If you already have a trusted copy of John's public encryption key, you can use it to check the signature on the message. It would be impossible for anybody but John to have created the signature, since he is the only person with access to the secret key necessary to create the signature. In addition, if anybody has tampered with an otherwise valid message, the digital signature will detect the fact. It protects the entire message. ======== 5.2. How do I sign a message while still leaving it readable? Sometimes you are not interested in keeping the contents of a message secret, you only want to make sure that nobody tampers with it, and to allow others to verify that the message is really from you. For this, you can use clear signing. Clear signing only works on text files, it will NOT work on binary files. The command format is: pgp -sat +clearsig=on <filename> The output file will contain your original unmodified text, along with section headers and an armored PGP signature. In this case, PGP is not required to read the file, only to verify the signature. ======== 6. Key Signatures ======== 6.1. What is key signing? OK, you just got a copy of John Smith's public encryption key. How do you know that the key really belongs to John Smith and not to some impostor? The answer to this is key signatures. They are similar to message signatures in that they can't be forged. Let's say that you don't know that you have John Smith's real key. But let's say that you DO have a trusted key from Joe Blow. Let's say that you trust Joe Blow and that he has added his signature to John Smith's key. By inference, you can now trust that you have a valid copy of John Smith's key. That is what key signing is all about. This chain of trust can be carried to several levels, such as A trusts B who trusts C who trusts D, therefore A can trust D. You have control in the PGP configuration file over exactly how many levels this chain of trust is allowed to proceed. Be careful about keys that are several levels removed from your immediate trust. ======== 6.2. How do I sign a key? - From the command prompt, execute the following command: PGP -ks [-u userid] <keyid> A signature will be appended to already existing on the specified key. Next, you should extract a copy of this updated key along with its signatures using the "-kxa" option. An armored text file will be created. Give this file to the owner of the key so that he may propagate the new signature to whomever he chooses. Be very careful with your secret keyring. Never be tempted to put a copy in somebody else's machine so you can sign their public key - they could have modified PGP to copy your secret key and grab your pass phrase. It is not considered proper to send his updated key to a key server yourself unless he has given you explicit permission to do so. After all, he may not wish to have his key appear on a public server. By the same token, you should expect that any key that you give out will probably find its way onto the public key servers, even if you really didn't want it there, since anyone having your public key can upload it. ======== 6.3. Should I sign my own key? Yes, you should sign each personal ID on your key. This will help to prevent anyone from placing a phony address in the ID field of the key and possibly having your mail diverted to them. Anyone changing a user id to your key will be unable to sign the entry, making it stand out like a sore thumb since all of the other entries are signed. Do this even if you are the only person signing your key. For example, my entry in the public key ring now appears as follows if you use the "-kvv" command: Type bits/keyID Date User ID pub 1024/90A9C9 1993/09/13 Gary Edstrom <gbe@netcom.com> sig 90A9C9 Gary Edstrom <gbe@netcom.com> Gary Edstrom <72677.564@compuserve.com> sig 90A9C9 Gary Edstrom <gbe@netcom.com> ======== 6.4. Should I sign X's key? Signing someone's key is your indication to the world that you believe that key to rightfully belong to that person, and that person is who he purports to be. Other people may rely on your signature to decide whether or not a key is valid, so you should not sign capriciously. Some countries require respected professionals such as doctors or engineers to endorse passport photographs as proof of identity for a passport application - you should consider signing someone's key in the same light. Alternatively, when you come to sign someone's key, ask yourself if you would be prepared to swear in a court of law as to that person's identity. ======== 6.5. How do I verify someone's identity? It all depends on how well you know them. Relatives, friends and colleagues are easy. People you meet at conventions or key-signing sessions require some proof like a driver's license or credit card. ======== 6.6. How do I know someone hasn't sent me a bogus key to sign? It is very easy for someone to generate a key with a false ID and send e-mail with fraudulent headers, or for a node which routes the e-mail to you to substitute a different key. Finger servers are harder to tamper with, but not impossible. The problem is that while public key exchange does not require a secure channel (eavesdropping is not a problem) it does require a tamper-proof channel (key-substitution is a problem). If it is a key from someone you know well and whose voice you recognize then it is sufficient to give them a phone call and have them read their key's fingerprint (obtained with PGP -kvc <userid>). If you don't know the person very well then the only recourse is to exchange keys face-to-face and ask for some proof of identity. Don't be tempted to put your public key disk in their machine so they can add their key - they could maliciously replace your key at the same time. If the user ID includes an e-mail address, verify that address by exchanging an agreed encrypted message before signing. Don't sign any user IDs on that key except those you have verified. ======== 7. Revoking a key ======== 7.1. My secret key ring has been stolen or lost, what do I do? Assuming that you selected a good solid random pass phrase to encrypt your secret key ring, you are probably still safe. It takes two parts to decrypt a message, the secret key ring, and its pass phrase. Assuming you have a backup copy of your secret key ring, you should generate a key revocation certificate and upload the revocation to one of the public key servers. Prior to uploading the revocation certificate, you might add a new ID to the old key that tells what your new key ID will be. If you don't have a backup copy of your secret key ring, then it will be impossible to create a revocation certificate under the present version of pgp. This is another good reason for keeping a backup copy of your secret key ring. ======== 7.2. I forgot my pass phrase. Can I create a key revocation certificate? YOU CAN'T, since the pass phrase is required to create the certificate! The way to avoid this dilemma is to create a key revocation certificate at the same time that you generate your key pair. Put the revocation certificate away in a safe place and you will have it available should the need arise. You need to be careful how you do this, however, or you will end up revoking the key pair that you just generated and a revocation can't be reversed. After you have generated your key pair initially, extract your key to an ASCII file using the -kxa option. Next, create a key revocation certificate and extract the revoked key to another ASCII file using the -kxa option again. Finally, delete the revoked key from your public key ring using the - kr option and put your non-revoked version back in the ring using the -ka option. Save the revocation certificate on a floppy so that you don't lose it if you crash your hard disk sometime. ======== 8. Public Key Servers ======== 8.1. What are the Public Key Servers? Public Key Servers exist for the purpose of making your public key available in a common database where everybody can have access to it for the purpose of encrypting messages to you. While a number of key servers exist, it is only necessary to send your key to one of them. The key server will take care of the job of sending your key to all other known servers. As of 1-Feb-94 there are about 3,088 keys on the key servers. ======== 8.2. What public key servers are available? The following is a list of all of the known public key servers active as of the publication date of this FAQ. I try to keep this list current by requesting keys from a different server every few days on a rotating basis. Any changes to this list should be posted to alt.security.pgp and a copy forwarded to me for inclusion in future releases of the alt.security.pgp FAQ. Changes: 17-Apr-94 Updated information on pgp-public-keys@io.com 17-Apr-94 Added ftp: alex.sp.cs.cmu.edu:/links/security/pubring.pgp 13-Apr-94 Sorted these modification dates from newest to oldest. 06-Mar-94 Added information on <sled@drebes.com> 05-Mar-94 Changed FTP status on pgp-public-keys@sw.oz.au from "Unknown" to "None". 05-Feb-94 Added pgp-public-keys@io.com plus note on finger server. 01-Feb-94 Verified that pgp-public-keys@kiae.su is still operational. 24-Jan-94 Added message announcing WWW access to public keyserver on martigny.ai.mit.edu 24-Jan-94 Verified the existance of pgp-public-keys@sw.oz.au and corrected its address. 21-Jan-94 Added pgp-public-keys@ext221.sra.co.jp to list. 20-Jan-94 Added pgp-public-keys@kub.nl to list. 17-Jan-94 Added pgp-public-keys@jpunix.com to key servers no longer operational. Internet sites: pgp-public-keys@demon.co.uk Mark Turner <mark@demon.co.uk> FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp Verified: 10-Apr-94 pgp-public-keys@fbihh.informatik.uni-hamburg.de Vesselin V. Bontchev <bontchev@fbihh.informatik.uni-hamburg.de> FTP: ftp.informatik.uni-hamburg.de:/pub/virus/misc/pubkring.pgp Verified: 10-Apr-94 public-key-server@martigny.ai.mit.edu Brian A. LaMacchia <public-key-server-request@martigny.ai.mit.edu> FTP: None Verified: 10-Apr-94 pgp-public-keys@pgp.ox.ac.uk Paul Leyland <pcl@ox.ac.uk> FTP: None Verified: 11-Apr-94 pgp-public-keys@dsi.unimi.it David Vincenzetti <vince@dsi.unimi.it> FTP: ghost.dsi.unimi.it:/pub/crypt/public-keys.pgp Verified: 10-Apr-94 pgp-public-keys@kub.nl Teun Nijssen <teun@kub.nl> FTP: None Verified: 10-Apr-94 pgp-public-keys@ext221.sra.co.jp Hironobu Suzuki <hironobu@sra.co.jp> FTP: None Verified: 11-Apr-94 pgp-public-keys@sw.oz.au Jeremy Fitzhardinge <jeremy@sw.oz.au> FTP: None Verified: 8-Mar-94 pgp-public-keys@io.com Sysop: pgpkeys@wasabi.io.com FTP: wasabi.io.com:/pub/pgpkeys NNNNNN.asc for individual keys KV pgp -kv listing KVV pgp -kvv listing KXA.asc full keyring (pgp -kxa listing) pgpkeys.tar.Z all the above (for other archive sites) (This site does *not* hold a binary keyring) Verified: 10-Apr-94 Server does not support "Last <n>" command finger <userid>@wasabi.io.com - Returns all names matching <userid> finger <keyid>@wasabi.io.com - Returns armored key matching <keyid> finger @wasabi.io.com - Returns help for finger server Note: site name may change at some time in the future: if wasabi.io.com doesn't exist, try pgp.io.com ... pgp-public-keys@kiae.su <blaster@rd.relcom.msk.su> FTP: Unknown Verified: 15-Apr-94 sled@drebes.com (See the message below on how to use this server) Public Key Ring also available from: ftp: alex.sp.cs.cmu.edu:/links/security/pubring.pgp The following key servers are no longer in operation: pgp-public-keys@junkbox.cc.iastate.edu pgp-public-keys@toxicwaste.mit.edu pgp-public-keys@phil.utmb.edu pgp-public-keys@pgp.iastate.edu pgp-public-keys@jpunix.com BBS sites: Unknown =============== From: bal@zurich.ai.mit.edu (Brian A. LaMacchia) Newsgroups: alt.security.pgp Subject: Announcing WWW access to public keyserver on martigny.ai.mit.edu Date: 22 Jan 94 00:19:37 Announcing a new way to access public keyservers... The public keyserver running on martigny.ai.mit.edu may now be accessed via a World Wide Web client with forms support (such as Mosaic). In your favorite WWW client, open the following URL to start: http://martigny.ai.mit.edu/~bal/pks-toplev.html Access to keys on the server is immediate. You can also submit new keys and/or signatures in ASCII-armored format to the server. New keys are processed every 10 minutes (along with server requests that arrive by e- mail). The martigny.ai.mit.edu keyserver currently syncs directly with these other keyservers: pgp-public-keys@demon.co.uk pgp-public-keys@pgp.ox.ac.uk pgp-public-keys@ext221.sra.co.jp pgp-public-keys@kub.nl NOTE! This service is experimental, and has limited options at present. I expect to be making changes to the server over the next few weeks to make it more useful. I would appreciate any bug reports, comments or suggestions you might have. --Brian LaMacchia bal@martigny.ai.mit.edu public-key-server-request@martigny.ai.mit.edu =============== Date: Sat, 5 Mar 1994 11:44:53 -0800 From: Stable Large Email Database <sled@drebes.com> To: gbe@netcom.com Subject: Sled Info ----------------------------------- SLED : Stable Large Email Database ----------------------------------- SLED is an attempt to provide a reasonable mechanism to maintain and search email addresses for individuals and companies that make up the on-line community. SLED is intended for those who have one or more mailboxes that are generally checked on a daily basis, and are addressable from the internet. --- What does it provide? --- I. Timely maintenance of current email address: Over a period of time a person may have many different email addresses, which come and go with the changing of jobs, internet providers, schools, and so on. Maintenance also means pruning the list for those who no longer interact on-line (and are perhaps dead). II. Realistic search parameters: Current email databases such as whois & netfind provide a search granularity that is useful only if you already know the person's email address. The data set is crafted by each individual user. It can contain entries for schools, occupations, research areas, nick names, and so on. See note below on how this data is kept private. III. Protection against the enemy: SLED is intended to provide a high quality data set which provides flexibility in searching, but yields protection against the enemies of large address books. The enemy can be one of the following. - Head Hunters/Body shops - Anonymous and Fake user accounts - Commercial Junk mailers IV. A repository for PGP public keys: SLED provides an alternative to the huge, very public "public key" rings on some of the foreign key servers. (If you don't know what PGP is, don't worry.) The public keys retrieved from SLED are signed by 'sled'. A key is signed by 'sled', after the check clears, an exchange of encrypted messages occurs, and fingerprints are compared. SLED uses ViaCrypt PGP. --- How? --- It costs a few $$, and it requires the use of snail mail ( USPS ) at least once. There are several reasons for charging a small (very small in this case) fee for this service. 1. Authoritative ID. For your data to be included in the database we require that you write a personal check. For the initial sign-up, we verify that the name on the check matches the name in the database. A signed check which clears the banking system provides very good authentication. A semantic note: we don't actually wait for the check to clear. We get the check, eyeball the data, update the computer and then send the check to the bank. If the check turns out to be bogus we go back and zap you. (So you see, there is a way to get a couple days of free time.) 2. By charging a small fee, we can help offset the cost of the resources used to maintain & back up the database. With the fee structure, no one will get rich or poor, but there is an increased likelihood that this database will be around for years. 3. By tacking on a few dollars to the initial fee, we hope to discourage people who would fail to maintain their data, and then drop out of the database, then re-join, then drop out, then re-join. 4. Every 5 months (or so), we email an invoice (typically for $5.00 US) for the next 5 months of service. This invoice must be printed and sent to us, with a check, via US mail. This procedure keeps all data reasonably current ( +/- 5 months), which is about as good as it's going to get for such a remote service. The point being, you can not just write a check for $50.00 and be covered for the next 4 years. If you have PGP, you will only be subjected to this procedure every 10 months, as verification can be accomplished via a signed email message. --- Well, how much does it cost? --- Fee to add your data to the database: $4.00 US Fee to maintain your data: $1.00 US / per month --- Trivia --- - The database is meant to be hold REAL names, no aliases, anonymous, or otherwise bogus id's. - In order to search the database, users must themselves exist in the database. - The dataset you enter for yourself can never viewed as a whole. You are encouraged to enter data for previous & current schools, occupations & other organizations/institutions, but a match on a single item will not reveal the others. For example, you used to work at AT&T, and now you work for IBM. If an old friend was trying to track you down, they might search on parts of your First and Last Name and AT&T. If you were found, it would only show your one line entry corresponding to AT&T. The point being that although your data might be read as a personal resume, it won't be shown that way. Of course that won't stop your nosy friend from sending you email asking where you are working now. - People keep asking why the database doesn't have fields for phone & address. No! That kind of data is too personal for a large database like this. If you want someone's address, send them email and ask for it. - The searching criteria make it really hard to use this database for something like head hunting or generating a junk mail list (this is by design). --- Interface --- The interface is via email. This allows the database to span all services (cis, prodigy, aol,...) which have gateways to the internet. Also, it allows each user to craft their data with their own editor, in a flexible time frame. Searching the database via email, while very functional, is a bit more kludgy than is desirable. A searcher accessible via telnet will probably not be put on-line, rather the next step will be a Mosaic searcher/browser. --- How To Start --- Send Mail to: - sled@drebes.com subject 'info' for a (this) text - sled@drebes.com subject 'add' to add yourself to SLED - sled@drebes.com subject 'change' to alter your data - sled@drebes.com subject 'search' to search the SLED - bugs@drebes.com To report a bug. - comments@drebes.com To send a comment that isn't quite a bug. --- The End --- =============== 8.3. What is the syntax of the key server commands? The remailer expects to see one of the following commands placed in the subject field. Note that only the ADD command uses the body of the message. - ------------------------------------------------------------- ADD Your PGP public key (key to add is body of msg) (-ka) INDEX List all PGP keys the server knows about (-kv) VERBOSE INDEX List all PGP keys, verbose format (-kvv) GET Get the whole public key ring (-kxa *) GET <userid> Get just that one key (-kxa <userid>) MGET <userid> Get all keys which match <userid> LAST <n> Get all keys uploaded during last <n> days - ------------------------------------------------------------- If you wish to get the entire key ring and have access to FTP, it would be a lot more efficient to use FTP rather than e-mail. Using e-mail, the entire key ring can generate a many part message, which you will have to reconstruct into a single file before adding it to your key ring. ======== 9. Bugs ======== 9.1 Where should I send bug reports? Post all of your bug reports concerning PGP to alt.security.pgp and forward a copy to me for possible inclusion in future releases of the FAQ. Please be aware that the authors of PGP might not acknowledge bug reports sent directly to them. Posting them on USENET will give them the widest possible distribution in the shortest amount of time. The following list of bugs is limited to version 2.2 and later. For bugs in earlier versions, refer to the documentation included with the program. ======== 9.2 Version 2.3 for DOS has a problem with clear signing messages. Anyone using version 2.3 for DOS should upgrade to version 2.3a. ======== 9.3 Version 2.2 for DOS has a problem of randomly corrupting memory, which can (and sometimes does) make DOS trash your hard disk. ======== 10. Related News Groups alt.privacy.clipper Clipper, Capstone, Skipjack, Key Escrow alt.security general security discussions alt.security.index index to alt.security alt.security.pgp discussion of PGP alt.security.ripem discussion of RIPEM alt.society.civil-liberty general civil liberties, including privacy comp.compression discussion of compression algorithms comp.org.eff.news News reports from EFF comp.org.eff.talk discussion of EFF related issues comp.patents discussion of S/W patents, including RSA comp.risks some mention of crypto and wiretapping comp.society.privacy general privacy issues comp.security.announce announcements of security holes misc.legal.computing software patents, copyrights, computer laws sci.crypt methods of data encryption/decryption sci.math general math discussion talk.politics.crypto general talk on crypto politics ======== 11. Recommended Reading ======== > The Code Breakers The Story of Secret Writing By David Kahn The MacMillan Publishing Company (1968) 866 Third Avenue, New York, NY 10022 Library of Congress Catalog Card Number: 63-16109 ISBN: 0-02-560460-0 This has been the unofficial standard reference book on the history of cryptography for the last 25 years. It covers the development of cryptography from ancient times, up to 1967. It is interesting to read about the cat and mouse games that governments have been playing with each other even to this day. I have been informed by Mats Lofkvist <d87- mal@nada.kth.se> that the book has been reissued since its original printing. He found out about it from the 'Baker & Taylor Books' database. I obtained my original edition from a used book store. It is quite exhaustive in its coverage with 1164 pages. When I was serving in the United States Navy in the early 1970's as a cryptographic repair technician, this book was considered contraband and not welcome around my work place, even though it was freely available at the local public library. This was apparently because it mentioned several of the pieces of secret cryptographic equipment that were then in use in the military. > The following list was taken from the PGP documentation: Dorothy Denning, "Cryptography and Data Security", Addison-Wesley, Reading, MA 1982 Dorothy Denning, "Protecting Public Keys and Signature Keys", IEEE Computer, Feb 1983 Martin E. Hellman, "The Mathematics of Public-Key Cryptography," Scientific American, Aug 1979 Steven Levy, "Crypto Rebels", WIRED, May/Jun 1993, page 54. (This is a "must- read" article on PGP and other related topics.) Ronald Rivest, "The MD5 Message Digest Algorithm", MIT Laboratory for Computer Science, 1991 Available from the net as RFC1321. ---------------- Also available at ghost.dsi.unimi.it and its mirror at nic.funet.fi:/pub/crypt/ghost.dsi.unimi.iti is: IDEA_chapter.3.ZIP, a postscript text from the IDEA designer about IDEA. Xuejia Lai, "On the Design and Security of Block Ciphers", Institute for Signal and Information Processing, ETH-Zentrum, Zurich, Switzerland, 1992 Xuejia Lai, James L. Massey, Sean Murphy, "Markov Ciphers and Differential Cryptanalysis", Advances in Cryptology- EUROCRYPT'91 Philip Zimmermann, "A Proposed Standard Format for RSA Cryptosystems", Advances in Computer Security, Vol III, edited by Rein Turn, Artech House, 1988 Bruce Schneier, "Applied Cryptography: Protocols, Algorithms, and Source Code in C", John Wiley & Sons, 1993 Paul Wallich, "Electronic Envelopes", Scientific American, Feb 1993, page 30. (This is an article on PGP) ======== 12. General Tips > Some BBS sysops may not permit you to place encrypted mail or files on their boards. Just because they have PGP in their file area, that doesn't necessarily mean they tolerate you uploading encrypted mail or files - so *do* check first. > Fido net mail is even more sensitive. You should only send encrypted net mail after checking that: a) Your sysop permits it. b) Your recipient's sysop permits it. c) The mail is routed through nodes whose sysops also permit it. > Get your public key signed by as many individuals as possible. It increases the chances of another person finding a path of trust from himself to you. > Don't sign someone's key just because someone else that you know has signed it. Confirm the identity of the individual yourself. Remember, you are putting your reputation on the line when you sign a key. ======================================================================== Appendix I - PGP add-ons and Related Programs ======================================================================== Much of this section was taken from an old FAQ supplied to me for the development of this list. This section will hopefully grow to contain a list of every utility that has been written. I would appreciate it if the authors of the various utilities could send me mail about their latest version, a description, if source code is available, and where to get it. I will then include the information in the next release of the FAQ. If you have a utility, but don't know how to make it widely available, send mail to David Vincenzetti <vince@dsi.unimi.it> who is crypto collection maintainer at ghost.dsi.unimi.it. That ftp-site is weekly mirrored at nic.funet.fi in area: /pub/crypt/ghost.dsi.unimi.it ======================================================================== > There are utilities in the source code for PGP. Get pgp23srcA.zip and unpack with 'pkunzip -d pgp23srcA.zip' to get them all come up nicely sorted in subdirectories. ======== Amiga ======== PGP Mail Integration Project ======== TITLE PGP Mail Integration Project VERSION Release 1 AUTHOR Peter Simons <simons@peti.GUN.de> DESCRIPTION Pretty Good(tm) Privacy (PGP), from Phil's Pretty Good Software, is a high security cryptographic software application for MSDOS, Unix, AmigaOS, and other computers. PGP allows people to exchange files or messages with privacy and authentication. All in all, PGP is a very useful and important program. However it is a little bit...uh... overkill for the average Joe Dow to install this rather complex package, just to encrypt his few e-mail, which are not so private anyway. PGP comes with dozens of options, switches and configuration possibilities, far too many to 'just install and run'. This has prevented many potential users from using PGP for their private mail. This is what the PGP Mail Integration Project wants to change. In our opinion man-kind should stay superior and leave the 'dirty-work' to the machines. :-)) Our idea was to integrate PGP, as far as possible, into common UUCP packages so the user needn't care starting about PGP himself. Outgoing or incoming mail should be en-/decrypted automatically and the software should do all the basics of controlling PGP. This archive contains the Amiga versions of PGPSendmail and PGPRMail, which incorperate public key encryption into the ordinary SLIP or UUCP setup. Full source in C and an AmigaGuide manual is included in the distribution. SPECIAL REQUIREMENTS none HOST NAME Any Aminet host, i.e. ftp.uni-kl.de (131.246.9.95). DIRECTORY /pub/aminet/comm/mail/ FILE NAMES PGPMIP.lha PGPMIP.readme DISTRIBUTABILITY GNU General Public License ======== PGPAmiga-FrontEnd ======== Date: Tue, 22 Feb 94 21:10:31 +0100 From: simons@peti.gun.de To: gbe@netcom.com Subject: PGPAmiga-FrontEnd available A beta version of PGPAmiga-FrontEnd is available via BMS from peti.GUN.de. If you can't bms, just contact me via email and I will send you an uuencoded copy. This program is a graphical front end, controlling PGPAmiga. You can de-/encrypt., sign and much more, using a comfortable GUI. ======== Archimedes ======== PGPwimp ======== From: Peter Gaunt Current Version: 0.12 Where Available: ftp.demon.co.uk:/pub/archimedes Information Updated: 21-Dec-93 A multi-tasking WIMP front-end for PGP (requires RISC OS 3). Operates on files - it has no hooks to allow integration with mailers/newsreaders. ======== RNscripts4PGP ======== From: pla@sktb.demon.co.uk (Paul L. Allen) Current Version: 1.1 Where Available: ftp.demon.co.uk:/pub/archimedes Information Updated: 12-Dec-93 A collection of scripts and a small BASIC program which integrate PGP with the ReadNews mailer/newsreader. Provides encryp, decrypt, sign signature- check, add key. ======== DOS / MS Windows ======== AutoPGP PGPSORT ======== From: Stale Schumacher <staalesc@ifi.uio.no> Date: Wed, 13 Apr 1994 12:51:57 +0200 To: gbe@netcom.com Subject: PGP utilities for FAQ Gary, I have a couple of PGP utilities that you may want to include in your FAQ: APGP20B5.ZIP: AutoPGP v2.0b5: Automatic QWK email encryption with PGP PGPSORT.ZIP : Utility to sort PGP public key rings (BP7 source included) Both programs are for MS-DOS, and will soon be available at most ftp sites that carry PGP. Note that AutoPGP is still in beta, and that I am interested in beta testers. I quote from the AutoPGP documentation: - ------------------------------------------------------------------------ AutoPGP 2.0b5 ============= Automatic e-mail encryption with PGP by Stale Schumacher (C) 1993, 1994 Felix Shareware Revised 1994/04/10 AutoPGP is a fully automatic e-mail encryption package for use with PGP 2.3a and an offline mail reader. It enables you to write encrypted messages and read decrypted messages from within your favourite QWK mail reader, using the highly secure and widely acclaimed Pretty Good Privacy software package by Philip Zimmermann - the new standard in public key encryption. AutoPGP combines the ease and comfort of reading and writing e-mail in an offliner with the security of public key encryption. You don't need any previous experience with PGP or any other encryption software, as AutoPGP will handle all interfacing with PGP automatically. If you are already familiar with the concepts of offline mail reading, you will soon get acquainted to AutoPGP, even if you have never used PGP before. Features of AutoPGP 2.0 include: * Full QWK support. You may use AutoPGP in conjunction with any offline mail reader which conforms to the QWK/REP packet specifications. AutoPGP also supports XBoard and Offliner, two popular Norwegian offline readers that use the PCBoard and MBBS grab formats rather than QWK. * Easy installation. An intuitive, easy-to-use installation program will configure AutoPGP correctly for the first-time user. The installation program will automatically detect many popular offline readers, and configure AutoPGP for use with these readers. It will also find the correct paths to PKZIP, ARJ and PGP, set DOS environment variables and update your AUTOEXEC.BAT file if necessary. * Automatic, seamless operation. When correctly set up, AutoPGP will automatically decrypt, encrypt and sign messages, verify signatures and add new public keys to your public key ring, all with a minimum of interaction from the user. * Advanced functions not found in any other PGP front-end utility. AutoPGP lets you: + encrypt and/or sign only part(s) of a message + insert your own or other users' public keys anywhere in a message + include PGP ASCII armoured files in a message + decrypt incoming messages + verify signatures on incoming messages + add new public keys found in incoming messages to your keyring + extract PGP ASCII armoured files from incoming messages + choose which public keys to use from an alphabetic list of userids + and much more! - ------------------------------------------------------------------------ I have also translated PGP into Norwegian. The Norwegian language module LANGUAGE.TXT will soon be available by ftp, or directly from me. I can be contacted at: email: staalesc@ifi.uio.no www : http://www.ifi.uio.no/~staalesc Best regards, Stale <staalesc@ifi.uio.no> ======== HPACK79 PGP-compatible archiver ======== 114243 Nov 20 07:08 garbo.uwasa.fi:/pc/arcers/hpack79.zip 146470 Dec 3 01:01 garbo.uwasa.fi:/pc/doc-soft/hpack79d.zip 511827 Dec 3 14:46 garbo.uwasa.fi:/pc/source/hpack79s.zip 667464 Dec 5 16:43 garbo.uwasa.fi:/unix/arcers/hpack79src.tar.Z Where hpack79.zip is the MSDOS executable, hpack79d.zip is the Postscript documentation, hpack79s.zip is the source code, and hpack79src.tar.Z is the source code again but in tar.Z format (note that the latter is a tiny bit more recent that hpack79s.zip and contains changes for the NeXT). There is a (rather primitive) Macintosh executable somewhere on garbo as well, possibly /mac/arcers/hpack79mac.cpt. OS/2 32-bit versions of HPACK is available for anonymous FTP from the UK. `ftp.demon.co.uk' [158.152.1.65] in ~/pub/ibmpc/pgp Note: The OS/2 executables of hpack at ftp.demon.co.uk are out of date, version 0.78. Current 0.79 executables are available at ftp.informatik.tu-muenchen.de in /pub/comp/os/os2/crypt/hpack79{os2,src}.zip. HPACK is also available from: pgut1@cs.aukuni.ac.nz p_gutmann@cs.aukuni.ac.nz gutmann_p@kosmos.wcc.govt.nz peterg@kcbbs.gen.nz peter@nacjack.gen.nz peter@phlarnschlorpht.nacjack.gen.nz (In order of preference - one of 'ems bound to work) ======== MENU.ZIP ======== Menushell for MSDOS. (Requires 4DOS or Norton's NDOS) You can customize the menu for your own preferences. The name 'MENU' violates file naming conventions on ftp-sites, so I guess it's hard to find this program somewhere else. Exists at ghost.dsi.unimi.it area: /pub/crypt/ (ask archie about 4DOS, a comand.com replacement) ======== OzPKE ======== Date: 05-Mar-94 08:48 PST From: Don Moe [72407,1054] Subj: Info about OzPKE for PGP/OzCIS. Gary, Recently I downloaded your PGPFAQ from EFFSIG on CompuServe and enjoyed reading it. As the author of a utility program, OzPKE, which links PGP with the OzCIS automated access program, I would like to inform you about my program. Here an exerpt from the documentation file: - ---------------- "This utility program, OzPKE, works in conjunction with Steve Sneed's automated CompuServe access program OzCIS (v2.0a) and ViaCrypt PGP program (v2.4) to assure secure communications via electronic mail. Alternative similar encryption programs are also supported. "The goal is to simplify public key encryption of outgoing and decryption of incoming messages and files passing through the CompuServe Information System. Both direct electronic mail and forum messages as well as file attachments are supported. OzPKE handles encryption of outgoing messages and files as well as decryption of incoming messages and received files. "Although the user could use whatever public-key encryption software he chooses, provided it supports command-line operation, the recommended program is ViaCrypt PGP system since OzPKE makes use of PGP's public keyring file and specific features of that program. "The program OzPKE contains no encryption or decryption algorithms or routines and relies entirely on the external encryption software to perform that task." - ---------------- OzPKE is available on EFFSIG lib 15 and OZCIS lib 7. Version 1.3 was just recently additionally uploaded EURFORUM lib 1. ======== PBBS (Scheduled for release summer 1994) ======== Public Bulletin Board System (PBBS) ver 1.0 is a privacy-oriented host BBS application designed with the "anonymous movement's" diverse needs in mind. PBBS is a compact application at 75K, allowing it to be run off of a floppy disk if desired, and requires no telecommunications experience to operate. Installation of PBBS takes about 2 minutes flat, and is easy to set up and maintain. Don't let the size fool you however, it packs a powerful set of Zmodem, Ymodem, and Xmodem assembly-language protocols, supports speeds up to 57,600 bps, door support, full ANSI-emulation, and many more features! Public BBS is an eclectic and powerful BBS and also the first bulletin board system designed to work with Pretty Good Privacy (PGP), the public-key encryption program. A unique Post Office within PBBS allows users to send each other private "postcards" or to upload and download PGP-encrypted messages to other user's mail boxes. PBBS also contains a comprehensive public message base with "anonymous" read, write, and reply options. PBBS has a built in emergency self-destruct sequence for the sysop that desires an extra level of security. The ESD option will completely shred all PBBS- related files on disk, assuring the sysop that his or her BBS will not be compromised in any way. Look for Public BBS to be released on all Internet sites and FidoNet BBS's as PBBS10.ZIP. PBBS will change the face of cyber- fringe telecommunications forever! Questions or comments please e-mail James Still at <still@kailua.colorado.edu>. ======== PGP-Front ======== From: Walter H. van Holst <121233@pc-lab.fbk.eur.nl> Current Version: Where Available: ghost.dsi.unimi.it:/pub/crypt nic.funet.fi:/pub/crypt Information Updated: 09-Jan-94 "PGP-Front is an interactive shell for Phill Zimmerman's Pretty Good Privacy and is available since November 1993 on some of the biggest FTP-sites. It features an easy to use interface for those who don't want to learn all PGP flags by heart but still want to make use of its versatility. The most used options of PGP are supported, including most key-management options. An improved version is under development and will feature support for some of the advanced options of PGP and a lot of extra configuration options for PGP- Front itself. System requirements for this beta-version: - - 80286 or better (will be lifted in version 1.00) - - MS/PC-DOS 3.11 or better - - Enough memory to run PGP plus an extra 512 bytes for PGP-Front, thanks to Ralph Brown. Any feedback on this project will be appreciated, Walter H. van Holst <121233@pc-lab.fbk.eur.nl>" ======== PGP-NG.ZIP ======== At nic.funet.fi; /pub/crypt/pgp-ng.zip. A norton Guide database for PGP ver 2.0. Easy to find info for programmers about all the functions in the source code, and users can more easily find their subject. Is any update for the current version planned? Ask archie about the 2 Norton guide clones that are out on the net. ======== PGPSHELL ======== Date: 12-Jan-94 From: James Still <still@kailua.colorado.edu> Subject: PGPShell Version 3.0 - -------------------------------------------------------------------- FOR IMMEDIATE RELEASE - -------------------------------------------------------------------- PGPSHELL VERSION 3.0 PROGRAM RELEASE PGPShell, a front-end DOS program for use with Philip Zimmermann's Pretty Good Privacy (PGP) public-key encryption software, has just been upgraded and released as version 3.0. PGPShell incorporates easy to use, mouse-driven menus and a unique Key Management Screen to easily display all public key ring information in -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLbHXHkHZYsvlkKnJAQE1ZgP7BH7zYdMn2RNW8XLS5amusGoUbCE7M8yP 9tZ9EIS7VplEHJAluM+DYkReY5vmtBL0/bXiw8EOmk/IMK/NIqXJ9BfQOyWrYCCS X0KZ/sdO2iq8P3gQJ2qpUrqIwlSwosT4fh7gnUFNrDpZhIZR6hSpDmS5ouiIddNV 9KRJYTjmrxk= =gICo -----END PGP SIGNATURE-----