by Greg Rose

Greg, a member of the USENIX Board of Directors, manages the PGP key signing service for USENIX. He also runs QUALCOMM's Australian development office. He has been involved with the use and development of UNIX since 1974.
Everything You Probably Didn't Want to Know About PGP at the Moment

Since I last wrote in detail about PGP for this magazine, lots of things have changed. One of them is that USENIX has about 20% more members than it did, so if some of you oldies can bear with me, I'm going to recap a little history and overview material before getting into the new news.

There is a publicly and internationally available privacy program called PGP (Pretty Good Privacy). PGP uses public key cryptographic techniques to allow messages to be exchanged between people across public networks while both protecting the privacy of the contents and guaranteeing the authenticity of the sender.

One of the major problems currently confronting the electronic commerce world is how to guarantee the authenticity of a transaction. Cryptographically, this is easy: just use digital signatures. In the real world, though, the answer is not so simple. A signature only proves that whoever holds the private key signed the message; binding that key to a name is a separate problem. How do you know that the cryptographic key you are using belongs to the entity (person, company, computer) you would like to think it belongs to? Or how do you send a secret message to someone when you are not sure that the key isn't his evil twin's?

One answer to the problem is to have trusted parties who introduce other parties to you. This is what the PGP documentation calls the "Web of Trust." It is a web because each party in it can introduce other parties whom you may or may not already know. Using a telephone analogy, you would say secret things on the phone only if someone you trust had given you the telephone number, not if you had just looked it up in the phone book.

Another answer to the problem is to have Certification Authorities, forming a hierarchical structure. When you get a public key, you would also get a list of certificates. For example, J. Smith's public key might come with a certificate from Widgets Inc. stating that he works for them. In turn, Widgets Inc. would need a certificate from someone stating that it is a Delaware corporation.
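The Web of Trust rule sketched above, as an added example that is not part of the original article and does not use PGP's own key or packet formats: a small Go program in which introducers sign a (name, key) binding with Ed25519 from the standard library, and a keyring decides whether a key is valid using PGP's classic rule: the key is our own, or it carries a good certification from one fully trusted introducer or from two marginally trusted ones, and an introducer's own key must already be valid before its word counts. The names, trust assignments, the hash used as the certification message, and the "evil twin" key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// OwnerTrust is how far we trust a key's owner as an introducer of other keys.
type OwnerTrust int
const (
	TrustNone     OwnerTrust = iota // not an introducer at all
	TrustMarginal                   // known, but we want a second opinion
	TrustFull                       // their word alone is enough
	TrustUltimate                   // our own key
)

// Key binds a user ID to a public key; Cert is an introducer's signature over that binding.
type Key struct{ UserID string; Pub ed25519.PublicKey; Certs []Cert }
type Cert struct{ Signer *Key; Sig []byte }
// certMessage is what an introducer signs (a stand-in for PGP's certification packet).
func certMessage(k *Key) []byte {
	sum := sha256.Sum256(append(append([]byte(k.UserID), 0), k.Pub...))
	return sum[:]
}
func NewKey(userID string) (*Key, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Key{UserID: userID, Pub: pub}, priv
}

// Certify records that signer vouches for target's name/key binding.
func Certify(signer *Key, signerPriv ed25519.PrivateKey, target *Key) {
	sig := ed25519.Sign(signerPriv, certMessage(target))
	target.Certs = append(target.Certs, Cert{Signer: signer, Sig: sig})
}

// Keyring is one user's view: which keys they trust as introducers, and how much.
type Keyring struct{ Trust map[*Key]OwnerTrust }
// Valid reports whether we believe k belongs to k.UserID: it is our own key, or carries a good
// certification from one fully trusted valid key or two marginally trusted valid keys.
func (r *Keyring) Valid(k *Key) bool { return r.valid(k, map[*Key]bool{}) }

func (r *Keyring) valid(k *Key, onPath map[*Key]bool) bool {
	if r.Trust[k] == TrustUltimate || onPath[k] { // our own key, or a certification cycle
		return r.Trust[k] == TrustUltimate
	}
	onPath[k] = true
	defer delete(onPath, k)
	marginal := 0
	for _, c := range k.Certs {
		if !ed25519.Verify(c.Signer.Pub, certMessage(k), c.Sig) {
			continue // forged or corrupted certification counts for nothing
		}
		if !r.valid(c.Signer, onPath) {
			continue // we do not know the introducer's own key is genuine
		}
		if r.Trust[c.Signer] >= TrustFull {
			return true
		}
		if r.Trust[c.Signer] == TrustMarginal {
			marginal++
		}
	}
	return marginal >= 2
}

// Scenario builds a small web of trust as seen by Alice; every name and key is constructed.
func Scenario() map[string]bool {
	alice, alicePriv := NewKey("Alice")
	bob, bobPriv := NewKey("Bob")
	carol, carolPriv := NewKey("Carol")
	frank, frankPriv := NewKey("Frank")
	dave, _ := NewKey("Dave")
	erin, _ := NewKey("Erin")
	gus, _ := NewKey("Gus")
	twin, twinPriv := NewKey("Dave") // the evil twin: same name, different key
	for _, k := range []*Key{bob, carol, frank} { // Alice checked these in person
		Certify(alice, alicePriv, k)
	}
	Certify(bob, bobPriv, dave)     // Bob alone introduces Dave
	Certify(carol, carolPriv, erin) // Carol and Frank both introduce Erin
	Certify(frank, frankPriv, erin)
	Certify(carol, carolPriv, gus) // only Carol vouches for Gus
	// The twin's certification names Bob as signer but was made with the twin's key.
	twin.Certs = append(twin.Certs, Cert{Signer: bob, Sig: ed25519.Sign(twinPriv, certMessage(twin))})
	ring := &Keyring{Trust: map[*Key]OwnerTrust{
		alice: TrustUltimate, bob: TrustFull, carol: TrustMarginal, frank: TrustMarginal}}
	return map[string]bool{
		"dave": ring.Valid(dave), // true: one fully trusted introducer
		"erin": ring.Valid(erin), // true: two marginally trusted introducers
		"gus":  ring.Valid(gus),  // false: one marginal introducer is not enough
		"twin": ring.Valid(twin), // false: forged certification
	}
}

func main() { fmt.Println(Scenario()) }
```

The policy lives in Alice's keyring, not in the keys: the same certifications evaluated by someone who gives Bob only marginal trust would leave Dave unvalidated. The hierarchical model from the same paragraph is this evaluation in the special case where each link of the chain (Widgets Inc., and whoever vouches for Widgets) is given full trust, so one chain of certifications suffices. The thresholds used here (one full or two marginal introducers) are the classic PGP defaults; the real program lets you tune them.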
(Trust management and public key infrastructures are the subject of an upcoming USENIX workshop or stream and are hot research topics at the moment.)

USENIX runs a service at conferences in which members can present identification while at the conference and subsequently have their PGP keys signed by USENIX, effectively "introducing" them to other PGP users. This service has been running for about 20 months now, and it has had some ups and downs, but generally it seems to provide a useful function. To find out more about the service, see <www.usenix.org/pgp/pgpintro.html>.

When we started doing this, Phil Zimmermann, the principal author of PGP, was under the cloud of a criminal investigation (and possible indictment) by the US Government for making PGP available in such a way that it was exported (by someone else, unknown) in contravention of government regulations. Events since then have moved quickly. First, the investigation was dropped without charges. Phil formed a company, PGP Inc., to try to recoup some of his devastating losses from previous years. In a funny sort of reverse buyout, PGP Inc. and Viacrypt, which had been marketing PGP commercially with a license to use the RSA public key encryption algorithms, merged. Recently, as PGP momentum gained, PGP Inc. and McAfee (antivirus software) merged to form Network Associates. Phil appears to have recovered his losses.

When we started doing this, there was one kind of PGP (2.6 was its approximate number), which supported one kind of public key, based on the RSA (Rivest, Shamir, and Adleman) cryptosystem. Aye, them were the days. There was an effort going on to expand and extend PGP to support better user interfaces, more algorithms, a programming interface, and so on; this was going to be version 3.0. But like a lot of ambitious upgrades, it was a long time coming. In the meantime, Viacrypt had a new business product and needed a number. It couldn't use 3.0 because the 3.0 development was well known, so it used 4.0.
Then, after the merger, when the 3.0 functionality largely became available, it didn't make sense to call it 3.0, so it was called 5.0 instead. But much of it is what was projected two years ago. I'm going to say "old" and "new" a lot, and I hope you'll understand what I mean. (Warning and disclaimer: I'm trying to be as factual as I can while summarizing history. However, at times my opinion will also come through, and I want to stress that it is my very own opinion, not that of USENIX, the editor, or the Board of Directors.)

It is to be expected that when you introduce new algorithms and data formats, there will be some compatibility issues. Most companies try to minimize them. (Don't take me wrong: I think PGP Inc. tried to minimize them, too. Its "issues" were, perhaps, different from ours, though. The main issue was owing royalties to its biggest competitor for giving away a free product.)

The new (PGP 5-based) products now support a number of algorithms, but most visibly, there is a different kind of public key, based on the Diffie-Hellman (strictly, ElGamal; I don't want to go into that) cryptosystem for encryption and the Digital Signature Standard (DSA) for authentication. These have the major benefit that they are (now) unencumbered by intellectual property, whereas the patent on RSA doesn't run out until 2000. So there is now a version of PGP that uses the new "free" keys. It would seem to be in everyone's best interests to use it. But, of course, the new keys are not understood by the old version. Here is where the complications set in, with a vengeance. The new free version of PGP can't use the old keys either, because they aren't "free." Actually, it can, but only if you get the program from MIT, which has a license to give away RSA for noncommercial purposes (or if you are overseas, but I'll come back to that).
In particular, if you get a free version from PGP Inc., or anyone else, you don't get to use old keys, at least not all the time, for some meaning of the word "time" that is difficult to explain.

Another complication comes from the platform you are using. In those old days (two years ago), you had one command-line interface no matter what you were running. It was pretty hokey, so people disguised it a lot, but it was there. Now you have a new UNIX command-line interface, with two separate programs and four names for invoking them (five if you count the backward-compatible one, which just tells you it isn't implemented yet), and all the other ones take arguments almost completely incompatible with the old one. There's no command-line interface at all for Windows and Macs, though. Who needs one (besides me, that is)?

Another complication comes from geopolitical boundaries. The old PGP was illegally exported from the United States by someone unknown (or "some-many," as new versions were generally exported within hours of becoming available), but it wasn't at all illegal for someone outside the US to use the exported version. So PGP became widespread around the world. When the new version was about to be released, PGP Inc. took advantage of a loophole to export it legally. (There's a long story about that loophole. Phil Karn <http://people.qualcomm.com/karn> applied for an export license for the book Applied Cryptography by Bruce Schneier, which was granted, although the book was already on sale around the world at the time. He then applied for an export license for the accompanying diskettes with source code, which was denied. He then started to sue the government. When the applicable regulations were changed from the International Traffic in Arms Regulations [State Department] to the Export Administration Regulations [Commerce Department], published books and papers became explicitly exempted.
This appears to be intended to derail Karn's case, or perhaps it is an admission that it was silly in the first place. So to export PGP legally, PGP Inc. published it in book form, in a scannable font, with checksums on every page, and gave away copies that [surprise] were scanned in, in Europe! See <http://www.pgpi.com/>, where the "i" means "International," not "Inc.")

As I write this, the Windows version has just been scanned in and is available, but until now only the UNIX beta version has been. But the beta was incompatible with the released version in the US in a number of nontrivial ways. And the freely available versions in the US were only for the Windows and Macintosh platforms, not UNIX. For intellectual property reasons (not export laws), you cannot run the international version in the US. So there were more incompatibilities: the international versions support both kinds of keys, but the US ones don't unless you pay for them.

And then came Eudora. I need another disclaimer. I work for QUALCOMM, but these are not statements for, against, or on behalf of the company, which gives away or sells Eudora. These are still my personal comments. Eudora is tightly integrated with PGP, using a plugin interface. When you get the free Eudora, you can get free PGP with it (but without RSA support). Alternatively, you can upgrade it to support RSA keys for $5. (Note that this is the cheapest way, in the US, to get full crypto functionality with PGP, although I don't think you get all of the noncrypto features.) So, generally speaking, Eudora users (and there are a lot of them) can use PGP easily, but only with the new keys. It's really easy to use. When you install the plugin, it walks you through making a key, and it can communicate automatically with key servers and so on. Many of these users don't understand the issues the USENIX PGP Key Signing Service was intended to address and generally can't interact with the older, more knowledgeable PGP users anyway.
The large influx of less "sophisticated" users, less likely to go to Cypherpunks meetings or key signing parties, made us feel it was important to upgrade the USENIX PGP Key Signing Service to support the new keys. This was not a trivial matter, due to the aforementioned incompatibilities (and the not-aforementioned but nevertheless plentiful bugs). This is a good place to apologize for the delays in getting the service back up and running. But it is done now. Either type of key can be signed; the query engine supports and returns both kinds. In addition to the RSA master and signature keys, there are both kinds of communication keys. Fingerprints for all these keys appear with the contact information for USENIX somewhere in every issue; compare a key's fingerprint against that printed copy before you rely on a USENIX signature, because a key server will hand out whatever anyone has uploaded under our name.

There is also an end in sight. PGP/MIME is now on the standards track at the IETF, and there are commercial certification authorities starting to serve PGP keys. We estimate that within a couple of years there will be no need for the USENIX PGP Key Signing Service. We hope that it has been useful and will continue to be so for a while yet.
First posted: 13th April 1998 (efc). Last changed: 13th April 1998 (efc).