De facto standards: PGP
Recently, the use of the program called Pretty Good Privacy (PGP) by
Paul Zimmermann has exploded in the academic community.
The key features of this program are:
- Users are identified with their public keys. For most purposes,
the public key is identified by its lower 32 or 64 bits.
- Anyone can certify anyone else; what they seem to certify is
the association between a public key and a name string chosen
by the user; usually this string contains the user's name and
E-mail address.
- The culture around PGP has been that one must verify the
"fingerprint", an MD5 hash, of a key while talking to that
person (over the phone or face to face) before signing a
key/name pair.
- An ad hoc and constantly changing infrastructure has been built
up to allow people to look up other people's keys, with all
releveant certificates, using a variety of tools including FTP,
E-mail and the World Wide Web.
PGP is not a standard sanctioned by anybody; it is solely and only the
creation of Phil Zimmermann and the people who have worked with him;
it is a standard defined by its implementation.
The software is available legally as freeware in the whole world, for
personal, non-commercial use.
There is a web of patent issues
around the RSA algorithm (patented in the US, aggressive policing) and
the IDEA algorithm (patended worldwide, reasonably sane policing); US
and Canada citizens can get a commercial version with all the licenses
paid for from ViaCrypt; users outside the US and Canada cannot,
because PGP cannot be legally exported from the US.
The algorithms used in PGP are IDEA (a Swiss algorithm with an 128-bit
key) for symmetric encryption, with DES as an option, and RSA for the
public key encryption.
Harald.T.Alvestrand@uninett.no
Last modified: Fri Nov 3 10:40:36 1995