De facto standards: PGP

Recently, the use of the program called Pretty Good Privacy (PGP) by Paul Zimmermann has exploded in the academic community.

The key features of this program are:

Users are identified with their public keys. For most purposes, the public key is identified by its lower 32 or 64 bits.
Anyone can certify anyone else; what they seem to certify is the association between a public key and a name string chosen by the user; usually this string contains the user's name and E-mail address.
The culture around PGP has been that one must verify the "fingerprint", an MD5 hash, of a key while talking to that person (over the phone or face to face) before signing a key/name pair.
An ad hoc and constantly changing infrastructure has been built up to allow people to look up other people's keys, with all releveant certificates, using a variety of tools including FTP, E-mail and the World Wide Web.

PGP is not a standard sanctioned by anybody; it is solely and only the creation of Phil Zimmermann and the people who have worked with him; it is a standard defined by its implementation.

The software is available legally as freeware in the whole world, for personal, non-commercial use.
There is a web of patent issues around the RSA algorithm (patented in the US, aggressive policing) and the IDEA algorithm (patended worldwide, reasonably sane policing); US and Canada citizens can get a commercial version with all the licenses paid for from ViaCrypt; users outside the US and Canada cannot, because PGP cannot be legally exported from the US.

The algorithms used in PGP are IDEA (a Swiss algorithm with an 128-bit key) for symmetric encryption, with DES as an option, and RSA for the public key encryption.

Harald.T.Alvestrand@uninett.no

Last modified: Fri Nov 3 10:40:36 1995