Using GPG in the US

brian moore bem at cmc.net
Sun Nov 22 19:55:27 CET 1998


On Sun, Nov 22, 1998 at 09:51:47PM -0500, Jimmy Kaplowitz wrote:
> I have a few questions. I tried to answer them for myself by checking
> the archives and the PGP5-GPG HOWTO, but if they were answered there, it
> wasn't clear to me. So if I'm asking a really common question, please
> put up with me.

Okey.

> 1) Is it legal for me to use GPG in the US? I would think so, but all
> the download servers are outside of the US, and I am not sure if I am
> allowed to download from one of those. If it is legal to use GPG in the
> US, from where can I legally download it?

Yes, you can use it (just not the RSA and IDEA plugins) in the US.
There are several problems that PGP has faced over the years:
   1) Patented code in the RSA and IDEA algorithms.  Fortunately, last
      year Diffie-Hellman expired and the ElGamal variation on it has
      no patent claims.  There is a (non-credible, IMHO) claim that
      the Digital Signature Standard is patented, but NIST says its
      not and that it's freely available.  Since PGP5 moved to (mostly)
      Elgamal and CAST5 the patent issue is moot.
   2) Export laws.  Can't have the badguys like Werner having crypto, so
      you can't export it.  (Unless it's on paper....)  That's why the
      real work is not done in the US.  You can -import- it all you
      want, just tell your friends abroad to get it themselves instead
      of sending them a copy.

Because of the export laws, no one in the US will put it up for FTP
(where bad guys can get it).  So ftp it from Germany or the UK or
wherever.  This keeps GPG free of both points above.

> 2) Is there any way I can exchange encrypted messages with PGP users
> without installing PGP myself to retrieve keys and fingerprints, and to
> prepare them for import into gpg?

Yep.  The only thing I use PGP for is compatibility testing.  The
current release works quite well in getting along with PGP5.

I use this script to grab keys:
#!/bin/sh
#
# gpget -- fetch the key listed on the command line

/usr/bin/GET http://pgpkeys.mit.edu:11371/pks/lookup\?op=get\&exact=on\&search=$1 | gpg --import

(Okay, so it's stupid, but I couldn't make aliases do it right....)

You may need to replace GET with 'lynx -dump' or some other web fetcher.
GET comes with the Perl LWP module.  And, yep, that's grabbing keys from
a PGP5 server.

Using Mutt, PGP/GPG stuff is automatic.   My only problem is that Mutt
doesn't let me use 'encryptself' so I can't read what I send unless I cc
myself, but I may hack a patch for that.

-- 
Brian Moore                       | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker     |  a cockroach, except that the cockroach
      Usenet Vandal               |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster




More information about the Gnupg-devel mailing list