Using GPG in the US

Jimmy Kaplowitz jkaplowitz at
Mon Nov 23 17:06:31 CET 1998

Thanks, Brian, and everyone else who responded to my questions. (I guess
that would be you, Casey :) The replies were very helpful. One further
question, though. What are the RSA and IDEA plugins, why can't I legally
use them in the US, and is there some legal way to get that
functionality with GPG in the US?

Again, thank you all so very much.

- Jimmy Kaplowitz
  jkaplowitz at

brian moore wrote:
> On Sun, Nov 22, 1998 at 09:51:47PM -0500, Jimmy Kaplowitz wrote:
> > I have a few questions. I tried to answer them for myself by checking
> > the archives and the PGP5-GPG HOWTO, but if they were answered there, it
> > wasn't clear to me. So if I'm asking a really common question, please
> > put up with me.
> Okey.
> > 1) Is it legal for me to use GPG in the US? I would think so, but all
> > the download servers are outside of the US, and I am not sure if I am
> > allowed to download from one of those. If it is legal to use GPG in the
> > US, from where can I legally download it?
> Yes, you can use it (just not the RSA and IDEA plugins) in the US.
> There are several problems that PGP has faced over the years:
>    1) Patented code in the RSA and IDEA algorithms.  Fortunately, last
>       year Diffie-Hellman expired and the ElGamal variation on it has
>       no patent claims.  There is a (non-credible, IMHO) claim that
>       the Digital Signature Standard is patented, but NIST says its
>       not and that it's freely available.  Since PGP5 moved to (mostly)
>       Elgamal and CAST5 the patent issue is moot.
>    2) Export laws.  Can't have the badguys like Werner having crypto, so
>       you can't export it.  (Unless it's on paper....)  That's why the
>       real work is not done in the US.  You can -import- it all you
>       want, just tell your friends abroad to get it themselves instead
>       of sending them a copy.
> Because of the export laws, no one in the US will put it up for FTP
> (where bad guys can get it).  So ftp it from Germany or the UK or
> wherever.  This keeps GPG free of both points above.
> > 2) Is there any way I can exchange encrypted messages with PGP users
> > without installing PGP myself to retrieve keys and fingerprints, and to
> > prepare them for import into gpg?
> Yep.  The only thing I use PGP for is compatibility testing.  The
> current release works quite well in getting along with PGP5.
> I use this script to grab keys:
> #!/bin/sh
> #
> # gpget -- fetch the key listed on the command line
> /usr/bin/GET\?op=get\&exact=on\&search=$1 | gpg --import
> (Okay, so it's stupid, but I couldn't make aliases do it right....)
> You may need to replace GET with 'lynx -dump' or some other web fetcher.
> GET comes with the Perl LWP module.  And, yep, that's grabbing keys from
> a PGP5 server.
> Using Mutt, PGP/GPG stuff is automatic.   My only problem is that Mutt
> doesn't let me use 'encryptself' so I can't read what I send unless I cc
> myself, but I may hack a patch for that.
> --
> Brian Moore                       | "The Zen nature of a spammer resembles
>       Sysadmin, C/Perl Hacker     |  a cockroach, except that the cockroach
>       Usenet Vandal               |  is higher up on the evolutionary chain."
>       Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster

More information about the Gnupg-devel mailing list