Using GPG in the US
jkaplowitz at softhome.net
Mon Nov 23 17:06:31 CET 1998
Thanks, Brian, and everyone else who responded to my questions. (I guess
that would be you, Casey :) The replies were very helpful. One further
question, though. What are the RSA and IDEA plugins, why can't I legally
use them in the US, and is there some legal way to get that
functionality with GPG in the US?
Again, thank you all so very much.
- Jimmy Kaplowitz
jkaplowitz at softhome.net
brian moore wrote:
> On Sun, Nov 22, 1998 at 09:51:47PM -0500, Jimmy Kaplowitz wrote:
> > I have a few questions. I tried to answer them for myself by checking
> > the archives and the PGP5-GPG HOWTO, but if they were answered there, it
> > wasn't clear to me. So if I'm asking a really common question, please
> > put up with me.
> > 1) Is it legal for me to use GPG in the US? I would think so, but all
> > the download servers are outside of the US, and I am not sure if I am
> > allowed to download from one of those. If it is legal to use GPG in the
> > US, from where can I legally download it?
> Yes, you can use it (just not the RSA and IDEA plugins) in the US.
> There are several problems that PGP has faced over the years:
> 1) Patented code in the RSA and IDEA algorithms. Fortunately, last
> year Diffie-Hellman expired and the ElGamal variation on it has
> no patent claims. There is a (non-credible, IMHO) claim that
> the Digital Signature Standard is patented, but NIST says its
> not and that it's freely available. Since PGP5 moved to (mostly)
> Elgamal and CAST5 the patent issue is moot.
> 2) Export laws. Can't have the badguys like Werner having crypto, so
> you can't export it. (Unless it's on paper....) That's why the
> real work is not done in the US. You can -import- it all you
> want, just tell your friends abroad to get it themselves instead
> of sending them a copy.
> Because of the export laws, no one in the US will put it up for FTP
> (where bad guys can get it). So ftp it from Germany or the UK or
> wherever. This keeps GPG free of both points above.
> > 2) Is there any way I can exchange encrypted messages with PGP users
> > without installing PGP myself to retrieve keys and fingerprints, and to
> > prepare them for import into gpg?
> Yep. The only thing I use PGP for is compatibility testing. The
> current release works quite well in getting along with PGP5.
> I use this script to grab keys:
> # gpget -- fetch the key listed on the command line
> /usr/bin/GET http://pgpkeys.mit.edu:11371/pks/lookup\?op=get\&exact=on\&search=$1 | gpg --import
> (Okay, so it's stupid, but I couldn't make aliases do it right....)
> You may need to replace GET with 'lynx -dump' or some other web fetcher.
> GET comes with the Perl LWP module. And, yep, that's grabbing keys from
> a PGP5 server.
> Using Mutt, PGP/GPG stuff is automatic. My only problem is that Mutt
> doesn't let me use 'encryptself' so I can't read what I send unless I cc
> myself, but I may hack a patch for that.
> Brian Moore | "The Zen nature of a spammer resembles
> Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
> Usenet Vandal | is higher up on the evolutionary chain."
> Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
More information about the Gnupg-devel