NGO Security Team
Frequently Asked Questions (FAQ)
This is Step One in
the process of getting help for your OpenPGP encryption software,
including PGP.com's commercial PGP, PGPi, PGP Freeware, and Gnu Privacy
Guard (GPG).
Please read through this short FAQ (Frequently Asked Questions) document,
and then click the "boots" at the bottom to head for Step Two.
Thanks for visiting! We hope we can help you...
PGP/GPG NGO Security Team Mini-FAQ Contents:
What is PGP/GPG?

PGP is perhaps the oldest and most popular of all personal security software
programs on the Internet. PGP exists in several versions, some free and some
commercial.
PGP helps you (1) maintain your privacy (by encrypting your email or
files so that only you or your designated recipient can read them) and
(2) authenticate yourself to others (by making digital signatures
to prove you wrote a particular piece of email or created a specific
document). PGP (and GPG) should not be confused with OpenPGP, which is not
a piece of software, but rather a standards specification that guides the development
of PGP, GPG and other OpenPGP-compliant applications so that they are (mostly)
interoperable.
What does "PGP" stand for?

"PGP" is an acronym for "Pretty Good Privacy." "GPG", the Gnu Project's
free and open-source implementation of the OpenPGP specifications that PGP applications
are based on, stands for "Gnu Privacy Guard".
In another way, "PGP" also stands for the international, borderless, apolitical
human right to freedom of speech, challenging oppressors everywhere to back
down in the face of an active, connected democratic citizenry.
PGP 2.0 and higher (including PGPi and GPG) have been developed and improved internationally
by many volunteer privacy activists since v1.0 was
first developed by Philip Zimmermann in 1991. A US company
now owns the registered trademark "PGP" and develops commercial versions and related
software for big companies or people who don't mind paying
for technical support. Following the longstanding PGP tradition,
they also release the full source code for review so that PGP can
be trusted and they release freeware versions of the commercial PGP
software for which they do not offer technical support (the freeware
may also lack some business-oriented features). PGP.com is not responsible
for development of GPG and various other OpenPGP-compliant applications.
What is the PGP Freeware NGO Security Team?

The PGP Freeware NGO Security Team's volunteers help US and Canadian
citizens who are having difficulty using the PGP freeware for non-commercial,
personal or academic purposes (as per the freeware license). In plain
language, if you don't make money with the information you're
using PGP to protect, you're allowed to use the freeware and you're
eligible to ask us for freeware support. Examples include: sending private
(i.e. not job-related) email to your friends or sending personal
information securely while purchasing things on the Internet (not
to be confused with secure web-browsers that use SSL/Secure Socket Layer).
Besides the fact(s) that we're all Pretty Nice People, and we collectively
know a lot about PGP and we try hard not to make people feel dumb for
asking questions about a very "deep" topic (cryptography), there
are two nice things about the NGO Security Team:
- It's FREE! (However, if you have the commercial
version of PGP you should make use of PGP.com's technical support first.
After all you've paid for it, and our resources are limited.)
- It's pretty easy! There's a handy form for requesting help
(see Step 2).
Can I report bugs here?

No! The NGO Security Team is NOT for submitting PGP bug
reports. It is also NOT an appropriate place to send suggestions
about how you want PGP to be improved (feature requests, etc.). Send
such comments or reports to the developers of the
version of the software you are using. You can also
subscribe to various public discussion lists such as PGP-Users
or post your opinions to an appropriate Usenet newsgroup, such as
alt.security.pgp.
Can I subscribe to the NGO Security Team list?

Not exactly. The NGO Security Team itself is not a conventional "subscription"
list (i.e., open for the general public to subscribe to). NGO Security Team
members are referred to us by other PGP experts and join by
invitation only, based on their reputation in the cryptography/PGP
community and their ability to help others. The NGO Security Team is also
not a software robot to which you can send command-messages such
as "help" or "info". If you're interested in
joining the team, that's great; get in touch with us.
What you probably want to do is join the PGP-Users List,
which IS a general, public mailing list that you may find very helpful.
Do I have to be a rocket scientist to ask questions?

Heck No! The NGO Security Team will attempt to answer any
question about PGP. People have sent us questions ranging from
"crypto-newbie" right on up to
"ultra-paranoid-cypherpunk-hacker." There's no such
thing as a dumb question. The only questions we won't at least attempt to answer are
the ones that have nothing to do with PGP (or related software like GPG).
Of course, it couldn't hurt if you are a rocket scientist...
I live in Iraq: Can you help me?

Here's where we have to be careful: because of the
extremely restrictive US regulations concerning the "export of
cryptographic software or technical assistance to foreign
nationals" [emphasis added], we may not be allowed to help you if you
live in one of a number of countries the US is not happy with. We are as upset as you are about this
situation, but even in such cases, we'll at least try to find you
someone outside the USA who is permitted to help you.
It's not illegal to ask for help... well, not yet anyway.
UPDATE: US export restrictions have been eased somewhat, so as
long as you do not live somewhere that the US has labelled a "terrorist-supporting nation"
like Iraq, we may be able to answer certain questions. We'll decide
these cases on an individual basis, so please answer the Help Form
questions in Step 3 truthfully.
Can you people answer questions about PGP for my SuSe Linux, DEC Alpha and Amiga computers? [as examples]

Quite possibly. We have volunteers who run PGP on different
hardware platforms
and Operating Systems, so there's usually someone who can help you with
your particular setup. If we can't help for some reason, we'll try to help you find someone who can.
Will you answer questions about PGPfone too?

No, sorry. PGPfone is a commercial secure telephony product that is not directly related to PGP.
New versions are supposedly coming, but we are not holding our breath. Meanwhile, you can read the beta version's documentation
on the Web.
I have not read any of the PGP Documentation or ReadMe files.
Will you still help me?

No. We require you to take some responsibility and read some of
the basic documentation and/or one of the many FAQs we list in Step 2
before you submit your questions. Please remember that we are a small volunteer
group, and while we'll still be nice to you if you ignore this requirement,
we'll also tell you to go read the Documentation and come back later if you
ask very basic questions you could have answered by yourself. Please look at
the documentation so that you can save yourself (and us) some valuable time.
Can you please send me a copy of the PGP software?

No. We quite possibly are not allowed to
send you the PGP software. There are various licensing and regulatory
reasons why this is so, but you can easily obtain it on your own. PGP is
regulated by the US Government as a "dual-use munition".
If we sent it to you, we might be investigated for
"illegal weapons exports." Please do not ask us to
send you any cryptographic software. If you are interested, read the
applicable US Commerce Department Export Administration
Regulations (EAR) or contact the Electronic Frontier Foundation or the
CryptoRights Foundation for information on how to change international
laws and restore personal privacy rights for all world citizens.
UPDATE: As of 2000, the export regulations have been considerably eased
and PGP as well as GPG and other related software are available from numerous
Web sites, including:
Is it legal for me to use PGP?

We're not your lawyers, but as far as we know, PGP is completely
legal for US and Canadian citizens to use for any normal, legal electronic
communications purpose.
The use of PGP in other countries may be subject to varying local controls,
regulations and/or laws, possibly involving legal or criminal penalties.
Examples include: Burma (a.k.a. Myanmar), where you can be
shot for using a fax machine (much less using PGP on a laptop); contrast this with the
Netherlands (a.k.a. Holland), where you are generally free to use PGP however and whenever
you like. The politics of cryptography change regularly, so feel free to ask, and keep
an eye on your own government's crypto-policy matters.
Can you delete my key from the keyservers for me? I lost my secret key/passphrase!

No! Sorry, but the public keyserver system doesn't work that way: once you've
put a public key into the public by uploading it to a keyserver, it's
permanently public until it either expires or is revoked by You the Owner
(even then it's still public, but no-one can encrypt to it anymore, unless they have
an old pre-revocation version of the key). Only the
owner of a key, who has both the secret and public halves of the keypair
AND the passphrase can use the PGP software to issue a
"revocation," in the form of a "KRC" (Key Revocation
Certificate), and then post the KRC to the keyservers in the same way the
original key was uploaded. The NGO Security Team cannot delete a key for you, and
even if we could delete it from one server, most servers propagate keys to
each other in a global network so that public keys are as widely available
as possible, so your key would just return to that server from another one
within a day or so. When making a new keypair for the first time, here is
our advice:
- Consider it a "training" key and set an expiration date.
You can generate a "permanent" key when you're more experienced with PGP.
- Do not immediately upload your new public key to a public keyserver.
- Do not forget your passphrase! Never ever forget your passphrase!
- Back up your keyrings securely and confirm that you can use the backup.
- After backing up your keypair, generate a KRC.
Store the KRC somewhere safe in case you ever need to revoke that key publicly
(e.g. you may forget your passphrase or lose your secret keyring to a hard disk error).
To do this you may need to back up your keyring files, revoke the key (making sure NOT
to send it or allow the application to automatically send it to the keyservers), export
the revoked key with its KRC to a separate file, then store that file securely; lastly,
quit the application and
replace your (just now modified) keyrings with the originals you backed up to re-enable
your "pre-emptively revoked" key. If you do lose your key/passphrase, you then
upload the revocation to the keyserver and generate a brand new key.
Does the NGO Security Team have a PGP public key?

No. You can use the Form to send the exported ASCII
text of your public key (if you have one already) to the Team for
testing purposes, but it's not required at first. Individual team members
who reply to your help request may at some point furnish you with their
personal keys so that you can encrypt messages to them. However,
in the last few years, we have not found it necessary to post a Team key.
Does the PGP 6.0.2 email plugin for Outlook
Express work with OE v5?

No. Microsoft changed things in OE5 that broke PGP 6.0.2
compatibility with OE4. For integrated plugin functionality with OE5, you
need to use PGP 6.5.1. However, the rest of PGP 6.0.2i works fine with OE5,
and you could do everything you need to with PGP in OE5 using the Clipboard.
UPDATE: PGP.com's new PGP 8.x may restore this functionality.
I have a version of PGP that ends in "CKT": what does "CKT" mean?

"CKT" stands for Cyber Knights Templar, a
volunteer European group that produces special versions of PGP with
"extended" capabilities (e.g. very large keysizes). We
will try to help you if you use a CKT version, but since they do
non-standard things, we may not be able to solve your problem.
We normally recommend that users obtain standard versions, since
interoperability is a very desirable property with cryptography
software. You can also contact the CKT group using the contact
information they provide with their versions of the software.
I installed PGP 6.5.1, but I can't find PGPdisk! Where is PGPdisk?

PGP freeware version 6.5.1 does not include PGPdisk.
However, PGP freeware versions 6.0.2 and 6.0.2i do, so if you want PGPdisk,
you need to downgrade to PGP 6.0.2. Note that PGPdisk is commercial software
(not freeware!) that was generously included temporarily in the 6.0.2
freeware to correct a previous bug.
Why does a "keyring file corrupt or not valid" error prevent me from launching PGPkeys 6.5.1i?

For a few days in early November 1999, a damaged PGP 6.5.1i
installer for Windows was available for download from the international
PGP freeware site. This installer did install PGP correctly, but copied a
damaged default secret keyring file (secring.skr) to the target hard disk.
The damaged installer was discovered and replaced with a new
installer, which has been available for download after 1999-11-07 (and may well
have been superseded by an even newer version by the time you read this.)
You should download the 6.5.1i or later version again so you have a "good" installer
to work with if you ever need to uninstall or reinstall PGP, but here's how
to fix your immediate problem:
- Locate the default keyrings the installer placed on your hard disk
(filenames "pubring.pkr" and "secring.skr").
- Delete the "secring.skr" file.
NOTE: If you haven't yet created a PGP Public Key,
you don't risk losing any important keys.
- Launch PGPkeys again.
If the same error comes up, repeat steps 1 & 2 but this time
delete both "secring.skr" and "pubring.pkr", then launch PGPkeys.
PGPkeys will now detect that you have no keyring files and will create new
files for you using its internal routines, rather than using the default
keyring(s) the damaged installer copied to your hard disk during
installation.
I can't get GPG to import my PGP keys;
why?

GNU Privacy Guard (as of Nov. 2002, at least) does not understand the PGP 7.x +
"extensions" such as pictures, and will treat keys with such extensions as invalid.
To get around this problem, you must export a copy of your keys (including the
secret key, if you intend to import this into GPG) by telling PGP to not
include these extensions. GPG should then be able to import these keys successfully.
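Added example (not part of the original FAQ, and not PGP's or GPG's own code): a small Python packet lister for checking whether an export still carries a photo ID before you import it into GPG, and for confirming that a stored KRC file from the keyserver question above really contains a revocation. It assumes the RFC 4880 packet framing, in which photo IDs are user attribute packets (tag 17) and a key revocation is a signature of type 0x20; the names `dearmor`, `packets`, `audit` and `SAMPLE` are made up for this example.

```python
import base64

# Packet tags from RFC 4880; tag 17 (user attribute) is where photo IDs live.
TAGS = {2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
        13: "user ID", 14: "public subkey", 17: "user attribute"}

def dearmor(text):
    """Decode an ASCII-armored export to raw packet bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]   # drop armor headers and the END line
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {i}")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                                # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """Report which packet kinds an exported key or KRC file contains."""
    found = list(packets(data))
    names = [TAGS.get(t, f"tag {t}") for t, _ in found]
    # Signature type sits at offset 2 in v2/v3 signatures and offset 1 in v4.
    sigs = [b[2] if b[0] < 4 else b[1] for t, b in found if t == 2 and len(b) > 2]
    return {"packets": names, "has_photo_id": "user attribute" in names,
            "has_secret_key": "secret key" in names, "has_key_revocation": 0x20 in sigs}

# Constructed sample with placeholder bodies (not real key material).
SAMPLE = (b"\x99\x00\x03\x04\x00\x00"      # public key, old format, 2-byte length
          + b"\xb4\x08Training"            # user ID, old format, 1-byte length
          + b"\xd1\x04\x00\x00\x00\x00"    # user attribute (photo), new format
          + b"\x88\x03\x04\x20\x00")       # v4 signature, type 0x20 (key revocation)
print(audit(SAMPLE))
```

For a real export, read the file and pass `dearmor(text)` to `audit` if it is ASCII-armored, or the raw bytes if it is binary.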
Thank you for reading through this brief FAQ.
If you still have a question about PGP for the NGO Security Team,
proceed to the help team procedures page.