Pretty Good Privacy version 2.6 - READ ME FIRST Notes by Perry Metzger Edited for 2.3a by Colin Plumb You are looking at the README file for PGP release 2.6.2. PGP, short for Pretty Good Privacy, is a public key encryption package; with it, you can secure messages you transmit against unauthorized reading and digitally sign them so that people receiving them can be sure they come from you. [Note: You will see references throughout this package to PGP release 2.6. Yet this release is 2.6.2. This isn't really a problem. PGP 2.6.2 is simply a bugfix release of PGP 2.6. All features in PGP 2.6 are also in PGP 2.6.2, just less buggy!] The files pgpdoc1.txt and pgpdoc2.txt contain documentation for the system. Before using PGP, PLEASE READ THE DOCUMENTATION. This tends to get neglected with most computer software, but cryptography software is easy to misuse, and if you don't use it properly much of the security you could gain by using it will be lost! Security is only as strong as the weakest link, and while the algorithms in PGP are some of the strongest known in the civilian world, there are things outside the program's control which can weaken your security as assuredly as forgetting to lock a vault door. Even if you are already familiar with public key cryptography, it is important that you understand the various security issues associated with using PGP. There are four archives in the PGP 2.6 release. You will usually only need one of them. They are: - pgp262.zip This is the MS-DOS executable release, which includes the executable, support files, and basic documentation. Note: This archive contains an inner zip file named PGP262I.ZIP. This internal zip file contains the actual PGP release. PGP262.ZIP contains it and PGP262I.ASC which is a detached signature generated by jis@mit.edu for PGP262I.ZIP. In this fashion you can verify that the release you received is authentic. Other signatures will be included in the future. - pgp262s.zip This is a source code release, which includes all the source code needed to compile PGP and examples of usage. This contains everything in pgp262.zip except the pgp.exe binary. It contains two internal ZIP files. PGP262SI.ZIP which contains the PGP source (and the .OBJ files for the two assembler modules so people without the assembler can still compile and link PGP) and RSAREF.ZIP which contains the RSAREF sources. There are also corresponding .ASC files so you can verify the integrity of the source release. - pgp262s.tar.gz This contains exactly the same files as pgp262s.zip, except that they use Unix rather than MS-DOS line end conventions. Note: It also contains a signature and two internal tar file so you can verify the integrity of the release you have. - pgp262s.tar.Z This is a UNIX compress version of pgp26src.tar.gz. - pgp262dc.zip This is the documentation for PGP only. This can be freely exported and is useful to tell people what PGP does. Note: It also contains a signature and an internal ZIP file so you can verify the integrity of the releaseyou have. While we welcome ports to other platforms, if you make your own archive for distribution, PLEASE INCLUDE THE MANUAL. It covers important security and legal issues which a new user must know. Assuming you have a code (non-documentation) release, the file SETUP.DOC contains information on how to install PGP on your system; this document is broken up into several sections, each dealing with a different operating system: PGP2.6 is known to run on MS-DOS and UNIX. It should also run on VMS and OS/2, but these have not been tested yet. Part of the information in SETUP.DOC might make more sense if you have already read the manuals. PGP2.6 is freeware; you are welcome to copy and distribute it provided that you do not export it from the U.S. and you follow the terms and conditions of the included RSAREF license. For details on what has changed since release 2.3a, doc/changes.doc. Release 2.4 was given to ViaCrypt only, and fixed a few minor bugs. MANIFEST for PGP 2.6.2 MSDOS executable release --------------------------------------------- Here is a list of files included in the PGP 2.6.2 MSDOS executable release file PGP262I.ZIP... CONFIG.TXT - User configuration parameter file for PGP ES.HLP - Online help file in Spanish FR.HLP - Online help file in French KEYS.ASC - Sample public keys you should add to your keyring LANGUAGE.TXT - Sample language file for French and Spanish MITLICEN.TXT - PGP 2.6 License from MIT PGP.EXE - PGP executable program PGP.HLP - Online help file for PGP README.DOC - This file you are reading RSALICEN.TXT - RSAREF license DOC\APPNOTE.DOC - Integrating PGP into Mailers (mostly UNIX oriented) DOC\BLURB.TXT - Brief description of PGP, for BBS indexes DOC\CHANGES.DOC - Changes since PGP 2.3 DOC\KEYSERV.DOC - Information (maybe out of date) on PGP Keyservers DOC\PGPDOC1.DOC - PGP User's Guide, Vol I: Essential Topics DOC\PGPDOC2.DOC - PGP User's Guide, Vol II: Special Topics DOC\POLITIC.DOC - Computer-related political groups DOC\SETUP.DOC - Installation guide For Clinical Paranoia Sufferers Only ------------------------------------ It is always possible that the PGP you have received has been tampered with in some way. This is a risk because PGP is used as a system to assure security, so those wishing to breach your security could likely do it by making sure that your copy of PGP has been tampered with. Of course, if you receive PGP in a binary distribution, it makes sense to check it for viruses, and if you receive PGP as source code, looking for signs of obvious tampering might be a good idea. However, it is very difficult to actually determine if the code has no subtle bugs that have been introduced and that the executable you are using has not been tampered with in any way. If you have a previous version of PGP which you already trust, the cryptographic signature on the executable will assure you that it has not been tampered with (with the possible exception of a "stealth virus" already existing on your system). If you are a really paranoid person, try getting a cryptographically signed copy of the software from someone you trust to have a good copy. It would also likely be good for you to pay special attention to the sections of the manual on "Vulnerabilities." You are going to read the manual, aren't you?