According to Jeffrey I. Schiller, PGP 2.6 will issue broken messages, unreadable by earlier legal versions of PGP (Viacrypt's 2.4 in USA and Canada, and any version outside backward-crypto-land).

In summary, how do we make our fixes to this obvious bug stick?

(Institutional paranoia on)

To me, this change is an obvious step in satisfying the TLA's desire for a segmented crypto market to slow widespread use of strong crypto. On the one side, we have misapplied ITAR regulations preventing export of a worldwide standard. On the other side, we have a wrongly-granted patent preventing use of an imported worldwide standard. PGP is a de-facto worldwide standard, and they're trying to break it.

(Institutional paranoia off)

From the keyboard of: Adam Shostack <adam@bwh.harvard.edu>
And 2.4 is legal, if the 2.6 code doesn't recognize that, well, then that code is buggy & will need to be fixed. :)

Adam has the right idea. The question is, how do we make such a fix stick? In order to beat the "canonical release" advantage of the broken 2.6, we'll need to spread the word widely (at least until a 2.6-compatible PGP is released and ported to the full range of current platforms by our outside compatriots).

Some suggestions for after we create such patches:

  Letters to computer magazines (Infoworld, Wired, PC Week, etc.)
  Add entry to PGP FAQ about communicating with non-USA/Canada PGP users
  Add entry to PGP WWW pages in UK
  Weekly postings of the patches to alt.security.pgp (from outside NA)
  Monthly postings of the patches to alt.sources.patches (from outside NA)
  Press releases in other appropriate newsgroups, repeated
  Come up with others, particularly for the non-net world. :-)

Richard