Folks, a lot of people seem to be eager to generate 2048-bit keys with various not-from-me versions of PGP that have been hotwired to allow 2048-bit keys to be generated. MIT PGP 2.6.1 was supposed to allow 2048-bit keys, but not generate them. Because of yet another bug, the new intended feature of accepting 2048-bit keys does not really work for 2.6.1. That particular feature was added late, and not really tested before the release. We are preparing a 2.6.2 release this week to fix this problem, and maybe a few others. PGP 2.6.2 will accept, but not generate, bigger keys. Why, you may ask, did I go through the trouble of making (well, OK, trying to make) 2.6.1 accept bigger keys, but not actually generate them? I'm glad you asked. Because this is part of a carefully phased keysize upgrade path. You see, from PGP 2.0 on up, each version of PGP that had to introduce a new data format to support a new feature was done in this same manner. A new format is first read by the new release, but not generated. Then, in the next release after that, the new format is generated. This allows time for the new software (that accepts the new format) to be thoroughly propagated through the user community before the new format is actually generated by the even newer software released later. This makes life easier for all PGP users, by preserving interoperability as much as possible. This means that any two consecutive releases of PGP are bidirectionally compatible. My intent was to get a thorough deployment of PGP software that could accept bigger keys before anyone was actually generating any bigger keys. I do it this way to serve the interests of the PGP user community. PGP development has always worked this way, and no one complained before. Now it seems that people everywhere are all too eager to release their very own hacked version that screws up my efforts to preserve interoperability. They make all kinds of changes without talking to me first, to find out why I do things this way, before dashing ahead with what they think the rest of the PGP users need. My phone number is in the PGP documentation. It would be so easy for code developers to simply pick up the phone and call me, and maybe find out why a particular PGP feature (or bug) is in there, when I intend to fix it, or if indeed it should be fixed at all. I would prefer that people call me before they create and release mutant strains of PGP. A little direct human contact by phone goes a long way in defusing misunderstandings about PGP. I would urge that people not generate 2048-bit keys until 2.6.2 has been in circulation for at least a couple of months, to give it time to spread through the user community. I will release a new version later that actually generates 2048-bit keys, for the diehards that want them, and the new software will offer many other improvements as well. I urge that people use the releases of PGP that I make and publish through MIT. The development process includes participation of the user community, and I take seriously everyone's suggestions for what should be included in PGP. I do not work in a vaccuum here in Boulder. I do not make many public statements about PGP export issues, because my lawyers won't let me, but that should not be interpreted as insensitivity to the needs of the PGP user community. There is still an ongoing criminal investigation concerning export of PGP, and I am still the target. Some militant Europeans may think I don't care about PGP usage outside the USA. At least one guy in Europe has demanded that I make statements about and get involved in export-related issues of PGP, and says I've "sold out" (Really? Sold out to whom? And for how much?). I haven't sold out. But I also don't enjoy the freedom of speech that other Americans enjoy. Of course, none of these remarks I'm making here should be interpreted to mean that I approve of anyone violating US export law. And, BTW-- for those of you who get all paranoid whenever I post something on the newsgroups that is not digitally signed with PGP -- Look, sometimes I just don't feel like signing everything I say. There is another email encryption protocol, PEM, which makes you sign every message, because PEM is designed for accountability for every remark you make, and assigning blame. PGP doesn't require you to sign every encrypted message, because PGP doesn't try to put you under oath every time you open your mouth. In my circumstances, maybe I just don't feel like making every little note I write be a signed affidavit. -Philip Zimmermann prz@acm.org