I was shocked to receive an E-mail from Phill Zimmermann. Here is my reply to his E-mail. From: Philip Zimmermann <prz@acm.org>

Tom, I hear that you are distributing a modified version of PGP that uses a different customized encryption algorithm of your own design.

I have pieced together a multiple cipher that consists of the chain IDEA-TRAN-IDEA-TRAN-IDEA. Where IDEA is the same IDEA (128 bit key + 64 bit IV) algorithm that pgp uses and TRAN is a byte transposition across the 4K buffer block (each tran uses 32 bit key). Thus giving this multiple cipher a keyspace of 640 bits. I have made modifications to pgp that will let a user _optionally_ use this alogrithem instead of the single IDEA cipher. This change was made to show pgp versitility and usefullness in transporting an unweildly large conventional key with ease. On decrypting, the modification detects which type of key is in the RSA packet and then invokes the proper algorithm. Please note that the origional cipher algorithems are intact and are used as the default method.

If you read the "Snake Oil" section of the PGP User's Guide, then you know how I feel about amateur cryptographer's encryption algorithms that have not been subjected to extensive peer review.

Well, It is true that I am _not_ being paid for this software. It is my hobby. And I don't care how you feel about my hobby. Please feel free to make any constructive comments about the algorithm.

PGP's reputation, and my repuitation (which is tied to PGP), depends of people trusting the quality of encryption algorithms and protocols that I have carefully selected for PGP, using all of my knowledge and experience. If someone were to put a new encryption algorithm into PGP without my permission, it could serve to tarnish the reputation that PGP has earned over the years.

I am a little confused about this statement. The following (2) paragraphs came from the a pgp.c source file. So, I don't see that my small changes can damage your reputation. (c) Copyright 1990 by Philip Zimmermann. All rights reserved. The author assumes no liability for damages resulting from the use of this software, even if the damage results from defects in this software. No warranty is expressed or implied. All the source code I wrote for PGP is available for free under the "Copyleft" General Public License from the Free Software Foundation. A copy of that license agreement is included in the source release package of PGP.

Accordingly, I do not approve of anyone modifying the cryptographic characteristics of PGP. PGP and Pretty Good Privacy are my trademarks, and their good name is trusted the world over because of the care that I have exercised in selecting its algorithms.

I believe that you have released the pgp software under the Free Software Foundation "Copyleft" License.

If you'd like to write your own cryptographic utility, using your own algorithms and protocols, I have no problem with that. But I do not want my program, my documentation, my name, and my trademarks, to be used for products that may have flawed algorithms.

Let me show you a paragraph from the "Copyleft" License that you released the pgp program under. The license agreements of most software companies try to keep users at the mercy of those companies. By contrast, our General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. The General Public License applies to the Free Software Foundation's software and to any other program whose authors commit to using it.

I also have no problem with you modifying PGP for your own private use, if you like to experiment with new algorithms of your own design. But I do not want you to distribute such a program to others, if it uses my code, my manuals, my name, and my trademarks. It could hurt my reputation and PGP's reputation.

I guess that I will have to quote (2) more paragraphs from the "Copyleft" License that you released the pgp program under. When we speak of free software, we are referring to freedom, not price. Specifically, the General Public License is designed to make sure that you have the freedom to give away or sell copies of free software, that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

If I am misinformed on this subject, please let me know and accept my apology for assuming too much. Otherwise, I'd like you to remedy the situation. Please let me know what has happened and what we can do about it.

I believe that you may by misinformed. I hope that I have made my position clear. You relesased the pgp program under the "Copyleft" License. I have the right to change the software or use pieced of it. I am protected from you trying to deny me those rights.

Sincerely, Philip Zimmermann prz@acm.org

Sincerely, Tom Rollins <trollins@debbie.telos.com>