PRZ on 2048-bit keys, etc.

Philip Zimmermann prz at acm.org
Tue Sep 27 00:42:03 PDT 1994


Folks, a lot of people seem to be eager to generate 2048-bit keys with
various not-from-me versions of PGP that have been hotwired to allow
2048-bit keys to be generated.

MIT PGP 2.6.1 was supposed to allow 2048-bit keys, but not generate
them.  Because of yet another bug, the new intended feature of
accepting 2048-bit keys does not really work for 2.6.1.  That
particular feature was added late, and not really tested before the
release.  We are preparing a 2.6.2 release this week to fix this
problem, and maybe a few others.  PGP 2.6.2 will accept, but not
generate, bigger keys.

Why, you may ask, did I go through the trouble of making (well, OK,
trying to make) 2.6.1 accept bigger keys, but not actually generate
them?  I'm glad you asked.  Because this is part of a carefully phased
keysize upgrade path.  You see, from PGP 2.0 on up, each version of PGP
that had to introduce a new data format to support a new feature was
done in this same manner.  A new format is first read by the new
release, but not generated.  Then, in the next release after that, the
new format is generated.  This allows time for the new software (that
accepts the new format) to be thoroughly propagated through the user
community before the new format is actually generated by the even newer
software released later.  This makes life easier for all PGP users,
by preserving interoperability as much as possible.

This means that any two consecutive releases of PGP are bidirectionally
compatible.  My intent was to get a thorough deployment of PGP software
that could accept bigger keys before anyone was actually generating any
bigger keys.  I do it this way to serve the interests of the PGP user
community.

PGP development has always worked this way, and no one complained
before.  Now it seems that people everywhere are all too eager to
release their very own hacked version that screws up my efforts to
preserve interoperability.  They make all kinds of changes without
talking to me first, to find out why I do things this way, before
dashing ahead with what they think the rest of the PGP users need.  My
phone number is in the PGP documentation.  It would be so easy for code
developers to simply pick up the phone and call me, and maybe find out
why a particular PGP feature (or bug) is in there, when I intend to fix
it, or if indeed it should be fixed at all.  I would prefer that people
call me before they create and release mutant strains of PGP.  A little
direct human contact by phone goes a long way in defusing
misunderstandings about PGP.

I would urge that people not generate 2048-bit keys until 2.6.2 has
been in circulation for at least a couple of months, to give it time to
spread through the user community.  I will release a new version later
that actually generates 2048-bit keys, for the diehards that want them,
and the new software will offer many other improvements as well.

I urge that people use the releases of PGP that I make and publish
through MIT.  The development process includes participation of the
user community, and I take seriously everyone's suggestions for what
should be included in PGP.  I do not work in a vacuum here in
Boulder.  I do not make many public statements about PGP export issues,
because my lawyers won't let me, but that should not be interpreted as
insensitivity to the needs of the PGP user community.  There is still
an ongoing criminal investigation concerning export of PGP, and I am
still the target.  Some militant Europeans may think I don't care about
PGP usage outside the USA.  At least one guy in Europe has demanded
that I make statements about and get involved in export-related issues
of PGP, and says I've "sold out" (Really?  Sold out to whom?  And for
how much?).  I haven't sold out.  But I also don't enjoy the freedom of
speech that other Americans enjoy.  Of course, none of these remarks
I'm making here should be interpreted to mean that I approve of anyone
violating US export law.

And, BTW-- for those of you who get all paranoid whenever I post
something on the newsgroups that is not digitally signed with PGP --
Look, sometimes I just don't feel like signing everything I say.  There
is another email encryption protocol, PEM, which makes you sign every
message, because PEM is designed for accountability for every remark
you make, and assigning blame.  PGP doesn't require you to sign every
encrypted message, because PGP doesn't try to put you under oath every
time you open your mouth.  In my circumstances, maybe I just don't feel
like making every little note I write be a signed affidavit.


 -Philip Zimmermann
  prz at acm.org