Dear PGP User Well, finally. After more than three years, we finally have the long-awaited PGP Version 5.0 ready for release (formerly known as 3.0). You hold in your hand one of 12 volumes (over 6000 pages!) of the printed copy of the complete source code to PGP for Personal Privacy, Version 5.0. In keeping with my own long-standing tradition from the days before I started this company, our source code is being openly published to facilitate peer review. This allows everyone to assure themselves that there are no hidden back doors that might compromise security. We are pleased to be able to publish these books without having to fight an extensive legal battle. As you may know, while a printed book or other printed material setting forth encryption source is not itself subject to U.S. Export Administration Regulations, (see EAR §734.3(b)(2)), the U.S. government says it is considering whether and to what extent scannable encryption source or object code in printed form should be subject to regulations. We think this is rather remarkable in light of the ruling by U.S. District Court Judge Marilyn Hall Patel who said, "Source code ... is speach afforded by the full protection of the First Amendment." Bernstein v. United States Dept. of State, 922 F. Supp. 1426, 1428-30 (N.D.Cal. 1996). In any event, according to both the export regulations and the court, the publication of this book is perfectly legal. It's taken longer than expected to produce this code and these books, for a variety of reasons, not the least of which was the three-year criminal investigation I was under from the US government. That really slowed things down. It cut off nearly all access to my volunteer labor force that had been so instrumental in the development of PGP versions 2.0 and above. For those of you unfamiliar with the case, the US government was taking the position that encryption software should not be exported without a license from the State Department. Since PGP was published for free on the Internet in 1991 and subsequently spread all around the world, the government assumed that the law must have been broken. That triggered the creation of a mostly pro-bono legal defense team, a legal defense fund, and three years of almost daily press interviews. The press was overwhelmingly against prosecuting and the cryptographic policy issue was drawing the wrath of the whole computer industry. However, the investigation was closed without indictments in January 1996. Shortly after that, I started my own company, PGP, Incorporated. We hired a team of full-time engineers to develop products like this new product, PGP for Personal Privacy, Version 5.0. This new version has a lot of cool new features. The older version of PGP (Version 2.6.2, released through MIT) was only for MS-DOS and Unix(tm). This new version was designed from scratch to provide a graphical user interface (GUI) environment. These volumes contain source code and tools that can be used to build versions that run under Windows 95 and Windows NT, as well as a version for Apple Macintosh. We also have a non-GUI version for Unix, starting with the Linux platform. The GUI really makes the product a breeze, with seamless integration into email packages, starting with Qualcomm's popular Eudora, Microsoft's Exchange, and Microsoft Outlook. Now using PGP to encrypt or decrypt your mail is just a couple of mouse clicks away. The new code also adds some new encryption algorthms. Probably the most exciting is the introduction of a new public key algorithm that will serve as an alternative to the RSA algorithm. The Diffie-Hellman and Hellman-Merkle patents expire this year, opening the door to royalty-free use of public key algorithms. Everyone will benefit from this, because the whole computer industry has been forced to work with a public key patent monopoly that stifled the use of public key algorithms for many years. Now the field is opening up. PGP offers Diffie-Hellman (the ElGamal variant of Diffie-Hellman) keys, and the NIST Digital Signature Standard (DSS) keys. With these new keys comes a range of new features, including improved speed and security. Also, there are now two separate key pairs for each user, one pair for encrypting/decrypting (Diffie-Hellman), and one pair for signing/veryfying (DSS). Today these are presented to the user as if they were a single key pair. In later releases we will give the user the capability to change his DH key without changing his DSS key. To get the full range of benefits, it would be helpful if as much of the PGP community as possible participates in this migration to the new public key algorithms. Our new code also implements new block ciphers for bulk encryption, offering triple_DES and CAST as options, as well as continuing to support the IDEA cipher from earlier versions of PGP. We also offer a new signature hash algorithm, SHA-1, for computing digital signatures. The old hash algorithm, MD5, developed by RSA Data Security Inc, has been discovered to have serious weaknesses and is no longer recommended to make digital signatures. To use the new SHA hash algorithm, users will have to use DSS as their signature algorithm, because PGP's RSA signatures continue to use the MD5 hash for backward compatability reasons. A particularly exciting new feature is the intigration with public key servers. Now PGP will look up public keys on a remote server on the Internet, such as the one at MIT. When you generate a new public key, PGP will offer to upload it to the remote key server. Anyone will be able to get anyone else's public key whenever they need it. This will tie all PGP users everywhere together into a global community, with a nationwide public key infrastructure that no other encryption product can offer. This infrastructure will grow organically, like the Internet did. I hope that you will agree that this new release of PGP was worth the wait. Sincerely, Philip Zimmermann Chief Technology Officer, Pretty Good Privacy, Inc.