Slashdot Mirror


User: ssimpson

ssimpson's activity in the archive.

Stories: 0
Comments: 164

Comments · 164

  1. Re:gpg on PGP Vulnerability Discovered · · Score: 1

    GPG doesn't suffer from this problem. It is stable, usable and uses the same ciphers (and more...) that NAI/PGP uses.

    The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).

  2. Re:Can we ask someone within PGP? on PGP Vulnerability Discovered · · Score: 4

    Will Price, Director of Engineering, PGP Security, Inc. has been alerted and is looking into it - he expects to report back to PGP-USERS mailing list Thursday.

  3. Re:So what's the answer on PGP Vulnerability Discovered · · Score: 5

    If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

    From the author's original message:

    PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)

    PGP-5.0i UNIX (not vulnerable)

    PGP-5.5.3i WINDOWS (VULNERABLE)

    PGP-6.5.1i WINDOWS (VULNERABLE)

    GnuPG-1.0.1 UNIX (not vulnerable)

    And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

    NO! The problem is that ANYONE can create an ADK on the end of your existing PGP public key!

  4. Answers about GnuPG on PGP Vulnerability Discovered · · Score: 5

    See below a message from A.Back. Basically GnuPG is NOT a victim of this "attack".

    > -----Original Message-----
    > From: Adam Back [mailto:adam@cypherspace.org]
    > Sent: 24 August 2000 15:12
    > To: Ross.Anderson@cl.cam.ac.uk
    > Cc: ukcrypto@maillist.ox.ac.uk; ietf-openpgp@imc.org
    > Subject: Re: Serious bug in PGP - versions 5 and 6
    >
    >
    >
    > Ross Anderson writes on uk-crypto:
    > > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
    > >
    > > [...]
    > >
    > > He's written a paper on his work and it's at
    > >
    > > http://senderek.de/security/key-experiments.html
    > >
    > > Since NAI joined the Key Recovery Alliance, PGP has supported
    > > "Additional Decryption Keys" which can be added to a public key.
    > >
    > > The sender will then encrypt the session key to these as well as to
    > > your main public key. The bug is that some versions of PGP respond
    > > to ADK subpackets in the non-signed part of the public key data
    > > structure. The effect is that GCHQ can create a tampered version of
    > > your PGP public key containing a public key whose corresponding
    > > private key is also known to themselves, and circulate it. People
    > > who encrypt traffic to you will encrypt it to them too.
    >
    > Amazing, and really unfortunate. Those of us who invested large
    > amounts of effort in ensuring the ADK subpackets were not included in
    > the ietf openPGP standard can be pleased we succeeded -- otherwise
    > gnuPG and other implementations may now also have contributed to this
    > risk. As it is gnuPG doesn't honor ADK requests, and all the rfc2440
    > says about them is:
    >
    > 10 = placeholder for backward compatibility
    >
    > At the time I was suggesting that if PGP really must insist on
    > creating software to escrow communications (the primary argument being
    > that people didn't want to lose access to the stored mail as opposed
    > to being able to have designated third parties snooping mail in
    > transit) they should use storage key escrow.
    >
    > My main premise was that communication key escrow is too risky because
    > an outside attacker gets the plaintext:
    >
    > http://www.cypherspace.org/~adam/cdr/
    >
    > "Keys used to encrypt email which is transmitted over the Internet are
    > more valuable to an attacker than keys used to encrypt stored files
    > because of the relative ease with which an attacker can obtain copies
    > of emailed ciphertext. Stored encrypted files in contrast are
    > protected by all the physical security systems the company is relying
    > on to protect its paper files, plaintext data stored on disks, and
    > backup tapes. [...]"
    >
    > There was also lots of political discussion of how unwise it was for
    > PGP to create an escrow infrastructure which could as easily be used by
    > governments as by SEC companies to archive their employees'
    > communications.
    >
    > And people quoting Phil Zimmermann a few years earlier complaining
    > about ViaCrypt's PGP4 for business variant which had "escrow" in the
    > form of a third party "encrypt-to-self" config file setting.
    >
    > And I believe I recall the NSA or some other US government body
    > picking up on the CMR / ADK mechanism and holding it up as evidence
    > against the claim that key recovery was complex ... "see PGP did it,
    > this works".
    >
    > > It's of scientific interest because it spectacularly confirms a
    > > prediction made by a number of us in the paper on `The Risks of Key
    > > Recovery, Key Escrow, and Trusted Third-Party Encryption'
    > > that key escrow would make it
    > > much more difficult than people thought to build secure systems.
    >
    > Yes. It really highlights the truth in the statement about the
    > new risks introduced by adding key escrow.
    >
    > Adam
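
The message above says the bug is that some PGP versions honour ADK subpackets sitting in the non-signed part of the key, and that RFC 2440 lists subpacket type 10 only as a placeholder. The following is an added example, not code from the thread, from Adam Back or from any PGP implementation: it walks the hashed (signed) and unhashed subpacket areas of an OpenPGP v4 signature packet body as laid out in RFC 2440 and flags a type-10 subpacket that only appears in the unhashed area, i.e. one the key owner's signature does not cover. The packet bytes are constructed for the example, not taken from a real key.

```python
import struct

ADK_PLACEHOLDER = 10  # RFC 2440 subpacket type 10: "placeholder for backward compatibility"


def _subpackets(data: bytes):
    """Yield (type, body) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(data):
        b0 = data[i]
        if b0 < 192:                       # one-octet length
            length, i = b0, i + 1
        elif b0 < 255:                     # two-octet length
            length, i = ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
        else:                              # five-octet length
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated subpacket")
        yield body[0] & 0x7F, body[1:]     # first octet is the type; bit 7 is "critical"
        i += length


def audit_v4_signature(pkt: bytes):
    """Return (hashed_types, unhashed_types, unsigned_adk_present).

    Only the two subpacket areas are parsed; the hash prefix and MPIs that
    follow are ignored. Nothing in the unhashed area is protected by the signature.
    """
    if pkt[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hashed_len = struct.unpack(">H", pkt[4:6])[0]
    hashed = pkt[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", pkt[pos:pos + 2])[0]
    unhashed = pkt[pos + 2:pos + 2 + unhashed_len]
    h_types = [t for t, _ in _subpackets(hashed)]
    u_types = [t for t, _ in _subpackets(unhashed)]
    return h_types, u_types, ADK_PLACEHOLDER in u_types


# Constructed sample (not a real key): v4, sig type 0x13, RSA (1), SHA-1 (2).
# Hashed area: a 4-octet creation-time subpacket (type 2).
# Unhashed area: a type-10 subpacket that no signature covers.
SAMPLE = (bytes([4, 0x13, 1, 2]) + struct.pack(">H", 6) + bytes([5, 2, 0, 0, 0, 0])
          + struct.pack(">H", 4) + bytes([3, 10, 0xAA, 0xBB]) + b"\x00\x00")

if __name__ == "__main__":
    print(audit_v4_signature(SAMPLE))  # ([2], [10], True)
```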

  5. Re:GPG? on PGP Vulnerability Discovered · · Score: 4

    This doesn't apply at all to GnuPG - it doesn't recognise the ADK packet (and it shouldn't - RFC2440 specifies that this packet is simply "placeholder for backward compatibility").

  6. Re:Secure? Well of course... on The World's Most Secure OS (?) · · Score: 1

    (PS: This isn't flamebait - I don't use either Linux or BSD in anger...)

    Do you have a citation for the 260 copies of OpenBSD used for "most sensitive data" BTW?

    This story details that the NSA (the people who dictate what platform is used for greater than Secret data) are progressing with Linux as a new secure platform. Though this doesn't mean BSD will not be considered, it's fairly indicative.

    I've often thought that Linux versions should include more crypto/security as standard (e.g. SSH, GPG, EFS, IPSEC (or even PPTP!), secure file deletion etc etc).

    Rgds, Sam

  7. Re:New references on Echelon & NSA? (ooops) on Inside Echelon · · Score: 1

    Apparently Duncan & J.Bamford are working on a new up to date book on Echelon & the NSA.

    Bamford's previous book, Puzzle Palace, is absolutely excellent, though was published in '83 so is largely out of date.

    IMHO, the best current site is John Young's Cryptome, which is unfortunately currently down due to a DDOS attack!

  8. New references on Echelon & NSA? on Inside Echelon · · Score: 1

    Apparently Duncan & J.Bamford are working on a new up to date book on Echelon & the NSA.

    Bamford's previous book is absolutely excellent, though was published in '83 so is largely out of date.

    IMHO, the best current site is John Young's Cryptome, which is unfortunately currently down due to a DDOS attack!

  9. The EFF 20/7 comments are more positive: on Civil Disobedience and DeCSS · · Score: 5

    EFF DVD Update: July 20, 2000
    Universal City Studios v. 2600 Magazine

    EFF Fights Movie Studios' Attempt to Monopolize DVD Players
    Johansen Shines on Witness Stand in Defense of his Software

    Jon Johansen, the Norwegian teen-ager who created DeCSS, the software at the heart of this case, took the witness stand Thursday morning to testify for the defense. Johansen explained that he was attempting to build a DVD player for Linux when he and two other members of the group MoRE developed the code. He also explained that DeCSS was written as a Windows executable file because the project had to be tested first on Windows since Linux could not read a DVD's UDF files. This testimony blew a huge hole in both the movie studios' and the judge's reasoning, who assumed that because the code was written for Windows it had nothing to do with developing a Linux DVD player, as EFF's defense team has claimed for months.

    The courageous teen also revealed that the MPAA filed charges against Jon and his father Per, instigating the Norwegian Economic Crime Unit to ask Jon to answer questions at the police station in January 2000. His testimony revealed a flaw in the judge's thinking, who has previously stated in several opinions that the teen was arrested and has inferred guilt therefrom. Not only was Johansen never arrested for developing the software, the Norwegian government awarded Jon a prestigious award for his excellent grades in high school and his contribution to society for creating DeCSS. Although it did not come out in court today, the Norwegian parliament has also issued the young teen a formal apology for the treatment he has undergone as a result of publishing the code.

    In stark contrast to the veracity and integrity Johansen displayed on the witness stand in the face of a powerful industry trying to crush him, the head of the MPAA's world-wide anti-piracy effort Mikhail Reider testified next. The MPAA investigator who was previously an intelligence officer for the DEA and FBI gave testimony replete with "I can't recall", "I don't know", and "I can't remember" to the most basic questions involving the MPAA's investigative efforts in this case, reminiscent of the Jack Valenti deposition. The credibility and truthfulness of this witness was called into further doubt when shown and asked about internal MPAA reports sent to her that contradicted her testimony and were obtained by EFF's defense team through discovery battles. At the conclusion of Reider's testimony, the Plaintiffs rested their case.

    EFF's defense team called Edward Felton to the witness stand who is an expert on technology and testified for the Department of Justice in its case against Microsoft. Felton, who likened "hacking" to "tinkering" explained that the public is ultimately served by the disclosure of information learned from publishing the results of encryption research and security testing. He also testified to the expressive nature of object code and that he can read it and encourages his students to read and write it as part of their education. "In addition to executing it, you can learn a lot from it," stated one of the world's most highly respected computer experts.

    Journalist and publisher of 2600 Magazine Eric Corley, who is more commonly known by his pen name, Emmanuel Goldstein took the stand in his own defense at the late afternoon and will return first thing Thursday morning at 9:00. Goldstein explained many of the important contributions to computer security, technology innovation, and the protection of privacy that his magazine was responsible for since its creation in 1984. He also described his extensive journalistic background which includes having been published in the NY Times and the Wall Street Journal among countless others and testifying before Congress on technology issues.

    Judge Kaplan provided some sense of his thinking, saying that Web publisher 2600.com had a reasonably strong case that the issuance of a permanent injunction against it was a futile act due to the mass proliferation of the software. Fond of analogies, the judge stated the defense had a reasonably strong case for the proposition that the barn is unlocked and this horse is out. (See pulled quote from transcript below).

    In response to questions regarding the movie studios' right to control who can make DVD players, the judge gave some indication that he believed the DMCA may over-rule antitrust law in the U.S., something to be found nowhere in the legislative history of the statute.

    Thursday morning, Emmanuel Goldstein will complete his testimony with the cross examination of him by Proskaur lawyer Leon Gold. EFF's defense team also expects to call Matt Pavlovich, a developer of open source DVD player tools and Professor Peterson of Princeton University's Computer Science department to the stand.

    From trial transcript of July 20, 2000, Pages 670-1
    17 Now, it seems to me also that what the MPAA wants is
    18 a legal determination that unlocking this barn was illegal,
    19 and so the next guy who considers unlocking another barn is
    20 going to have something serious to think about. I suspect you
    21 are also asking me to issue an injunction against the guy who
    22 unlocked this barn not to unlock it again even though there is
    23 no horse in it. So, you know, I don't know that this witness
    24 has any light to shed on that subject.

    Page 674:
    6 courts have said for 300 years, at least that courts of
    7 equity ought not to use the equitable power of injunction to
    8 try to accomplish the impossible or to perform something which
    9 is entirely futile, and therefore, in the exercise of
    10 discretion, given the broad prevalence of this particular
    11 utility, this time the court declines to issue the injunction
    12 because it would do no practical good.

    Transcript of today's hearing:
    http://www.eff.org/IP/Video/MPAA_DVD_cases/20000720_ny_trial_transcript.html

    An index of the DVD updates can be found at:
    http://www.eff.org/IP/Video/dvd_updates_archive.html

    You can subscribe to EFF's mailing list to receive the regular
    DVD updates. To subscribe, email
    and put this in the body: subscribe cafe-news

    EFF's archive of MPAA v 2600 litigation:
    http://www.eff.org/IP/Video/MPAA_DVD_cases/

    RELATED COVERAGE:
    Norwegian Teenager Appears at Hacker Trial He Sparked
    By Carl Kaplan, NY Times
    http://www.nytimes.com/library/tech/00/07/cyber/cyberlaw/21law.html
    (This is one of the best articles yet written about this case).

    DVD-Hacker Trial Judge Says Horsefeathers to Movie Studios' Injunction Demands
    By Greg Lindsay, Inside.com
    http://www.inside.com/story/Story_Cached/0,2770,7070_7,00.html

  10. Re:Missing the point... on New Tech In Data Retrieval · · Score: 1

    PGP v7 (for NT & 9x at least...) will solve this problem. It catches the normal OS delete requests and substitutes this with a user-definable number of overwrites. Sexy, huh?

  11. Technological protection against use, how? on Today's Helping Of The DMCA · · Score: 1

    Time Warner says that it needs "effective protection, both technological and legal, against unauthorized uses of copyrighted works".

    They had better resort to legal protection then, because any technical measure that is "acceptable to the market" is going to be reverse engineered in a country not prohibiting such "hacking".

    To quote Digital Copyright Protection by P.Wayner: "The best place to begin in this book is with the bad news: there is no absolute way to prevent people from copying digital versions of your text, your music, your movie...".

    All "unbreakable" copyright protection systems rely on a trusted oracle either:

    1. Locally to the user (e.g. in tamperproof hardware).

    2. Externally connected (e.g. via the Internet, via a phoneline etc).

    Option 2. clearly isn't viable in the market (think DIVX!), so 1. seems the only workable option. The problem is, of course, that DVD drives are by now widely distributed - you can't really hardwire the functionality into existing players.

    It would appear that the horse has well and truly bolted for a technical solution.....

  12. Re:Anybody want to see a CmdrTaco cam? on JenniCam Celebrates 4-Year Anniversary · · Score: 2

    Pretty young lady? WTF!

    Have you ever seen a picture of her?!!?!

  13. Re:Key Escrow is Dead, Hurrah! on EPIC Report On International Cryptography · · Score: 1

    D.S. was (until mid-98) a very common (and unpopular...) poster to comp.security.pgp.discuss. He's been quiet recently mainly due to the fact that the c.s.p.d regulars upset him too often :)

    Have a look at Deja for some of his final posts - they are quite amusing :)

  14. Re:This is great!!! on Mozilla to get PKI source code · · Score: 1

    It would appear to be great - but only as long as you live outside of the US. We need to remember that the core algorithm (see note below!) in both SSL and S/MIME is RSA. RSA is still patented (but only in the US...) so Mozilla will have to be careful to ensure that RSA is appropriately licensed (not an easy task - note the PGP hassle). Roll on 20/9/00 when the RSA patent finally expires, eh? Of course, RSALabs have then indicated that RSA is a tradename and as such will have to be licensed :( (Note:) ElGamal / DH has now become the "MUST" algorithm in these two RFCs, but RSA remains a "SHOULD". AFAIK, all current implementations (and CAs etc) still only support RSA - so ElGamal / DH are f'cking useless anyway....