What's New in PGP?

Most of the following (exceptions are indicated by {{{text inserted here}}}) are all quoted from documentation that accompanies the indicated PGP software, starting with PGP 5.0:

******************************************************************

This new version has a lot of great new features. The older version of PGP (Version 2.6.2, released through MIT) was only for MS-DOS and Unix. This new version was designed from scratch to provide a graphical user interface (GUI) environment. We have versions that run under Windows 95 and Windows NT, as well as a version for the Apple Macintosh. We also have a non-GUI version for Unix, starting with the Linux platform.

The GUI really makes using the product a breeze, with seamless integration into email packages, starting with Qualcomm's popular Eudora package and Microsoft's Exchange and Outlook. Now using PGP to encrypt or decrypt your email is just a couple of mouse clicks away.

The new code also adds some new encryption algorithms. Probably the most exciting is the introduction of new public key algorithms that will serve as an alternative to the RSA algorithm. The Diffie-Hellman and Hellman-Merkle patents expire this year, opening the door to royalty-free use of public key algorithms. Everyone will benefit from this, because the whole computer industry has been forced to work with a public key patent monopoly that stifled the use of public key algorithms for many years. Now the field is opening up.

PGP offers Diffie-Hellman (the ElGamal variant of Diffie-Hellman) keys, and the NIST Digital Signature Standard (DSS) keys. With these new keys comes a range of new features, including improved speed and security. Also, there are now two separate key pairs for each user, one pair for encrypting/decrypting (Diffie-Hellman), and one pair for signing/verifying (DSS).
These are presented to the user as if they were a single key pair, but in later releases we will give the user the capability to change his DH key without changing his DSS key. To get the full range of benefits, it would be helpful if as much of the PGP community as possible participates in this migration to the new public key algorithms.

We also offer new block ciphers for bulk encryption, offering triple-DES and CAST as options, as well as continuing to support the IDEA cipher from earlier versions of PGP.

We also offer a new signature hash algorithm, SHA-1, for computing digital signatures. This algorithm is superior to RSA's MD5. To use the new SHA hash algorithm, users will have to use DSS as their signature algorithm, because PGP's RSA signatures continue to use the MD5 hash for backward-compatibility reasons.

A particularly exciting new feature is the integration with public key servers. Now PGP will look up public keys on a remote key server on the Internet, such as the one at MIT. When you generate a new public key, PGP will offer to upload it to the remote key server. Anyone will be able to get anyone else's public key whenever they need it. This will tie all PGP users everywhere together into a global community, with a nationwide public key infrastructure that no other encryption product can offer. This infrastructure will grow organically, like the Internet did.

******************************************************************

What's new in PGP Version 5.5

PGP Version 5.5 includes these new features:

• You can create recipient groups, in which you select a group of people's keys and encrypt mail to all of them simultaneously.
• New key server integration capabilities that you can use to automatically store, search, and synchronize keys.
• New Key Search Window that you can use to locate keys on remote servers with the same user interface that you use to search your keyring.
• New PGPtools that you can use to encrypt, sign, decrypt, verify, or wipe files from the Windows Explorer.
• A PGP Wipe feature that overwrites files so that they cannot be recovered with software tools.
• A configurable View menu that provides information about the keys on your keyring.

******************************************************************

Major New features included in all PGP 6.0 releases:

* Photographic User IDs. You may now add a photograph of yourself to your key. Selecting "Add - ->Photo" in the Keys menu will guide you through this process. On Win95/NT, BMP and JPEG files are accepted while PICT files are accepted on the Macintosh. For maximum quality, it is suggested that you crop the picture to 120x144 before adding it. If you do not do this, PGP will scale the picture down for you. Also, avoid compressing the picture prior to adding it. PGP will apply JPEG compression when adding pictures. Adding a picture will increase the size of your key by no more than a few kilobytes. Smaller pictures will have a lesser effect on the size of your key.

* Designated Revokers. You may now specify that another public key on your keyring is allowed to revoke your key. This can be useful in situations where you are afraid of losing your private key, forgetting your passphrase, or in extreme cases such as a physical incapacity to use the key. In such cases, the third-party you designate will be able to revoke your key, send it to the server and it will be just as if you had revoked it yourself.

* Secure communications with the PGP Certificate Server. PGP's implementation of TLS (the successor to SSL) is used for server operations. Any query sent to the server is done over a secure connection -- secure in the PGP context meaning always using 128 bit encryption along with server side authentication. This will prevent any traffic analysis of which keys you are retrieving from the server providing increased privacy.
Adding keys to the server uses the same technique.

* Secure deletion from the PGP Certificate Server. On servers configured to allow it, a long awaited and eagerly anticipated feature has been introduced. Users may be allowed to delete or disable their own keys on the server by authenticating themselves through TLS (Transport Layer Security). If you can authenticate with your own key, you may delete it. All of this is very simply automated by choosing the appropriate commands from the menu. The public server at ldaps://certserver.pgp.com is TLS-enabled.

* Unknown Recipient Server Lookup. When decrypting a message, double clicking the "# Unknown Keys" entry will automatically perform a server lookup on all those keys to determine their identity.

* Subkey Management. Every DH/DSS key is actually two keys: a DSS signing key and a Diffie-Hellman encryption subkey. PGP 6.0 now provides the ability to create new encryption keys without sacrificing your master key and the signatures collected on it. You may also revoke old subkeys independent of the key itself. One of the most common uses of this feature is to create multiple subkeys which are set to be used during different periods of the key's lifetime. For instance, if you create a key which will expire in 3 years, you might then create 3 subkeys each of them used for one of the years in the lifetime of the key. This can be a useful security measure and provides an automatic way to switch to a new encryption key periodically.

* Signature Expiration. You may now make signatures on other keys which expire after a given date. This is a very useful feature for Certificate Authorities, corporations hiring a contractor for a limited period, and other situations in which you wish to grant validity to the key for only a limited time period.

* Toolbar. An iconic toolbar has been added to PGPkeys for easy access to the most frequently used key management functions.

* Improved Application Integration.
The PGP icon in the Windows system tray now allows in-place encrypt/decrypt/sign/verify in the application windows of most applications without the need for an explicit copy and paste by the user. Just turn on "Use Current Window" from the PGPtray menu. [Win32, this feature is accomplished by PGPmenu on the Macintosh]

* Signature Reverification. The signatures on keys on your keyring are verified when they are added to your ring. It is possible, however, whether through data corruption or malicious tampering, for invalid signatures to exist. This command may be used to reverify that the signatures on the keys are valid.

* Freespace Wipe. PGPtools now has the ability to wipe all freespace on your disks. This is an important addition to PGP's traditional file wiping feature. Modern operating systems commonly store large amounts of data in temporary files including at times data from files that have themselves been wiped. It is recommended that you periodically wipe the freespace of your drives to make sure data has not been left behind by the Operating System in places you don't know about. On Win32, PGP 6 supports wiping of NTFS, FAT16, and FAT32 volumes. On the Mac, PGP 6 supports HFS and even HFS Plus!

* Improved Wiping. Both file and volume wiping now use a significantly enhanced set of patterns over multiple wipes specially tuned for the media types in use by today's computers. This work is based on extensive research by those familiar with exactly how the bits of your data are written to your hard drive, floppy disks, and other media. The methods used for wiping go well beyond U.S. military standards for data wiping. The full set of patterns for what we feel is about as good as wiping gets is obtained by setting the number of passes to 26. Of course, far fewer wipes are required for lower-security needs.

* Outlook Express Plugin. An email plugin for Outlook Express 4 has been included. This was also included in late builds of 5.5.
[Win32]

* Outlook 98 Compatibility. The Exchange/Outlook plugin has been updated to work with Outlook 98. [Win32]

* Column Resizing. PGPkeys has been enhanced to support resizing of columns. This can be very useful if you have User IDs with very long names. [Mac, this feature was in 5.5 on Win32]

* Appearance Manager Savvy. PGP 6.0 is the first version of PGP (and quite frankly one of the first non-Apple produced applications) to be Appearance Manager savvy. The Appearance Manager is required and utilized by PGP 6.0. We have tested this functionality with MacOS 8.1. Future versions of MacOS may require a maintenance release of PGP to be fully appearance savvy. [Mac]

* Balloon Help and Improved AppleGuide. PGP 6.0 now sports balloon help along with improved support for AppleGuide online help. [Mac]

* Artwork. Lots of new artwork, splash screens, and icons. All the key icons have been replaced.

* Share Splitting. Any private key may now be split into shares among multiple "shareholders" using a cryptographic process known as Blakley-Shamir splitting. This technique is recommended for extremely high security keys. For instance, Network Associates keeps its corporate key split between multiple individuals. Whenever we need to sign with that key, the shares of the key are rejoined temporarily. The ability to use Split Keys has been integrated throughout the PGP product. The two most common uses for Split Keys are for the Corporate Signing Key Meta-Introducer and as the default Incoming or Outgoing ADK as both of these are generally considered extremely high security keys. To split a key, select the key pair to be split and choose "Share Split..." from the Keys menu. You will then be asked to set up how many different people will be required to rejoin the key. The shares will be saved as files either encrypted to the public key of a shareholder or encrypted conventionally if the shareholder has no public key.
After the key has been split, attempting to sign with it or decrypt with it will automatically attempt to rejoin the key. There are two ways to rejoin the key: Local and Network. Local requires that the shareholder is present at the computer rejoining the key. Network utilizes the secure network communications provided by PGP's new TLS (Transport Layer Security) implementation to provide a secure link over which to transmit key shares. This allows multiple individuals in distant locations to securely sign or decrypt with a Split Key.

* Unknown Signer Lookup. Setting the "Verification" checkbox in the Server Prefs Panel will automatically look up a signing key on the server when performing a verification of a signature if the signing key is not on your keyring.

* Domain Restrictions on Trusted Introducers. A Meta-Introducer may now enter a particular e-mail domain when signing a Trusted Introducer into action. For instance, if the Security Officer of company.com wants to restrict the director of products to sign any key from "products.company.com", he may enter that domain as a restriction on the signature. That Trusted Introducer's signatures will then have an effect only on keys in that domain.

******************************************************************

NEW FEATURES IN 6.0.2

· PGP Version 6.0.2 includes a Secure Viewer feature known in previous versions of PGP (Version 2.x) as "For Your Eyes Only" or FYEO. A message encrypted with the Secure Viewer option is only viewable within the read-only Secure Viewer window. The recipient of the message is unable to save the message as plaintext. The Secure Viewer uses a special font that prevents TEMPEST attacks. For more information on Secure Viewer, please see the What's New section in the PGP User's Guide .pdf file.

· Forcing the Recipient Dialog to appear can now be accomplished by holding down a modifier key in the email plugin to show the Recipient Dialog even in cases where the recipients are all valid.
This key varies by plugin, but is either Shift or Control.

· The Outlook plugin now supports Personal Distribution lists.

· PGPtray now works with files copied to the clipboard from Explorer. It previously only worked with copied text.

******************************************************************

NEW FEATURES IN 6.5.1

1. PGPnet. PGPnet is a landmark product in the history of PGP. PGPnet secures all TCP/IP communications between itself and any other machine running PGPnet. PGPnet has been successfully tested with Cisco routers (requires Cisco IOS 12.0(4) or later with IPSec TripleDES), Linux FreeS/WAN, and many others.

2. Self-Decrypting Archives. You may now encrypt files or folders into Self-Decrypting Archives (SDA) which can be used by users who do not even have PGP. The archives are completely independent of any application, compressed and protected by PGP's strong cryptography.

3. Integrated PGP Command Line. This version incorporates the popular command line version of PGP for Windows platforms. This product provides you a convenient way to integrate PGP with other Windows applications and automated processes on your desktop system. Please note that this is intended for single user/workstation use. For use on servers, customers are required to purchase the PGP Command Line/Batch Server product. Please contact your local Network Associates Sales representative for more information.

4. Automated Freespace Wiping. PGP's Freespace Wipe feature now allows you to use the Windows Task Scheduler to schedule periodic secure wiping of the freespace on your disk.

5. Hotkeys. The Use Current Window feature has been significantly enhanced by the addition of Hotkeys. By pressing the configured key combination, the Encrypt/Decrypt/Sign functions can be automatically invoked in zero clicks without using PGPtray.

6. Fingerprint Word List. When verifying a PGP public key fingerprint, you can now choose to view the fingerprint as a word list instead of hexadecimal characters.
The word list in the fingerprint text box is made up of special authentication words that PGP uses and are carefully selected to be phonetically distinct and easy to understand without phonetic ambiguity.

7. Support for Outlook 2000 and Outlook Express 5.0. This version of PGP adds support for sending and receiving encrypted e-mail in Microsoft Outlook 2000 and Outlook Express 5.0.

8. HTTP Proxy Support. If you are behind a corporate firewall with an HTTP proxy server, PGP now supports accessing HTTP keyservers through the proxy. To use this feature, you must configure the proxy server address in your Internet Explorer preferences.

9. Smart Word Wrapping. The word wrapping in PGP now automatically rewraps paragraphs and even quoted paragraphs resulting in much cleaner signed messages.

******************************************************************

PGP version 6.5.2 enhancements

1. Support for Windows 2000 operating systems
This release of PGP introduces support for Microsoft's latest releases of Windows. All PGP functionality is available in Windows 2000 except PGPnet. PGPnet will support Windows 2000 in future releases of PGP.

2. Windows 2000 IPSec interoperability
PGPnet running on non-Windows 2000 systems can establish VPN connections with the built-in Windows 2000 IPSec client. (The Windows 2000 system must be running the Windows 2000 High Encryption Pack.)

3. Intel Pentium III Random Number Generator (RNG) support
If your computer is equipped with the Intel RNG, PGP will use the random data generated by the chip in addition to our own entropy collection whenever random data is needed for key generation and encryption. The Intel RNG is currently only available with select Pentium III chipsets, including the Intel 810 chipset.

4. Automatic email plug-in pre-selection
PGP will now automatically pre-select email plug-ins to install on your system based on what messaging applications are installed.
Nevertheless, you are still able to change the selected plug-ins at install time.

******************************************************************

(6.5.3) FIXES IN THIS RELEASE

1. In some situations, it was not possible to Decrypt/Verify a message after browsing your hard drive with the Microsoft Outlook browser. This has been corrected.

2. PGP can now decrypt files that originally did not have a file extension.

3. PGPnet now supports Multi-Tech PCMCIA Cards on Windows NT. Previously, this card was only supported on Windows 95 and Windows 98.

4. PGP and CyberCop Scanner can now be installed on the same Windows NT computer.

5. Problems with some 16 bit applications crashing while PGPtray is running may be resolved.

6. PGP will now permit the selection of the destination directory if the source directory is read-only or full.

******************************************************************

{{{6.5.8 addresses the ADK Security Flaw in PGP versions 5.5 through 6.5.3}}}

******************************************************************

PGP Desktop Security Version 7.0 ReadMe

* Enterprise-Class Manageability *

1. Easy pre-configuration and optional "lock down" of PGP product settings. This release takes PGP to the next level of enterprise manageability by introducing several new instrumental features that give administrators more control over PGP deployments in their environments. Using the updated PGPadmin utility, administrators can pre-configure all settings within PGP 7.0 (ranging from cryptographic policies to Personal Firewall settings) prior to deploying PGP to their end users. Administrators can also specify, on a very granular level, which settings in PGP are "locked down" from user modification. "Locked down" settings appear grayed out in the GUI to end users, and are protected in storage using cryptographic methods.

2. Automated configuration updating.
PGP 7.0 introduces a valuable feature that helps administrators keep product configuration information on deployed PGP clients up-to-date. Computers protected by PGP 7.0 can automatically download updated configuration information on a scheduled basis from any PGP Keyserver 7.0 or standard LDAP v2 or v3 compliant directory. Updates can be downloaded using standard LDAP or LDAPS (LDAP over SSL - which provides configuration data over a strongly authenticated and encrypted connection).

3. "Shrink-to-fit" pre-configured packages of PGP. PGP 7.0 includes a new space-saving feature that creates smaller pre-configured packages of PGP based on what components administrators choose to deploy to their end users. The updated PGPadmin utility will automatically remove all unneeded components from pre-configured packages of PGP, therefore reducing overall package size. This minimizes download times when deploying PGP to end users.

4. Improved multi-user support on Windows NT/2000 systems. This release introduces improved support for multiple users using a single Windows NT/2000 system by storing all user-specific information (keyring, PGP configuration data, random data pool, etc.) in each user's Windows profile area. Computer specific information, such as VPN settings, is stored in a central location on the system.

* Personal Firewall / Personal IDS / VPN *

5. Flexible, enterprise-class Personal Firewall and Personal IDS (Intrusion Detection). This release introduces PGP's robust Personal Firewall and Personal IDS technology. PGP creates a dual-layer security perimeter around any computer it protects. Utilizing IDS technology from Network Associates' leading CyberCop family of intrusion protection solutions, PGP provides protection from common attacks, including SYN floods, Ping floods, Smurf, Bonk, Ping of Death, Back Orifice, Teardrop, and so on. PGP provides flexible packet filtering Personal Firewall technology as the second line of defense for computers it protects.
The product comes with six specific pre-defined levels of protection, each with its own associated list of packet filtering rules. Administrators can also create customized rules prior to deploying PGP, as well as keep them up-to-date using PGP's new automatic configuration update feature.

6. Automatic blocking of attacks and hostile network traffic. PGP 7.0 can optionally block attacks as soon as they are detected. Additionally, PGP can optionally block all further network traffic from machines identified as being hostile (for an administrator specified period of time).

7. Powerful intruder tracing provides useful tracking information. Utilizing PGP's intruder tracing feature, users and administrators can obtain very detailed information about systems that originated the attack.

8. Customizable user alerting for Intrusion Detection events. PGP 7.0 allows administrators to configure when and how users are notified about attacks against their computers. Responses range from being completely silent to playing a sound and blinking the PGP systray icon.

9. SMTP-based administrator alerting for cyberattacks. This release provides optional SMTP-based alerting to warn administrators of attacks occurring against computers protected by PGP 7.0.

10. Next generation client-to-client and client-to-server VPNs. PGP 7.0 includes revolutionary peer-to-peer VPN capabilities that enable truly scalable, enterprise-wide network encryption. If enabled, PGP 7.0 will attempt to communicate via IPsec whenever an IP-based connection is attempted to or from another network device. This behavior is controlled by administrators and can be enabled only in environments that require this level of security.

11. Simple point-and-click VPN connections via PGP systray. Users can now easily connect to VPN gateways and other VPN endpoints that administrators have configured within PGP to require a manual connection by simply selecting the appropriate link icon in the convenient PGP systray.

12. Support for new IKE/IPsec "mode-config" standard. PGP 7.0 users can now establish VPN connections to networks that are using Network Address Translation (NAT). When users connect to a VPN gateway that also supports this standard, users can automatically obtain a "virtual identity" (IP address along with DNS and WINS server information) which PGP will use when communicating with devices behind the VPN gateway, thus making the user seem like they are located inside the remote network.

13. Support for "split-tunnel" and "non split-tunnel" VPN connections. This release introduces a new "exclusive gateway" capability that allows administrators to optionally force all network traffic from a remote access user's system down a VPN tunnel to your corporate network (e.g., thus preventing split-tunnel VPN connections). This feature not only provides a higher level of network security, but it also provides administrators visibility and control over which web resources users access.

14. Simultaneous protection of multiple network adapters. This release adds support for binding to and protecting multiple network adapters simultaneously (dial-up, cable modem, DSL, LAN, ISDN, etc.), providing Personal Firewall, Personal IDS and VPN capabilities on all selected adapters.

15. Optimized VPN connection performance via new MTU path discovery capability. PGP now automatically determines the optimal packet size (MTU, Maximum Transmission Unit) for each VPN connection. This eliminates any packet fragmentation that may occur due to intermediate Internet routers that use smaller packet sizes than the user's ISP or your corporate network.

* PGP Key and X.509 Certificate Support *

16. New RSA key format. PGP 7.0 introduces a new RSA key format that provides support for PGP's Additional Decryption Key (ADK), designated revoker, multiple encryption subkeys and photo ID features. Previously these features were only available to users with Diffie-Hellman keys.
PGP will continue to support users who have RSA keys in the older key format (now called the RSA Legacy key format).

17. iPlanet (formerly Netscape) CMS 4.x support. PGP 7.0 includes support for effortlessly requesting, retrieving and using X.509 certificates issued from iPlanet CMS 4.x PKIs.

18. Microsoft Windows 2000 Certificate Services support. This release of PGP adds support for users to easily request, retrieve and use X.509 certificates issued from Microsoft Windows 2000 Certificate Services.

19. Key reconstruction feature helps users recover from lost or forgotten passphrases. PGP 7.0 introduces a new, optional key reconstruction feature that leverages PGP's cryptographic key splitting technology to provide a secure means for users to recover their private keys. This enables users who have forgotten their PGP passphrase to regain access to their encrypted data after answering five questions whose answers only the user would know.

20. Automatic X.509 certificate retrieval upon successful certificate request. After users step through a simple wizard that generates their encryption and signing keypairs at install time, PGP can automatically submit an X.509 certificate request to a pre-configured X.509 RA/CA. This release adds a feature that will automatically poll the associated LDAP directory for the user's certificate. Once the user's certificate is located, it is automatically downloaded and configured as the primary authentication method for PGP's integrated VPN client.

21. Support for using X.509 certificates for secure email. This release gives customers the choice of what type of keys/certificates to use for exchanging secure email (e.g., PGP keys and/or X.509 certificates). PGP 7.0 users can also concurrently send an encrypted email to users with PGP keys as well as other users with X.509 certificates.

22. Automatic X.509 certificate lookup from LDAP directories.
If the X.509 certificate of a secure email recipient is not cached locally on the sender's PC, PGP can now automatically search an administrator pre-defined list of LDAP directories for that user's certificate. Users can also use the PGPkeys application to perform manual searches of LDAP directories for X.509 certificates.

23. Support for storing and searching for PGP keys on LDAP servers. Extending support for storing PGP keys on servers other than PGP Certificate Servers and PGP Keyservers, PGP can now store and retrieve PGP keys from any standard LDAP v2 or v3 compliant directory.

24. Silent keyring maintenance. PGP now performs automatic, unattended keyring maintenance such as key synchronization, trusted introducer updates, CRL downloading, etc. without displaying any non-critical dialog boxes.

25. PGPkeys is able to open multiple keyrings at once. Users can now open and manage multiple keyrings at a time, thus simplifying keyring management.

26. A new automatic backup feature allows the user to automatically back up keyrings to the keyring directory or another directory when any changes are made to the keyring. PGP no longer creates a series of backups in the keyring folder. Automated keyring backup is now entirely in the user's control.

* Entropy and Cryptographic Algorithms *

27. Continuous entropy collection. PGP now continuously collects random data from mouse movements and keystrokes (whether a PGP-related window is open or not), and stirs that random data into the PGP entropy pool.

28. Twofish support. PGP introduces the option of encrypting email, disks, files and ICQ instant messages using Twofish, a relatively new, but well regarded 256-bit cipher. Twofish is one of five finalists for NIST's new Advanced Encryption Standard (AES).

* Single Sign On *

29. Improved overall ease-of-use via new centralized passphrase caching.
PGP 7.0 simplifies users' lives by only requiring them to enter their passphrase once to one of the many PGP components, and then the user can launch any of the other PGP modules without needing to enter their passphrase again (unless configured to do so by the administrator).

* Instant Messaging Plug-In *

30. PGP 7.0 secures the next generation of interpersonal communications by introducing integration with ICQ 99b and ICQ 2000a. Users can now safely share instant messages via PGP's world-renowned encryption and digital signature capabilities, which have been extended to this exciting platform. Users can secure all the methods of communication and data sharing capabilities of ICQ by leveraging the PGP ICQ plug-in for instant message protection and PGP's Dynamic Peer-to-Peer VPN capabilities for securing file transfer, chat and all other direct client-to-client communications.

* Email Plug-Ins *

31. Lotus Notes 5.x client support. This release extends PGP's broad messaging platform coverage to another critical platform used in many enterprises today. This new plug-in exploits many of the new interface capabilities of Lotus Notes 5.x, thus making PGP even easier to use. This release of PGP also continues support for Lotus Notes 4.5.x and 4.6.x clients.

32. Rich text support in Outlook plug-in. The PGP plug-in for Outlook 97, 98 and 2000 now supports preserving rich text formatting of digitally signed and/or encrypted messages.

* Disk and File Encryption *

33. Mount PGPdisks as folders on Windows 2000 systems. PGP 7.0 includes many enhancements to its transparent disk encryption component, PGPdisk. As an alternative to mounting PGPdisks as a separate virtual drive on a user's system, PGP now supports mounting PGP disks as a virtual folder on Windows 2000 systems with NTFS-formatted drives.

34. Control access to PGPdisks using only PGP keys. Users can now use the new PGPdisk Editor tool to effortlessly add or remove users' public keys to the access list for a PGPdisk.
Users can also add passphrases as an alternative method to control access to PGPdisks; however, PGPdisk no longer requires a master/administrative passphrase at the time of creation. 35. Automatic mounting of PGPdisks at logon. Users now have the option having their PGPdisks automatically mount during the startup process. 36. Re-encrypt PGPdisks without PGPdisk re-creation. This release adds the ability for users (or administrators) to re-encrypt all data on a PGPdisk. This feature provides an additional level of protection in environments requiring a higher level of security. PGPdisks can either be re-encrypted using a new CAST encryption key, or they can be converted to using Twofish encryption. * Disk, File and Freespace Wiping * 37. Automatic wipe upon file delete. Users now have the option of having files automatically wiped as soon as they are deleted. On Windows systems with the Recycle Bin enabled, files are wiped once they are "emptied" from the Recycle Bin. 38. Significantly improved disk wiping time. This release incorporates new technology for wiping file slack space and disks that is significantly faster than previous versions of PGP. ****************************************************************** (PGP Desktop Security Version 7.0.1) ENHANCEMENTS IN THIS RELEASE 1. AES support. This release of PGP adds support for the new Advanced Encryption Standard algorithm (Rijndael). AES is the new NIST standard algorithm for the highest security with a 256-bit symmetric key size. 2. IKE Aggressive Mode support. PGPnet now supports the Aggressive Mode standard for IKE. This enables users to use usernames/passwords in combination with dynamic addresses to establish a secure VPN connection. 3. IKE Extended Authentication support. PGPnet now supports the Extended Authentication draft standard (Version 6+). This provides the ability to use legacy authentication methods such as RADIUS and SecurID when establishing VPN connections with compatible gateways. 4. 
Enable/Disable VPN. This release enables administrators to disable the VPN portion of PGPnet. This provides administrators the flexibility of using third-party VPN clients (such as the Nortel Extranet Access client) with PGP's market-leading Personal Firewall and Personal Intrusion Detection features. 5. Windows ME Support. PGP now supports Microsoft Windows Millennium Edition. 6. Optional reboot upon silent install. The PGPadmin utility now gives administrators the choice of whether or not PGP, upon completing silent installation on user machines, will automatically reboot. 7. RSA 4096 support. The new RSA V4 key type now supports the full range of key sizes supported by DH/DSS keys up to 4096 bits. ****************************************************************** (PGP Desktop Security Version 7.0.4) ENHANCEMENTS IN THIS RELEASE 1. Cisco/Altiga VPN client support. This release introduces compatibility with the Cisco VPN client version 1.1, and the Altiga VPN client version 2.5. Other third-party VPN clients supported by PGP include the Nortel VPN client. Note: The Cisco/Altiga VPN clients are not supported on Windows 95. 2. AES support. This release of PGP adds support for the new Advanced Encryption Standard algorithm (Rijndael). AES is the new NIST standard algorithm for the highest security with a 256-bit symmetric key size. 3. IKE Aggressive Mode support. PGPnet now supports the Aggressive Mode standard for IKE. This enables users to use usernames/passwords in combination with dynamic addresses to establish a secure VPN connection. 4. IKE Extended Authentication support. PGPnet now supports the Extended Authentication draft standard (Version 6+). This provides the ability to use legacy authentication methods such as RADIUS and SecurID when establishing VPN connections with compatible gateways. 5. Enable/Disable VPN. This release enables administrators to disable the VPN portion of PGPnet. 
This provides administrators the flexibility of using third-party VPN clients (such as the Nortel Extranet Access client or the Cisco/Altiga VPN client) with PGP's market-leading Personal Firewall and Personal Intrusion Detection features. 6. Windows ME Support. PGP now supports Microsoft Windows Millennium Edition. 7. Optional reboot upon silent install. The PGPadmin utility now gives administrators the choice of whether or not PGP, upon completing silent installation on user machines, will automatically reboot. 8. RSA 4096 support. The new RSA V4 key type now supports the full range of key sizes supported by DH/DSS keys up to 4096 bits. ****************************************************************** (PGP Desktop Security Products Version 7.1) NEW FEATURES Modularity 1. PGP Desktop Security has been split into four products: PGPmail - Email and File Security; PGPdisk - Disk Security; PGPvpn - IPsec Virtual Private Networking; PGPfire - Personal Firewall and Personal IDS. PGP Desktop Security is also available in the traditional form with all of the products integrated together. Each of the products can be installed and uninstalled in any combination to automatically combine the functionality. Smart Card Support 2. PGP now provides full support for smart cards. Smart cards allow private key storage on secured hardware. Decryption and signing operations using private keys stored on smart cards occur on the smart card itself. Keys can also be generated on the card, and the cards do not allow the private keys to be read off the card. The smart card features have been integrated into PGP's core functionality and thus are available in all of the PGP products whenever key pairs are used. 3. Three smart card types have been certified for this release: Rainbow's iKey 20XX, Schlumberger's Cryptoflex, GemPlus GemSafe Enterprise. For best results, we recommend using these cards. 
PGP also provides more generic support for any type of smart card that provides full PKCS#11 compatibility. 4. PGP's smart card implementation is fully compatible with certificates placed on cards by Windows 2000 or Netscape Communicator. Personal Firewall / Personal IDS / VPN 5. Application-level firewall. PGP's enterprise-class Personal Firewall and Personal IDS (Intrusion Detection System) now supports the ability to specify applications associated with each firewall rule, and sports a significantly improved user interface. 6. Firewall rule learning. PGP can now be told to watch your network traffic and write firewall rules dynamically for you. 7. Notifications of unknown network traffic. PGP can now ask you whether you want to allow or deny applications from communicating over the network as they occur, and will automatically modify your firewall rules as appropriate based on your answers. 8. Firewall rule sets can now be exported and imported. 9. VPN IP Range support. In addition to the past support for VPN Subnets, PGP now supports Ranges. For many networks, especially extremely large networks, Ranges are a much superior way to specify the configuration of the network. 10. Sniffer-format intrusion packet captures. Packets which cause the intrusion detection system to fire are now automatically captured and logged. They can later be analyzed using packet analysis tools such as Sniffer. 11. Automatic IP Address block ownership tracing. When tracing Intruders, PGP will now provide information about the ownership of the IP Address block from which the intrusion originated. 12. PGPfire is now compatible with the CheckPoint SecuRemote VPN client. Enhanced Exchange Server Support 13. Exchange server identities, which are similar to "/o=Acme/ou=HR/cn=Recipients/cn=JBob", can now be automatically added as a second PGP user ID when generating keys. The Outlook email plugin will automatically look up identities of this form as well. 
This feature makes sending email using the Outlook plugin in an Exchange Server environment even more seamless. Large File Support 14. PGP now supports file encrypt/decrypt/sign/verify operations on files greater than 2.5 Gigabytes. ****************************************************************** CHANGES IN VERSION 7.1.1 PGPmail and PGPdisk may now be used through Windows Terminal Services. This release incorporates all patches and hotfixes released since 7.1, and fixes other reported customer issues. {{{The following fixes are not in the documentation:}}} Outlook fix: http://www.securiteam.com/windowsntfocus/5RP032K60C.html. PGPdisk appears properly in Windows XP Windows Explorer. Fixes PGP 7.1 problem of keyrings not being able to be stored on PGPdisk volume. {{{The following are reported by Will Price}}} * Fixed bug where adding a userid was not copying old self-sig preferences. * Fixed bug in PGPAddKeys where "isEmpty" function pointer was not getting copied correctly, causing sporadic problems with resulting keyset. * Fix problem preventing the verification of V4 signatures on messages when 1-pass signatures are used. Only relevant for GPG compatibility. * Fix output in partial-body-length mode when data is a multiple of 4096 bytes. Last packet was going out as partial-body-length instead of a normal packet as required. This would only happen when encrypting/signing to/with V4 keys on files of exactly the wrong length. 
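The partial-body-length fix listed above concerns the OpenPGP new-format length encoding (RFC 4880, section 4.2.2), in which the last length header of a packet body must be a definite length, never a partial one. The Python below is an added example, not PGP's code and not part of the quoted documentation; the 4096-byte chunk size and all function names are assumptions chosen for illustration.

```python
"""OpenPGP new-format body lengths (RFC 4880, section 4.2.2).

Added illustration: names and the chunk size are assumptions, not PGP's code.
"""

CHUNK_POWER = 12              # assumption: partial chunks of 2**12 = 4096 bytes
CHUNK = 1 << CHUNK_POWER


class MalformedLength(ValueError):
    """Raised when a body does not end with a definite length header."""


def definite_length(n):
    """Encode a definite body length (one-, two- or five-octet form)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def encode_body(data):
    """Emit data as partial chunks followed by one definite-length chunk."""
    out = bytearray()
    pos = 0
    # A partial chunk is emitted only while MORE data follows it (strict '>').
    # With '>=' an input that is an exact multiple of CHUNK would end on a
    # partial header, which is the failure mode the release note describes.
    while len(data) - pos > CHUNK:
        out.append(0xE0 | CHUNK_POWER)        # partial header: 224 + power
        out += data[pos:pos + CHUNK]
        pos += CHUNK
    rest = data[pos:]
    out += definite_length(len(rest)) + rest  # final header is always definite
    return bytes(out)


def decode_body(buf):
    """Reassemble a body; return (body, kinds) with kinds like ['partial', 'final'].

    Raises MalformedLength if the input runs out before a definite header.
    """
    body = bytearray()
    kinds = []
    pos = 0
    while True:
        if pos >= len(buf):
            raise MalformedLength("no definite length header closes the body")
        first = buf[pos]
        partial = False
        if first < 192:                       # one-octet length
            n, hdr = first, 1
        elif first < 224:                     # two-octet length
            if pos + 2 > len(buf):
                raise MalformedLength("truncated two-octet length")
            n, hdr = ((first - 192) << 8) + buf[pos + 1] + 192, 2
        elif first < 255:                     # partial body length
            n, hdr, partial = 1 << (first & 0x1F), 1, True
        else:                                 # five-octet length
            if pos + 5 > len(buf):
                raise MalformedLength("truncated five-octet length")
            n, hdr = int.from_bytes(buf[pos + 1:pos + 5], "big"), 5
        chunk = buf[pos + hdr:pos + hdr + n]
        if len(chunk) != n:
            raise MalformedLength("chunk shorter than its length header")
        body += chunk
        kinds.append("partial" if partial else "final")
        pos += hdr + n
        if not partial:
            return bytes(body), kinds


if __name__ == "__main__":
    # Constructed inputs around the 4096-byte boundary.
    for size in (4095, 4096, 4097, 8192):
        _, kinds = decode_body(encode_body(bytes(size)))
        print(size, kinds)
```

A receiver that enforces the rule in `decode_body` rejects a stream whose last header is partial, which is why such output would fail to interoperate.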
****************************************************************** About PGP 8.0 for Windows Building on top of the solid PGP technology base, PGP 8.0 for Windows includes PGP Mail, PGP Disk, and PGP Admin, offering numerous improvements as well as the following new features: * Full Windows XP (including SP1) and Office XP compatibility * Full server-side support for the Lotus Notes plug-in * Support for Novell GroupWise 5.5 and 6.0 messaging client * Significantly expanded Unicode support * Directory integration with iPlanet Directory Server, Microsoft Active Directory, Novell eDirectory/NDS, and OpenLDAP * PGP Admin can now preconfigure automatic creation of PGP Disk volumes * Enhanced Smart Card functionality including support for Aladdin eTokens, Rainbow iKeys, Schlumberger cards and readers, GemPlus cards and readers, and more ****************************************************************** Regarding 8.0.2: Changes Since PGP 8.0 Changes to PGP since the release of version 8.0 include: * A revoked self-signature on a user ID is now represented as a revocation for the user ID. Revoked user IDs are removed from the list of recipients prior to display. * The MDC extensions to OpenPGP are now generated on messages when appropriate. * The private key S2K calculation now uses the improved methodology from the latest OpenPGP draft when appropriate. * Key Reconstruction issues with PGP Keyserver 7.X have been resolved. * Schemas for PGP Admin policy distribution via Microsoft Active Directory are now included in PGP Enterprise. * Microsoft Outlook: Issues with the body text of decrypted email messages have been corrected. * Microsoft Outlook: You now receive a warning if your editor is not set correctly. * Microsoft Outlook: Permissions issues on Public Folder messages have been resolved. * PGPkeys: Permissions issues with viewing photo IDs have been corrected. * SDK: Passphrase dialogs that accepted excess typing due to UTF8 support have been corrected. 
* SDK: Generating RSA keys with a keysize of ~3000 now works properly in all cases. * Plugins: Word wrapping is now functional in all cases. * Lotus Notes: The plugin now supports Lotus Notes R6 in addition to all previous versions of Lotus Notes back through 4.5. * ICQ: The plugin now supports ICQ versions up through ICQ 2003a. * PGPdisk: The AES algorithm at 256 bits has been added as a cipher to the PGPdisk algorithm choices. Disks created with this algorithm are also compatible with the Mac OS X version of PGP. * PGPdisk: Issues with handling of passphrases in PGPdisk causing compatibility problems with older PGPdisks have been resolved. * PGPdisk: Issues with storing keyrings inside a PGPdisk while simultaneously including an ADK user on the PGPdisk have been resolved. * Windows Terminal Services: Support for running in a Windows Terminal Services environment has been improved. * Windows Server 2003: Preliminary support for running under Windows Server 2003. As the final release of Windows Server 2003 was not available at the time of this release, running PGP 8.0.2 on that OS is not officially supported. * Smart Cards: Support for additional PKCS 11 compatible Smart Cards and Biometric devices has been added. ****************************************************************** Regarding 8.0.3: Changes to PGP since the release of version 8.0.2 include: * PGP 8.0.3 contains compatibility fixes for running alongside PGP Universal Satellite. Please make sure not to attempt installation of PGP 8.0.2 or lower over PGP Universal Satellite. * PGP 8.0.3 is now compatible with Office 2003 and Windows Server 2003. * Support for GroupWise 6.5 has been added. * Outlook attachment decryption now preserves the original filename in cases where the encrypted file was renamed to preserve security of the filename such as from PGP Universal. * Issues with imported X.509 certificate validity in the absence of a self-signature have been corrected. 
* Support for automatically detecting attempts to spoof signature verification text blocks has been added. * Freespace wipe on non-NTFS volumes would sometimes not succeed. This has been fixed. * Automatic download of ADKs from keyservers in the Notes plugin has been fixed. Various other fixes have been made to this plugin. ****************************************************************** About PGP 8.1 for Windows Building on top of the solid PGP technology base, PGP 8 for Windows includes PGP Mail, PGP Disk, and PGP Admin, offering numerous improvements as well as the following new features: * Windows XP (including SP2) and Office XP compatibility * Windows Server 2003 and Office 2003 compatibility * Full server-side support for the Lotus Notes plug-in * Support for Novell GroupWise 5.5 through 6.5.1 messaging client * Significantly expanded Unicode support * Directory integration with iPlanet Directory Server, Microsoft Active Directory, Novell eDirectory/NDS, and OpenLDAP * PGP Admin can now preconfigure automatic creation of PGP Disk volumes * Enhanced Smart Card functionality including support for Aladdin eTokens, Rainbow iKeys, Schlumberger cards and readers, GemPlus cards and readers, and more Changes to PGP since the release of version 8.0.3 include: * Automatic update notification has been added. A notification will be displayed if a PGP update is released. * Outlook 2003: errors in some scenarios claiming out of memory and other issues associated with the new Cached Exchange Mode feature of Outlook 2003 have been fixed. * Outlook: Warnings have been added to detect a complex sequence of events when S/MIME is enabled and attachments are encrypted by PGP. * Outlook: Improved compatibility with international characters encrypted with the UTF8 character set such as those generated by PGP Universal. * Outlook Express: Improvements to compatibility with international characters have been made. * Novell GroupWise 6.5.1 is now a supported platform. 
* Some Unicode fixes have been applied for very long names. * Substring matching is no longer allowed for email addresses. Matches must be exact in order to bypass the recipient key confirmation dialog that appears when encrypting an email. * Some corrupt keys could cause the recipient key confirmation dialog when encrypting an email to abort. Such keys are now ignored. * PGP SDK: PGP 8.1.0 EN uses a newer version of the PGP SDK which includes various new features and fixes. The following is an overview of the changes to the PGP SDK: * PGP SDK: Support for decoding BZip2 and ZLIB compression has been added. Encoding is also possible if you already have a key which claims to support it -- such as those generated by PGP Universal. * PGP SDK: S/MIME support has been added. This functionality is available only when used with PGP Universal Server and PGP Universal Satellite. * PGP SDK: Various TLS improvements including security improvements and support for additional algorithms such as RC4. * PGP SDK: Support for international characters in X.509 certificates. * PGP SDK: Various formatting fixes including a fix for a crash when encountering a key corrupted in a specific way. {{{The following is from a post to the PGP-Users list}}} [1] 8.1 can decrypt messages done using blowfish [2] 8.1 recognizes signatures from gnupg signing subkeys ****************************************************************** New Features in PGP Desktop 9.0 for Windows Building on the base of proven PGP technology, PGP Desktop 9.0 for Windows includes numerous improvements and the following new features: • Easy-to-use, integrated user interface provides quick access to all of PGP Desktop’s powerful features. • PGP Messaging integrates with all major messaging systems providing fully automated message security with granular user-controlled policy. 
• Integration with PGP Universal, allowing PGP Desktop to work standalone as with prior versions or as a PGP Universal Satellite client in a PGP Universal environment. • Support for PGP Zip archives, which let you encrypt/sign files and directories into a single compressed, secure archive. • Automatic encryption of AOL® Instant Messenger™ (AIM) instant messaging sessions and file transfers with other PGP Desktop users. • Whole Disk Encryption provides non-stop encryption securing everything on your hard drive all the way down to the boot level. (Requires Windows XP SP 1 or 2.) • Support for advanced compression algorithms BZip2 and ZLib. ****************************************************************** New Features in PGP Desktop 9.0.1 for Windows Building on the base of proven PGP technology, PGP Desktop 9.0.1 for Windows includes numerous improvements and the following new features: • Easy-to-use, integrated user interface provides quick access to all of PGP Desktop’s powerful features. • PGP Messaging integrates with all major messaging systems providing fully automated message security with granular user-controlled policy. • Integration with PGP Universal, allowing PGP Desktop to work standalone as with prior versions or as a PGP Universal Satellite client in a PGP Universal environment. • Support for PGP Zip archives, which let you encrypt/sign files and directories into a single compressed, secure archive. • Automatic encryption of AOL® Instant Messenger™ (AIM) instant messaging sessions and file transfers with other PGP Desktop users. • Whole Disk Encryption provides non-stop encryption securing everything on your hard drive all the way down to the boot level. (Requires Windows XP SP 1 or 2.) • Support for advanced compression algorithms BZip2 and ZLib. 
{{{Microsoft Word can now be used as an email editor in Microsoft Outlook}}} ****************************************************************** {{{9.0.2 adds support for Whole Disk Encryption on Windows 2000}}} ****************************************************************** Changes from PGP Desktop 9.0.2 to 9.0.3 include: · Messaging: Improvements have been made to passphrase caching. Disabling the passphrase cache now works properly, and passphrase dialogs no longer appear when processing messages that are not encrypted or signed. [7700] · Messaging: The default messaging policies for new Messaging services have been changed to search the PGP Global Directory only instead of All Keyservers. This allows adding keyservers for searching manually rather than using every keyserver for every key lookup. [7908] · Messaging: The proxy architecture has been improved to provide even greater compatibility with third-party products that also inject themselves into the network stack. [6279, 7157, 7251, others] · Messaging: The “Automatically Detect Settings” option in Internet Explorer’s proxy settings could cause significant delays in sending email. This has been resolved. [7430] · Messaging with Outlook MAPI: Clear-signed messages with international characters would sometimes not produce proper character fidelity. This has been resolved. [7640] · Messaging with Outlook MAPI: Using the Resend message option in Outlook 2003 when Cached Exchange Mode is off no longer reports a resource busy error. [7083] · Messaging with Outlook MAPI: When using the registry-based Outlook option to CheckAdminSettings, Outlook XP would crash when decrypting PGP/MIME messages. This has been resolved. [7730] · Messaging with Outlook MAPI: Performance when opening unencrypted and unsigned messages has been dramatically improved. [7742] · Messaging with Outlook MAPI: Outlook RTF format messages with embedded OLE objects could appear to have an empty message body in some cases. 
This has been resolved. [7780] · Messaging with Outlook MAPI: In some cases, Outlook 2000 was unable to decrypt and verify HTML and RTF format messages. This has been resolved. [7811] · Messaging with Outlook MAPI: Very large plain text messages sent from Outlook XP were not always formatted properly. This has been resolved. [8004] · Messaging with Lotus Notes: Signature annotations were often improperly reporting keys as unverified when using Lotus Notes. This has been resolved. [7538] · Messaging with Lotus Notes: Messages to users listed in a local Notes address book without an email address were not encrypted in some situations. Sending such email will now fail or otherwise follow policy, as appropriate. [7691] · Messaging with Lotus Notes: Replying to messages in shared Notes databases (mailing databases) now works properly. [7820] · Messaging with Lotus Notes: Sending mail from a client launched in island (offline) mode now works properly. [7871] · V-ONE SmartPass VPN client: This client is now compatible with PGP Desktop. [7251] · Whole Disk Encryption: Whole Disk Encryption initiation no longer requires administrative privileges for the user account. This allows deployment of pre-configured builds to unprivileged users. [FMR] · Whole Disk Encryption: Further protections to ensure that disks with too many logical drives cannot be encrypted have been put in place. Other issues with logical drives appearing hidden in some scenarios have been resolved. [7337] · Whole Disk Encryption: Some third-party disk defragmentation utilities, such as PerfectDisk, could have caused corruption of encrypted disks. Additional protections have been put in place to prevent this. [7411] · Whole Disk Encryption: 30-day trial software licenses now allow evaluation of PGP Whole Disk Encryption, and will decrypt at the end of the trial period. 
[7654] · Whole Disk Encryption: It is now possible to license the product to enable only the PGP Whole Disk Encryption functionality with the core feature set. [7654] · Whole Disk Encryption: Enrolling a second user in a configured client from a PGP Universal Server on the same system when initiating whole disk encryption did not work properly. This has been resolved. [7920] · Japanese: Improvements have been made to various areas of the user interface for Japanese usability. [7673, others] · Japanese: Fully translated documentation and online help is now available in Japanese. [FMR] · Tokens: Generating keys on tokens would often hang when the wipe on delete functionality was turned on. This has been resolved. [7737] · RSA Legacy Keys: RSA Legacy keys could not be set with Implicit Trust. While these keys have been deprecated, this particular piece of functionality was not intended to be removed yet. [7961] · S/MIME: Some types of certificate chains were not properly included in the S/MIME formatting. This has been resolved. [7641] · Messaging: Some types of incorrectly formatted messages (usually incarnated as spam) could cause 4XX SMTP errors resulting in a backoff for SMTP mail queues rather than a proper rejection of the message with a 5XX error. This has been resolved. Additionally, some cases of poor message formatting affecting stability were resolved. [7915, 7940] · Messaging: Mailservers with improperly configured STARTTLS could incorrectly report SMTP AUTH failures rather than STARTTLS failures. These problems are now accurately reported. [7842] · Messaging: In some cases, clear-signed email with an attachment from an Outlook MAPI client forwarded to an IMAP/POP client would appear to lose the attachment when the attachment was actually present in the message source. This has been resolved. 
[7983] ****************************************************************** Changes from PGP Desktop 9.0.3 to 9.0.4 include: • PGP Wipe Free Space: In some cases on Windows XP, the PGP Free Space Wipe feature did not properly clean the slack space at the end of files that had been resized down. This has been fixed. To wipe slack space on locked files and in the MFT, it remains necessary to reboot into another operating system and use the ‘Wipe NTFS internal data structures’ option. This did not affect other operating systems, nor did it affect the PGP Shredder or automatic shredding functionality when files are deleted; both of those features wiped slack space properly. [8341] · Messaging: An incompatibility with the Oleane Mail Server has been resolved. [8286] · Whole Disk Encryption: A transposition problem with the English (United Kingdom) keyboard layout has been resolved. [8300] · AntiVirus Compatibility Improvements: An incompatibility between PGP Desktop and the NOD32 Antivirus System has been resolved. Issues with McAfee VirusScan 7 and 8 were also resolved - see the Anti-Virus Client Compatibility section for more information. [8306] ****************************************************************** Changes from PGP Desktop 9.0.4 to 9.0.5 include: • Thunderbird: Thunderbird 1.5 introduced unique changes to IMAPv4 that caused an inability to connect via IMAP through PGP Desktop. This has been fixed. [8068] • Mailservers: PGP Desktop has added support for non-compliant mailservers that use message IDs greater than 70 characters, in violation of standards. [8454] • PGP Virtual Disk: Mounting a PGP Virtual Disk incorrectly required that the public keys of all users with access to the disk were present on the keyring. This has been fixed. [8489] • EMC Legato Networker: Installation of EMC Legato Networker on the same system as PGP Desktop for Windows would crash the system on shutdown. This version of PGP Desktop works around this conflict. 
[8353] • Aladdin eTokens: A very rare problem authenticating to Aladdin eTokens at boot time has been resolved in this version of PGP Desktop. [8367] ****************************************************************** Changes from PGP Desktop 9.0.5 to 9.0.6 include: • WDE: The user records file has been improved for better encryption and forward compatibility. It will automatically be upgraded after the installation reboot. [9064] • Messaging: Verizon recently changed their POP servers such that their CAPA response violates RFC 2449. This is now supported. [8821] • SDK: If a system was misconfigured with a malicious PATH environment, an incorrect loading sequence could occur. This has been fixed. [8804] ******************************************************************* PGP 9.6.1: Changes Between 9.6 and 9.6.1 Include: Resolved issue: After installing and enrolling PGP Desktop for Lotus Notes, the native Lotus Notes (non-PGP) encryption was ignored when selected. PGP Desktop now uses Lotus Notes encryption if the recipient's key is not found and if the user has selected to use native Notes encryption. [13197] Resolved issue: Lotus Notes clients enrolled using LDAP synchronization will now always properly secure the initial email following enrollment. [12821] Resolved issue: Users can now use roaming profiles between multiple systems with different keyring paths (for example, when keyrings are stored on a server, and the user logs in to different computers that use a different mapped drive to the server). [13108] Resolved issue: Support for decrypting an incorrect signing time format on S/MIME emails from Blackberry devices has been added. [13248] Resolved issue: Lotus Notes email is now decrypted when the principal of the email received does not include a display name. 
[13366] What's New in PGP Desktop for Windows Version 9.6 Building on PGP Corporation’s proven technology, PGP Desktop 9.6 for Windows includes numerous improvements and the following new and resolved features: Installation New feature: PGP Desktop now supports the Microsoft Windows Vista operating system (all 32-bit editions). New feature: PGP Desktop now supports Microsoft Outlook 2007. New feature: PGP Desktop now supports Microsoft Exchange 2007. See "PGP Corporation Compatibility Status with Microsoft Exchange Server 2007" in this document for more information. General Resolved issue: In situations where the "My Documents\PGP" folder is deleted, PGP Desktop now properly recreates the folder and creates new keyring files. [12517] PGP Whole Disk Encryption New feature: PGP Whole Disk Encryption now supports both Spanish language and French language keyboards. Resolved issue: The PGP Desktop application is now compatible with logical drives contained on extended partitions. [11365] PGP NetShare Changed functionality: Interaction with large protected folders has been improved. Resolved issue: Delays when accessing a mapped network drive have been resolved. The problem no longer occurs as long as Overlay PGP icon on secured files and folders is disabled in the Netshare tab of the PGP Options dialog box. [12441] Changed functionality: Interaction with a large number of shares on a DFS root has been improved. [12438] PGP Zip Resolved issue: The PGP Zip filename was not included in the save location, which in some situations could lead to unintentional overwriting of previous PGP Zip files. [12250] PGP Virtual Disk Changed functionality: Improvements have been made to the compaction of very large PGP Virtual Disks. PGP Messaging Resolved issue: Embedded attachments in forwarded MAPI messages displayed as invalid attachments if Outlook was configured to only download headers. 
[12044] Resolved issue: Users were unable to automatically import keys sent from users without PGP Desktop, as the .asc extension was removed from the public key file attachment. [12163] Resolved issue: Encrypting to a list of keys would not encrypt the message if all of the keys were expired or revoked. Now messages are blocked if any of the keys are expired or revoked; an error appears in the Notifier and is logged in the messaging log. [12537] Resolved issue: MAPI Exchange Server Fax Connector style email addressing is now supported via the MAPI interface. When configured on your Exchange Server with an appropriate product, addresses of the form [ADDRESSSPACE:FAXNUMBER] (such as [FAX:5551212]) or [ADDRESSSPACE:FAXNUMBER##FAXLINE] (such as [FAX:5551212##LINE1]) will be allowed. In addition to numerals, the characters +,-()*# and spaces are also allowed. Messages not conforming to proper address semantics will be blocked. [12840, 13365] Lotus Notes Support Changed functionality: Extensive updates have been made to support multiple domain-qualification on email addresses against the Notes/Domino platform. Resolution includes handling of cases of domained addresses appearing in Notes/Domino groups, and of similar appearing in recipient's forwarding address (person document). Also includes the routing of an SMTP-addressed recipient through Notes Mail (for example, user_name@example.com @ TECH). [12135] Resolved issue: Lotus Notes emails sent in RTF format without body text did not include the annotations "Signed" and "Decrypted" and the message was decrypted inconsistently. [11890] Resolved issue: Lotus Notes email messages were not proxied if the Lotus Notes email client was installed after PGP Desktop. [7545] Resolved issue: Lotus Notes quit unexpectedly if an email message was addressed without the Organization Name (for example, addressing a message to John Doe@DomainName rather than John Doe/OrganizationName@DomainName). 
[12071] Resolved issue: PGP Desktop was unable to decrypt emails that are stored in a Lotus Domino archive database. [12297] PGP Keys Resolved issue: The PGP Global Directory Assistant displayed when manually uploading keys to the PGP Universal Server. [12248] Resolved issue: The PGP Keys control box disappeared when the My Documents folder was moved to an unavailable remote location. In this situation, if your keyring was on a remote network share that is not accessible during logon, then PGP Desktop did not display the PGP Key control box. A dialog box now appears asking if you want to Try Again or Create New Default Public/Private Keyring File. [12211] ************************************************ What's New in 9.7 Building on PGP Corporation’s proven technology, PGP Desktop 9.7 for Windows includes numerous improvements and the following new and resolved features: PGP Desktop General Features Additional platform support. PGP Desktop and PGP Universal Satellite are now available for Microsoft Windows Vista 64-bit and Mac OS X 10.5 (Leopard). Feature deployment control. Administrators can now enforce policy by providing end users only with authorized client features, enabling or disabling client capabilities before distributing PGP client software to end-users. Disabled features are then unavailable in the PGP Desktop user interface. Intel AMT support. PGP Desktop supports Intel Active Management Technology (AMT) Agent Presence on those computers with properly configured Intel AMT-equipped motherboards. PGP Desktop reports its current status via AMT to enable Enterprises to query configuration information even when a system is turned off. Updated key reconstruction user interface. The PGP Desktop Key Reconstruction user interface has been significantly improved in this release. 
Primary new features include the ability to select and customize a set of provided questions, a visually more appealing experience, and a new Assistant to help guide the user through the process. Local key reconstruction. Standalone installations of PGP Desktop support Local Key Reconstruction. The Key Reconstruction Assistant saves Key Reconstruction information in a file that can be used later to reconstruct the user key. PGP Log message filtering. The PGP Log feature of PGP Desktop now provides a menu option to filter local log messages by topic to facilitate troubleshooting (for example, displaying messages related only to Email, IM, NetShare, or WDE). Passphrase quality evaluation improvements. Passphrase quality evaluation has been significantly enhanced both visually and functionally in this release. PGP Whole Disk Encryption Features Advanced centralized event logging. PGP Universal now provides significantly expanded reporting on PGP Whole Disk Encryption usage on client systems. This logging feature itemizes events such as which systems have been encrypted, the progress of encryption or decryption for an individual system, errors encountered during encryption, the status of recovery tokens, removable storage usage, and failed/successful login attempts. Administrators can set thresholds that raise alerts in PGP Universal on the PGP Daily Status Email or dashboard screen after a configured number of failed logins has been exceeded. Extended pre-boot smart card support. PGP Whole Disk Encryption has greatly expanded pre-boot authentication to a variety of smart cards. Customizable WDE BootGuard screens. Administrators in a PGP Universal-managed environment can configure the PGP Whole Disk Encryption boot screen to display the text and graphics of their choice. Group administration access tokens. PGP Whole Disk Encryption admin accounts can be added, allowing an administrator with a smart card key to override the BootGuard prompt. 
This key can be specified separately for each Internal User Policy. Using a single keypair copied to multiple smart cards (each with its own PIN), an organization can enable multiple administrators for each Policy.

Domain administrator restart bypass. Windows System and Administrator account(s) may now engage a mode to bypass WDE authentication on the next restart by utilizing the privileges of the administration account to act as the authenticated user. This feature enables administrators to perform remote software installations requiring a restart of the target computer. Use of this feature is logged to the PGP Universal server.

Partition encryption deployment. Administrators in a PGP Universal-managed environment may now configure encryption of only the boot partition or only Windows partitions rather than always encrypting entire disks.

PGP WDE Single Sign-On for Novell environments. The PGP WDE Single Sign-On (SSO) feature is now available for Windows systems running in Novell network environments.

User Interface modifications for ADA compliance. As part of our expanding support for the Americans with Disabilities Act (ADA) standards for accessible design, the PGP WDE BootGuard screen has been modified to provide audible feedback when the screen is ready for user input, when a user types in an incorrect password, and when a user types a correct password. This audio feedback is optional, configurable using PGP Universal for managed clients.

Lenovo laptop Recovery button. PGP Whole Disk Encryption now provides complete support for the Lenovo Rescue and Recovery software (version 3.x and 4.x) including using the “Access IBM” blue button for boot-level recovery of the OS even when the disk (or partition) is encrypted.

Microsoft Windows PE support. PGP Desktop provides administrators with the ability to create a Windows PE (Preinstallation Environment) boot disk containing a subset of PGP Whole Disk Encryption.
This bootable disc can be used to perform a variety of management and recovery tasks.

Trusted Platform Module (TPM) support for PGP WDE. PGP Desktop supports using the Trusted Platform Module as an additional authentication device for PGP Whole Disk Encryption if present on the motherboard and enabled via proper driver installation for your hardware. When use of the TPM is specified prior to encryption, the user can authenticate to the disk only on that particular machine, locking the disk to the machine hardware and thus deterring attacks such as hard disk theft. This feature works with passphrase users only and is compatible with the PGP WDE Single Sign-On feature.

PGP NetShare Features

PGP NetShare per-folder administration. PGP NetShare administrative granularity has been extended to restrict administrator control to a per-folder level, thus limiting administrative access to exactly where it is needed.

Whitelists and blacklists. Administrators can now centrally define PGP NetShare policy to protect files stored in specific directory locations, enforcing security policy without impacting user behavior. Conversely, administrators can also force specific directories to prevent encryption.

Directory roles. There are now three roles for PGP NetShare-protected directories: Admin, with full rights over the directory; Group Admin, who can add/remove users that are not Admins or Group Admins; and Users, who can only access content, and have no administration abilities.

Centralized PGP NetShare logging. Centralized logging on PGP Universal provides visibility into the activity of PGP NetShare deployments to satisfy management and auditing requirements.

PGP NetShare Command Line. Most PGP NetShare functions can now be scripted. This utility is documented in the PGP NetShare Command Line Programmer's Guide.

PGP Desktop Email Features

MAPI support for PGP/MIME formatted messages.
PGP Desktop and PGP Universal Satellite now provide the ability to encrypt PGP/MIME messages in Outlook clients using MAPI. PGP/MIME decryption has also been significantly improved in this area.

Microsoft CAPI integration. PGP Desktop and PGP Universal Satellite support the use of Microsoft Cryptographic Application Programming Interface (CAPI) credentials, enabling the user to make use of existing X.509 certificates directly from the Microsoft operating system certificate store. PGP Universal administrators can specify automatic enrollment of such certificates as well.

IMAP speed improvements. This release contains significant IMAP performance improvements. Users will experience quicker responses and shorter downloads, particularly when accessing large mailboxes, switching between folders, and checking for new messages.

Out-of-the-mail-stream support. PGP Desktop and PGP Universal Satellite will selectively send email messages directly to the PGP Universal Server via a SOAP connection if required by policy, such that the server does not need to be in the mail stream to support Web Messenger or Smart Trailer functionality.

Weak-cipher decryption. PGP products now decrypt S/MIME encoded messages encrypted with weak 40-bit RC2 encryption for backwards compatibility with older email clients. Additional warnings are added to messages decrypted using that algorithm. Note that PGP Desktop and PGP Universal Satellite will not encrypt using weak ciphers.

************************************************

Changes between version 9.8.3 and version 9.8.2

Resolved issue: Resolved a rare issue where PGP NetShare could introduce an inconsistency in the file encryption keys, preventing the file from properly decrypting when performing administrative update operations on complex folder structures with differing memberships. [16905, 17833]

Resolved issue: Resolved an issue where upgrading PGP Whole Disk Encryption could, in rare cases, cause disk inconsistencies.
[17726]

Changes between version 9.8.2 and version 9.8.1

Resolved issue: PGP BootGuard now properly displays on an external monitor (Analog or digital) when the laptop lid is closed including when using a docking station. [16341, 17501]

Resolved issue: Users are no longer required to enter Key Reconstruction information again if that information was previously entered and is currently stored on the PGP Universal Server [17001, 17173]

Resolved issue: Resolved issues with WDRTs and encrypting multiple removable disks. [17258]

Changes between version 9.8.1 and version 9.8

Resolved issue: PGP Universal-generated certificates now contain all email aliases of the key within the Subject Alternative Name property of the certificate [13138, 16372]

Resolved issue: Security of keyboard-typed passphrases at boot time for a PGP WDE-encrypted drive has been improved. [16869]

Resolved issue: Improved PGP NetShare interoperability with Novell 4.91 SP4. [16326]

Resolved issue: Issues with PGP Whole Disk Encryption when upgrading an encrypted disk from previous versions, including version 9.0.6, have been resolved. [16904]

Changes between version 9.8 and version 9.7.1

Localized for German and Japanese: PGP Desktop for Windows is available in German and Japanese. This release also includes bug fixes and improvements.

Resolved issue: A new Whole Disk Recovery Token (WDRT) is now sent to the appropriate PGP Universal Server in cases where the client was unable to contact the server when the original WDRT was used. [10730]

Resolved issue: Rare cases where Microsoft Office macros conflicted with PGP Desktop have been fixed. [15035]

Resolved issue: A conflict between Microsoft SoftGrid and PGP Desktop has been fixed. [15665]

Resolved issue: Improvements have been made to token handling when tokens are removed from a system.
[15758, 16242]

Changes between version 9.7.1 and version 9.7

Resolved issue: PGP NetShare files initially encrypted by PGP Desktop 9.7.1 on 64-bit versions of Windows used an incorrect file format. Such files should be decrypted using 9.7.1 on the 64-bit system prior to upgrade. This release ensures proper PGP NetShare formatting on 64-bit systems. [16381]

************************************************

What's New in PGP Desktop for Windows Version 9.9

Building on PGP Corporation’s proven technology, PGP Desktop 9.9 for Windows includes numerous improvements and the following new features.

General

User Interface Modifications for ADA Compliance. Compliance with the Americans with Disabilities Act (ADA) standards for accessible design continues to improve in this release. PGP Universal Server now provides keyboard equivalents for all actions in PGP Universal Web Messenger and PGP Verified Directory web pages. The PDF documentation for all PGP products in this release is tagged to facilitate reading and navigation of the documentation by users of assistive technology.

PGP NetShare

PGP NetShare for Multi-user Environments. PGP NetShare is now compatible with certain Microsoft Terminal Services and Citrix Presentation Server environments.

PGP NetShare Application Encryption Policy. PGP NetShare now extends managed support to provide policy-based encryption by application. An example of this feature would be to configure all users in the Finance department so that all documents created with Microsoft Excel are encrypted with PGP NetShare automatically, while the Microsoft Word documents created by users in the Legal department are protected.

PGP Whole Disk Encryption

PGP WDE BootGuard Lockout. PGP Universal Server now enables the administrator to enforce a PGP WDE BootGuard Lockout. PGP BootGuard locks access to the system after the user exceeds the maximum number of permitted failed authentication attempts.

PGP WDE Advanced Bad Sector Management.
In managed environments, when PGP Whole Disk Encryption encounters bad disk sectors during encryption, it silently logs the event, continues encrypting the disk, and informs the PGP Universal Server of the bad sector. For information on PGP WDE best practices for disk preparation, see the PGP Desktop User’s Guide.

Enhanced PGP WDE Policy. Administrators now have fine-grained control of end-user PGP Whole Disk Encryption permissions. For example, an Administrator can now manage boot disk functions separately from removable disk functions by preventing the decryption of boot disks, while allowing the encryption and decryption of removable disks.

Computer Name on PGP BootGuard Screen. The computer name and ID (as specified in the System Properties dialog box) can now be displayed on the PGP BootGuard screen, so the system's user can easily identify what specific computer is being used. With the user now able to communicate this information, a PGP Universal Server administrator or helpdesk agent can easily provide the correct WDRT to the user.

Extended Keyboard Support. PGP Whole Disk Encryption has expanded support to the following regional keyboards:

  Belgian
  Bosnian, Croatian, Serbian and Slovenian
  Canadian Multilingual Standard
  Chinese Simplified (China/Singapore)
  Chinese Traditional (Hong Kong/Taiwan)
  Czech (QWERTY)
  Danish
  Dutch
  English
  English (US-International)
  Estonian
  Finnish
  French
  French Canadian
  German
  German (Germany/Austria)
  German (Swiss)
  Hungarian
  Icelandic
  Irish
  Italian
  Japanese
  Korean
  Norwegian
  Polish
  Portuguese (Brazil)
  Portuguese (Portugal)
  Romanian
  Spanish
  Spanish (Latin America)
  Spanish Variation
  Swedish
  Swiss French

Enhanced Key Handling. Improvements have been made to ensure that key material is securely wiped at shutdown in all cases.

PGP Messaging

Offline Policy controls. Administrators can now enforce policy for offline users by controlling what happens to email when the PGP Universal Server cannot be reached by PGP Desktop.
Options include blocking outbound messages, sending outbound messages in the clear, or allowing users to follow locally defined policy. A PGP Notifier-like window can optionally be presented, informing the user that policy could not be executed, and asking if the user would like to send the message unsecured. Any use of client offline bypass is logged to PGP Universal Server.

PGP Universal Server Logging

Rich Client Policy Logging. PGP Universal Server now logs a variety of information about the client's receipt and use of downloaded policy. This information also includes the list of enabled PGP Desktop modules, license information for the client, and PGP NetShare folder encryption processing preferences (that is, specified white lists and black lists for the client).

Enhanced Centralized Event Logging. PGP Universal Server provides expanded reporting on PGP Whole Disk Encryption usage on client systems. Information now provided includes the user name and primary email address associated with the system, the last access by the user, the version of PGP Desktop in use, and other system-specific information.

Resolved Issues

For a list of issues that have been resolved in this release, please go to the PGP Support Portal and view Knowledge Base Article 1014 (https://support.pgp.com/?faq=1014).

************************************************

What's New in PGP Desktop for Windows Version 9.12

Building on PGP Corporation’s proven technology, PGP Desktop 9.12 for Windows includes numerous improvements and the following new features.

General

Windows 7 Support. PGP Desktop can now be installed on Microsoft Windows 7 systems (all 32-bit and 64-bit editions).

French user interface. PGP Desktop for Windows now includes enrollment dialog boxes in French.
To display the three enrollment dialog boxes in French, be sure the following Windows Registry key is added before the setup assistant is started:

  HKLM\Software\PGP Corporation\PGP\ENROLL_FRENCH=1

PGP NetShare

Unlocking a PGP NetShare folder. If your PGP Universal Server administrator has enabled the option, you can select Rescan NetShare Locks from the PGP tray menu. Use this option to unlock a PGP NetShare protected folder when your key is on a smart card or token that was not inserted when you attempted to access the folder.

PGP Whole Disk Encryption

Turkish keyboards. You can now use Turkish keyboards (Turkey, F and Q keyboards) for pre-boot authentication in PGP Desktop for Windows.

Additional smart card. Support has been added for the Safenet iKey 2032 smart card for pre-boot authentication in PGP Desktop for Windows.

General improvements. Improvements have been made to the overall robustness of PGP Whole Disk Encryption for Windows.

Resolved Issues

For a list of issues that have been resolved in this release, please go to the PGP Support Portal and view Knowledge Base Article 1014 (https://support.pgp.com/?faq=1014).

************************************************

What's New in PGP Desktop for Windows Version 10.0

Building on PGP Corporation's proven technology, PGP Desktop 10.0 for Windows includes numerous improvements and the following new features.

General
* Additional supported operating systems. PGP Desktop for Windows can now be installed on Windows 7.
* New localized versions. PGP Desktop has been localized and can now be installed in French (France) and Spanish (Latin America).
* Support for new smart cards.
For both pre- and post-boot in PGP Desktop for Windows:
  o Axalto Cyberflex Access 32K V2 smart card
  o Giesecke and Devrient Sm@rtCafe Expert 3.2 personal identity verification cards
  o Oberthur ID-One Cosmo V5.2D personal identity verification cards
  o SafeNet iKey 2032 USB token
  o T-Systems Telesec NetKey 3.0 and TCOS 3.0 IEI cards
* Redesigned interface. The main user application window in PGP Desktop for Windows has been redesigned.
* PGP Universal Server connectivity. Increased resiliency of PGP Desktop when connectivity to the PGP Universal Server is dependent on a VPN connection or is otherwise intermittent.

PGP Keys
* Enhanced Server Key Mode (SKM) keys. SKM keys now include the entire key on your keyring. In addition, SKM keys can now be used for encryption functions such as disk and file encryption and decryption, as well as decrypting MAPI email messages when you are offline.
* Keyring location. In PGP Desktop for Windows, you can use environment variables to specify the location of your keyrings.
* Key usage flags. Each subkey can now have its own key usage properties, so that one subkey could be used for PGP WDE only, and another could be used for all other PGP Desktop functions. Set the key usage of a key when you want to use a key for disk encryption only but you do not want to receive encrypted email using that key.
* Universal Server Protocol (USP) key searches. The PGP Universal Services Protocol (USP) is a SOAP protocol operating over standard HTTP/HTTPS ports. This is now the default key lookup mechanism. If you are in a PGP Universal Server-managed environment, all key search requests as well as all other communications between the PGP Universal Server and PGP Desktop use PGP USP.

PGP Messaging
* PGP Viewer. Use PGP Viewer to decrypt and view legacy IMAP/POP/SMTP email messages.
* Lotus Notes.
PGP Desktop now provides the ability to encrypt mail messages using Lotus Notes native encryption if PGP Desktop is configured to do so and the recipient is an internal Notes user.
* Lotus Notes. PGP Desktop now provides the ability to encrypt Lotus Notes RTF-formatted email messages using PGP/MIME, S/MIME, or PGP Partitioned formats.
* Lotus Notes. PGP annotations in messages now honor the regional settings for date and time stamp.
* Microsoft Outlook buttons added. Buttons enable you to manually add encryption and/or your digital signature to your Outlook emails. This new feature provides compliance with digital signature laws that require showing intent to sign.
* Offline policy enhancements. In a managed environment, mail policy is now enforced even if you are offline and not connected to the PGP Universal Server or if the server itself is offline.

PGP Portable
* Previously available as a standalone option, PGP Portable is now included in PGP Desktop. PGP Portable Disks can be created on Windows systems. This functionality requires a separate license.

PGP Whole Disk Encryption
* Additional smart card compatibility. New cards added for pre-boot authentication in PGP Whole Disk Encryption for Windows include Axalto Cyberflex Access 32K V2, Marx CrypToken USB token, SafeNet iKey 2032 USB token, and T-Systems T-Telesec NetKey smart card.
* Personal Identity Verification (PIV) card support. Support has been added in PGP Whole Disk Encryption for Windows for users with Giesecke and Devrient Sm@rtCafe Expert 3.2 and Oberthur ID-One Cosmo V5.2D personal identity verification cards.
* Additional Keyboard Compatibility (Windows). A total of 50 international language keyboards can now be used to log in at PGP BootGuard. For a list of all compatible keyboards, see the PGP Desktop for Windows User's Guide or online help.
* Full disk encryption support on Linux. PGP WDE for Linux provides full disk encryption with pre-boot authentication on Ubuntu and Red Hat.
For more information, see the PGP Whole Disk Encryption for Linux Command Line Guide.
* Local self recovery. PGP Desktop for Windows now provides a way for you to access your encrypted drive from the PGP BootGuard screen if you have forgotten your passphrase. When configured, you won't have to contact your administrator for assistance.
* Multi-user enhancements. In an environment where multiple users may access a group of computers, the PGP Universal Server administrator can define a PGP WDE Admin password. When you enter this password at the PGP BootGuard screen on a PGP Desktop for Windows system, you are prompted to enter your Windows passphrase and the disk is decrypted.
* Force encryption enhancements. When your PGP Universal Server administrator changes policy to require that all disks be encrypted, the next time policy is downloaded to your system, the PGP WDE assistant is displayed so you can begin to encrypt your disk.
* Additional token support for PGP BootGuard. The Marx CrypToken USB token can now be used at the PGP BootGuard for PGP Desktop for Windows.
* Extended ASCII character support. Extended ASCII characters can now be used when creating PGP WDE users.
* Kanji characters. Kanji characters are now displayed correctly in the PGP BootGuard screen.
* Windows Server operating systems. PGP WDE can now be installed on Windows Server operating systems (Windows Server 2003 and Windows Server 2008). For additional system requirements and best practices information on using PGP WDE on Windows Server systems, see PGP KB article 1737.

Resolved Issues

For a list of issues that have been resolved in this release, please go to the PGP Support Portal and view Knowledge Base Article 1014: http://support.pgp.com/?faq=1737