1. PREPARATION
The instructions below are for setting up an account manually. You can also
use software to do it; see the software section.
There are a number of things you need to know and/or do before you establish a nym account:
a.You need a working knowledge of "Pretty Good Privacy (PGP)." It must be
installed and properly configured on your system. If you're not "PGP
literate," stop now, learn it, then come back.
PGP can be obtained from one of the following sites:
For users in the United States or Canada - the MIT Distribution Site
For users in other countries - The International PGP Home Page
b.You must choose a "nym" (pseudonym) for yourself. It must be one that
isn't already being used by someone else. Get the most current list of
nyms in use by sending email to list@nym.xg.nu or by fingering the same
address.
c.Once you've chosen your nym you must create a new (RSA) PGP key pair for
it. The user ID of your new keys should be something like Your nym
<yournym@nym.xg.nu>. For example, if your chosen nym is "dude" your
user ID should be dude <dude@nym.xg.nu>
d.After creating your new key pair, extract the new public key to a
text file using the pgp -kxa command. You'll have to send it to the
nym server later, so get it ready to go first.
e.Get the most current list of reliable remailers. When you establish your
nym, you'll tell nym.xg.nu which remailer(s) to use when sending your
mail to you. You can change this information later if, for example,
you experience problems with the remailer(s) you've chosen. Be aware,
though, that the more remailers you use to send mail to or receive mail
from the nym server, the more chance there is that one will be down and
foul up the whole procedure.
f.Get the PGP public keys for the remailers you want to use and for
nym.xg.nu. You can get those by following links on the web site
http://anon.xg.nu. Add them to your PGP pubring.
g.I strongly suggest that you use a DOS text editor or word processor when
establishing and working with PGP and nyms. All your work must be in
ASCII-text format. Many Windows word processors and email clients still
add some proprietary formatting that screws things up. Word
wrapping and carriage returns seem to be a common problem. Experimenting
with your particular Windows program and PGP is the best way to
determine if you have a problem or not.
2. CREATING YOUR NYM
a. Assumptions and Givens -
1.Your chosen nym is "dude" and you've confirmed that it's available for use.
2.You've created a new PGP key pair with the user ID of
"dude <dude@nym.xg.nu>"
3.You've extracted your new nym's public key (using the command pgp -kxa)
into a file you can paste into an email message.
4.Your real email address is realname@xyz.com.
5.You've downloaded the public keys for nym.xg.nu and for the remailers
you want to use, and you've added them to your PGP keyring.
6.You have chosen only one remailer to go through, and it is
remailer@huge.cajones.com
7.You're fluent in PGP.
b. Creating the Reply Block -
1.Your reply block tells the nym server what your real email address is
and how to route mail to you. It also tells the server what passphrase to
use to conventionally encrypt all messages to you.
2.Type the following EXACTLY as shown, but without the "EXAMPLE #x."
Everything starts on the very first line of text and is all flush
with the left margin. If you see a space, use a space. If you see a blank
line, use one. That goes for everything you type:
EXAMPLE #1
::
Anon-To: realname@xyz.com
That's two colons on the first line. Save this as a text file
called FILE1.TXT.
A WARNING ABOUT BLANK LINES: Be sure to create all required blank
lines by using the carriage return, NOT by simply moving
the cursor. Some reports of PGP headers being chopped off
of the encrypted messages are caused by this. The messages
arrive from nym through the remailers, but are missing the
"-----BEGIN PGP MESSAGE-----" line, the "Version: " line, and the
blank line that follows before the encrypted text. This may be
caused by too many or too few blank lines somewhere in the reply
block. After troubleshooting this problem, we discovered each time
that the problem was caused by a missing hard carriage return to
create a blank line. Inserting one (and only one!) hard carriage
return in the correct places appears to be the solution.
3.Encrypt FILE1.TXT using the public key for
remailer@huge.cajones.com. The correct command line syntax is
pgp -eat file1.txt remailer@huge.cajones.com
That will give you a file called FILE1.ASC
4.Your file should look something like this:
EXAMPLE #2
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i

hIwCL3nxiBW8n50BBACP8ez/ZDmCXUTAoYsahN+9ga7uCDbiiurxyIDvpR0syIWn
8+JKMijkgToK6hyY5l7Lda9UZdu4EUHYJ01OPywGDPt024otN4Ke91XLdYxialIj
qXrpCzWnOvVdv2wbs8TfPgLtqDlsTjmQ9v+QFNdvO10YBVe8NoM857K863dK36YA
AAKqjobhdiOoPErbUxG9ZXsQIMv+TrUC/05eDNpI46pjq4imFAa3uYHbknAFk1u1
56eFMEoomiqj6GjwNg==
=+yBT
-----END PGP MESSAGE-----
5.Prepend the above text with:
EXAMPLE #3
::
Anon-To: remailer@huge.cajones.com

::
Encrypted: PGP
and leave a blank line between "Encrypted: PGP" and the encrypted text.
6.At the end of the encrypted text, leave a blank line and then type:
EXAMPLE #4
**
That's two asterisks. These are very important! Your reply block
must end in this double asterisk on the second line below the text.
If you were going to have your mail sent through more than one
remailer (this example uses only one!), you would only put the
double asterisk at the very end of the complete reply block.
7.Your text should now look like this:
EXAMPLE #5
::
Anon-To: remailer@huge.cajones.com

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.3i

hIwCL3nxiBW8n50BBACP8ez/ZDmCXUTAoYsahN+9ga7uCDbiiurxyIDvpR0syIWn
8+JKMijkgToK6hyY5l7Lda9UZdu4EUHYJ01OPywGDPt024otN4Ke91XLdYxialIj
qXrpCzWnOvVdv2wbs8TfPgLtqDlsTjmQ9v+QFNdvO10YBVe8NoM857K863dK36YA
AAKqjobhdiOoPErbUxG9ZXsQIMv+TrUC/05eDNpI46pjq4imFAa3uYHbknAFk1u1
56eFMEoomiqj6GjwNg==
=+yBT
-----END PGP MESSAGE-----

**
Make sure that you have blank lines exactly as shown! There's a
blank line between "Anon-To: remailer@huge.cajones.com" and the
next double colon, there's one between "Encrypted: PGP" and the
text itself, and there's one between the end of the text and the
double asterisk.
8.Save the above as a text file called FILE2.TXT. Your reply block is
now finished.
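The blank-line rules above can be checked mechanically before the reply block goes into the creation request. The Python linter below is an added example, not part of the original guide or of any nym software; the name lint_reply_block and the sample block (with a placeholder armor body) are constructed for illustration.

```python
import re

HEADER = re.compile(r"[A-Za-z][A-Za-z-]*: \S.*")
BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"


def lint_reply_block(text):
    """Check the visible layer of a reply block against the guide's layout.

    Returns a list of problem strings; an empty list means the layout is right.
    """
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # newline that terminates the file

    # A "blank" line made by moving the cursor can hold spaces or tabs.
    for n, line in enumerate(lines, 1):
        if line and not line.strip():
            problems.append(f"line {n}: spaces or tabs on a line that must be empty")
        elif line[:1].isspace():
            problems.append(f"line {n}: not flush with the left margin")

    steps = [
        (lambda s: s == "::", "'::' on the first line"),
        (lambda s: s.startswith("Anon-To: "), "'Anon-To: address'"),
        (HEADER.fullmatch, None),        # optional extra headers, e.g. Encrypt-Key
        (lambda s: s == "", "exactly one blank line after the headers"),
        (lambda s: s == "::", "second '::'"),
        (lambda s: s == "Encrypted: PGP", "'Encrypted: PGP'"),
        (lambda s: s == "", "exactly one blank line before the PGP message"),
        (lambda s: s == BEGIN, "the BEGIN PGP MESSAGE line"),
    ]
    pos = 0
    for test, what in steps:
        if what is None:                 # zero or more optional header lines
            while pos < len(lines) and test(lines[pos]):
                pos += 1
        elif pos < len(lines) and test(lines[pos]):
            pos += 1
        else:
            problems.append(f"line {pos + 1}: expected {what}")
            break                        # later steps would only cascade

    # The block must close with: END line, one blank line, double asterisk.
    if END not in lines:
        problems.append("no END PGP MESSAGE line found")
    elif lines[lines.index(END) + 1:] != ["", "**"]:
        problems.append("after the PGP message: expected one blank line, then '**'")
    return problems


# Constructed sample; the armor body is a placeholder, not real ciphertext.
GOOD = "\n".join([
    "::", "Anon-To: remailer@huge.cajones.com", "",
    "::", "Encrypted: PGP", "",
    BEGIN, "Version: 2.6.3i", "", "PLACEHOLDERARMORBODY", END,
    "", "**", ""])

if __name__ == "__main__":
    # Simulate the failure the guide warns about: a missing hard return.
    broken = GOOD.replace("cajones.com\n\n", "cajones.com\n")
    print(lint_reply_block(GOOD) or "layout OK")
    print(lint_reply_block(broken))
```

Run it on FILE2.TXT before appending the file to the creation request; CRLF and LF line endings are both accepted.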
c. Creating the Creation Request -
a.Start a blank page in your text editor and type the following,
again starting on the first line and flush with the left margin:
EXAMPLE #6
Config:
From: dude@nym.xg.nu
Nym-Commands: create +acksend +signsend name="dude"
Public-Key:
IMPORTANT NOTES:
It's critical that your "creation request" begin with "Config:"
on the first line! The nym server will ignore any creation
requests without it.
There are numerous "Nym-Commands: " you can use. Most deal with
advanced features offered by the nym server, and all are clearly
explained in the official help file. I've used only four for
our example. "Create" tells the server that you are creating
a new nym. "+acksend" enables the feature which will send you
a confirmation every time the nym server forwards mail you
have sent. "+signsend" enables the feature which will sign
all messages with the nym server's PGP key, making forgery
virtually impossible. "name= ," with the requested name in
quotes, lets you set a name for yourself. With this feature
enabled, mail you send will appear to come from
"dude <dude@nym.xg.nu>." Without it, your mail will appear to
come simply from "<dude@nym.xg.nu>."
Of the four "Nym-Commands: " I've shown, only "create" is
really required.
The "Nym-Commands: " can all be on one line
(separated by a space), or each can be on its own line. If you
list them on individual lines, each line must begin with
"Nym-Commands: ", followed by the command.
EXAMPLE #6A
Nym-Commands: create
Nym-Commands: +acksend
Nym-Commands: +signsend
Nym-Commands: name="dude"
b.On the very next line (NO blank line this time!), insert the
public key you extracted earlier for your new nym. It should now
look like:
EXAMPLE #7
Config:
From: dude@nym.xg.nu
Nym-Commands: create +acksend +signsend name="dude"
Public-Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzCqHCEAAAEEALyo483O4RXzCKn/rGK6eSdZSrZITqqIoNgXn9i6idZhxnfu
WO2CmPwm0LD4zSbh5ciMpHNKBO3yPgRlSG87rQK2NxsyQFNu0stH4AkfmtG7SS75
uOGdkVYpPhk+NRFIk6FUePMspd96yQelNPznUMD8N+mmEcD5MS958YgVvJ+dAAUR
tC5KYXkgU3RvdHpreSA8NGJkZWFpcm1nckA0dGhiZGVocS4xYWQuYXJteS5taWw+
pjVDLgRXAN5PKt956n9G+KX9xA4P7Ggd7sOR0dNIVS3XiXFCKsr+hqLFYxT3K71U
IJWvJw==
=/tvC
-----END PGP PUBLIC KEY BLOCK-----
c.On the very next line (again, no blank line!), type
EXAMPLE #8
Reply-Block:
d.The whole thing should now look like this:
EXAMPLE #9
Config:
From: dude@nym.xg.nu
Nym-Commands: create +acksend +signsend name="dude"
Public-Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzCqHCEAAAEEALyo483O4RXzCKn/rGK6eSdZSrZITqqIoNgXn9i6idZhxnfu
WO2CmPwm0LD4zSbh5ciMpHNKBO3yPgRlSG87rQK2NxsyQFNu0stH4AkfmtG7SS75
uOGdkVYpPhk+NRFIk6FUePMspd96yQelNPznUMD8N+mmEcD5MS958YgVvJ+dAAUR
tC5KYXkgU3RvdHpreSA8NGJkZWFpcm1nckA0dGhiZGVocS4xYWQuYXJteS5taWw+
pjVDLgRXAN5PKt956n9G+KX9xA4P7Ggd7sOR0dNIVS3XiXFCKsr+hqLFYxT3K71U
IJWvJw==
=/tvC
-----END PGP PUBLIC KEY BLOCK-----
Reply-Block:
e.Immediately after "Reply-Block:", append your reply block
(the FILE2.TXT you saved before). The whole thing should now
look like:
EXAMPLE #10
Config:
From: bubba@nym.xg.nu
Nym-Commands: create +acksend +signsend name="Bubba"
Public-Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzCqHCEAAAEEALyo483O4RXzCKn/rGK6eSdZSrZITqqIoNgXn9i6idZhxnfu
WO2CmPwm0LD4zSbh5ciMpHNKBO3yPgRlSG87rQK2NxsyQFNu0stH4AkfmtG7SS75
uOGdkVYpPhk+NRFIk6FUePMspd96yQelNPznUMD8N+mmEcD5MS958YgVvJ+dAAUR
tC5KYXkgU3RvdHpreSA8NGJkZWFpcm1nckA0dGhiZGVocS4xYWQuYXJteS5taWw+
pjVDLgRXAN5PKt956n9G+KX9xA4P7Ggd7sOR0dNIVS3XiXFCKsr+hqLFYxT3K71U
IJWvJw==
=/tvC
-----END PGP PUBLIC KEY BLOCK-----
Reply-Block:
::
Anon-To: remailer@huge.cajones.com
Encrypt-Key: teafortwo

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.3i

hIwCL3nxiBW8n50BBACP8ez/ZDmCXUTAoYsahN+9ga7uCDbiiurxyIDvpR0syIWn
8+JKMijkgToK6hyY5l7Lda9UZdu4EUHYJ01OPywGDPt024otN4Ke91XLdYxialIj
qXrpCzWnOvVdv2wbs8TfPgLtqDlsTjmQ9v+QFNdvO10YBVe8NoM857K863dK36YA
AAKqjobhdiOoPErbUxG9ZXsQIMv+TrUC/05eDNpI46pjq4imFAa3uYHbknAFk1u1
56eFMEoomiqj6GjwNg==
=+yBT
-----END PGP MESSAGE-----

**
NOTE: We're almost done; hang in there ;-))
f.Save all the above text as FILE3.TXT.
g.PGP encrypt FILE3.TXT with the public key for config@nym.xg.nu
and sign it with your new nym key. The command line syntax is
pgp -seat file3.txt config@nym.xg.nu -u bubba
h.You should now have a big, PGP-encrypted file called FILE3.ASC.
This is your finished creation request. It's the file you send to
the nym server to create your nym account.
d. Sending Your Creation Request to nym.xg.nu -
a.You can upload FILE3.ASC to your email client and send it directly
to config@nym.xg.nu, or you can send it through one or more
remailers first.
b.If you've done everything correctly, and the remailer(s) and nym
server are up, within a few hours you'll receive an encrypted
"confirmation message" from nym.xg.nu.
Congratulations!
5. SENDING EMAIL FROM YOUR NYM ACCOUNT
a.To send email from your new nym account, start the body of your text
with:
EXAMPLE #16
From: dude
To: recipient's email address
Subject: whatever
RE
leave one blank line, then type your message.
NOTE: Just like everything else, the above begins on the first
line and is flush with the left margin.
b.Save the file and then encrypt and sign it for the nym server. If you
saved the file as MAIL.TXT, the command line syntax would be:
pgp -seat mail.txt send@nym.xg.nu -u bubba
IMPORTANT NOTE: Notice that this time it's "send@nym..." instead
of "config@nym..." You use "config@nym..." to set up or change
your account. To send mail, you use "send@nym...." It's the same
PGP public key, so no problem there.
c.Send the MAIL.TXT file to send@nym.xg.nu
6. PUTTING IT ALL TOGETHER
a.When you send mail this way, first it goes to send@nym.xg.nu.
When the nym server receives it, the message is decrypted. The nym
server compares your From: line and PGP signature with the public
key it has on file for you. When it's satisfied that the mail is
really from you, it forwards the now decrypted plaintext to the
address given on your To: line. The recipient gets a plaintext email
that appears to come from "dude <dude@nym.xg.nu>."
b.If the recipient wants to respond, he or she composes a normal reply
to dude@nym.xg.nu and sends it. The nym server receives it,
confirms that you have an account, encrypts the message using your
public key, and signs it using its own key. The message is then sent to the
first remailer you've specified in your reply block.
c.Finally, you receive the message. What you receive appears to be an
encrypted email from the final remailer in the chain. Download the
message and use PGP to decrypt it.
NOTE: At this point you might be tempted to download the message and
use a Windows PGP frontend to decrypt it. We won't go into the
pros and cons of frontends.
d.The actual message is encrypted with your public key.
IMPORTANT NOTES:
The header "Newsgroups:" really is plural, even if you list only one group.
If you list more than one group, separate them with commas, but not with
spaces. For example:
CORRECT - Newsgroups: alt.anonymous,alt.anonymous.messages
WRONG - Newsgroups: alt.anonymous, alt.anonymous.messages
You can use additional headers, such as "X-No-Archive: Yes", if you feel
the need. "X-No-Archive: Yes" will help avoid your posts
being archived by services such as DejaNews.
There are quite a few other gateways you can use for posting to newsgroups.
I've used mail2news@anon.lcs.mit.edu for these examples because I use it
myself, and have found it to be very quick and reliable.
7. POSTING TO NEWSGROUPS WHEN USING YOUR NYM
a.Posting to newsgroups with your nym is very similar to sending email.
The only real differences are some additional headers inserted before
the text of your message. Paragraph 5a above shows how to format an
email message. The format for a newsgroup post is as follows:
EXAMPLE #20
From: dude
To: mail2news@anon.lcs.mit.edu
Newsgroups: whatever
Subject: whatever
Leave a blank line after the last header and then type your message.
b.If you are replying to a post and want your reply to be threaded with
the original message, you must also add a "References:" header. If your
reply will be the first reply to the post, you should also add
"Re:" before the original subject.
EXAMPLE #21
From: bubba
To: mail2news@anon.lcs.mit.edu
Newsgroups: whatever
References: whatever
Subject: Re: whatever
As always, leave a blank line and then type your message.
NOTES:
To obtain the correct "Subject:", simply copy or cut-and-paste
the "Subject:" line from the original post, and add the "Re:", if
needed.
To obtain the "References:" entry, use the "Message-ID:" header
(including the angle brackets) from the post you are replying to.
c.Save the file and follow the instructions in paragraphs 5b through 5h
above to encrypt and send.
-----------------------------------NYM Commands-------------------------------
You can give several commands using the "Nym-Commands:" header in a
message to config@nym.xg.nu. You can place several of these
commands in a single Nym-Commands header, separated by spaces, or you
can put multiple "Nym-Commands:" headers in the same message. Valid
commands are:
+acksend/-acksend
Enable/disable an automatic acknowledgment each time a message is
successfully remailed for your alias through send@nym.alias.net.
This configuration option can be overridden on a per-message basis
by a `Nym-Commands:' header in an outgoing mail message.
+signsend/-signsend
Enable/disable automatic PGP signing of any outgoing mail you send
through the remailer. If you disable this, anyone can forge mail
from your nym very easily (particularly since the sendmail program
running on nym.alias.net does not add Received: headers to all
mail). If you have decided to publish the public key of your nym,
however, you will want to sign all outgoing messages with your nym's
public key (that is sign them a second time inside the message--
send@nym.alias.net will always reject a message unless it can
strip off a valid signature around the whole thing).
Having a nym.alias.net signature around another signature can
prevent mail readers from verifying the inside signature, so you
should choose the -signsend option if you want to sign all messages
yourself. (See the section on "GENERATING A PGP KEY FOR YOUR NYM"
for a note on the dangers of publishing your nym's PGP key.) This
configuration option can be overridden on a per-message basis by a
`Nym-Commands:' header in an outgoing mail message.
+cryptrecv/-cryptrecv
Enable/disable automatic encryption with your nym's public key of
messages received for your alias. Disabling public-key encryption
will reduce your privacy. However, it may also allow you to decode
received mail with client software designed for the older
alpha.c2.org-style pseudonym servers. Note that even when +cryptrecv
is enabled, you still should use shared-key encryption between
remailer hops to prevent your mail from being traced. See the
section on "SECURITY CONSIDERATIONS" below for more details.
+fixedsize/-fixedsize
When you send the +fixedsize Nym-Command, all messages you receive
will be split and/or padded to exactly the same size (roughly 10K).
This padding will take place outside the public key encryption, and
so will only be useful if you also use shared-key encryption. If you
do use shared-key encryption, however, (and you really should),
having all your messages be the same size will make it significantly
harder for anyone to do traffic analysis on mail to your nym.
+disable/-disable
One of the most effective forms of attack on a pseudonymous remailer
such as this is to flood the system with messages for a particular
destination. Moreover, because this alias software does not know a
message's final destination, it is possible that some joker could
point an alias at itself (maybe even using two reply-blocks to
create exponentially increasing levels of traffic). To protect
against this, if you send or receive more than about 10 Megabytes of
mail in one day, your alias will be disabled and further mail to
it will bounce. You will receive mail notifying you of the situation
if this happens to you. At this point, you can re-enable your alias
by sending a message with `Nym-Commands: -disable' to
config@nym.alias.net.
+fingerkey/-fingerkey
Allow people to obtain your nym's PGP public key by fingering your
E-mail address. The Key ID on your PGP public key must contain your
nym's full E-mail address in angle brackets in order to be given out
through finger. Thus, a Key ID of "Test User
<yournym@nym.alias.net>" would be visible by fingering
yournym@nym.alias.net, but a key ID of just "yournym@nym.alias.net"
would not be. See the section on "GENERATING A PGP KEY FOR YOUR NYM"
below for a discussion of the security implications of publishing
your nym's public key.
name="Your Alias Name"
Typically E-mail `From:' lines contain a user's full name in
addition to his/her E-mail address or account name. To set up a name
to be printed in all your outgoing messages, like this:
From: Your Alias Name <yournym@nym.alias.net>
and to have that full name appear when your nym is fingered, you
should send the corresponding `name=' Nym-Command in a configuration
message. Note that the outer quotes are necessary even if your name
does not contain any white space. If your full name actually
contains any quote or backslash characters, you must precede them
with a backslash, as in, for instance:
Nym-Commands: name="Billy \"the kid\" Smith"
To delete your full name so that outgoing mail only shows your alias
address and finger shows a full name of '???', send the command
name="".
create/create?
One of these two commands must be given when creating a new alias.
The create command will fail if a nym with the chosen name already
exists. The create? command will create a new nym, but can also
update an existing nym if the configuration message is signed by the
nym's previous private key.
delete
This command deletes your alias and wipes your reply block. As
described above, you should receive PGP-signed mail explicitly
acknowledging the deletion of your alias. An acknowledgment simply
confirming generic "successful execution" of your request does not
indicate that your alias has been deleted. Note the message will not
be PGP-encrypted if you have selected -cryptrecv, but in that case
encryption with the proper shared keys should provide some assurance
of authenticity.
+nobcc/-nobcc
When set to +nobcc, your nym will not receive any blind carbon
copies of mail messages. When you have selected +nobcc, any E-mail
sent to your pseudonym will bounce if it does not display your E-mail
address in a To, Cc, Resent-To, or Resent-Cc header. Apparently-To
headers are ignored for the purpose of the nobcc option--mail
will bounce even if you are listed in an Apparently-To header. While
blind carbon copies can be a legitimate and useful mechanism, most
so-called SPAM messages are sent as blind carbon copies. Thus,
+nobcc may reduce the number of SPAM messages you receive at the
possible expense of bouncing some legitimate blind carbon copies.
-nobcc undoes the effect of a previous +nobcc command, and allows the
reception of blind carbon copies again. Note: You will not be able
to subscribe to any mailing lists if you select +nobcc.
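The command syntax described in this section (space-separated commands, repeated "Nym-Commands:" headers, and backslash escaping inside name="...") can be checked locally before a configuration message is signed and sent. The Python parser below is an added example, not the nym server's own code; the name parse_nym_commands is hypothetical, the accepted commands are only those listed above, and the sample message is constructed.

```python
import re

# One token: name="..." with \" and \\ escapes inside, or a bare word.
TOKEN = re.compile(r'\s*(?:name="((?:[^"\\]|\\.)*)"(?=\s|$)|(\S+))')
ACTIONS = {"create", "create?", "delete"}
FLAGS = {"acksend", "signsend", "cryptrecv", "fixedsize", "disable",
         "fingerkey", "nobcc"}


def parse_nym_commands(message):
    """Collect every Nym-Commands header of a configuration message.

    Returns (actions, flags, name): actions is a list of create/create?/delete,
    flags maps an option to True (+) or False (-), and name is the unescaped
    full name, "" if it was cleared, or None if no name= command was given.
    Raises ValueError for anything not in the command list.
    """
    actions, flags, name = [], {}, None
    for line in message.splitlines():
        if line in ("", "Public-Key:", "Reply-Block:"):
            break                        # commands only appear before these
        if not line.startswith("Nym-Commands:"):
            continue
        rest = line[len("Nym-Commands:"):].rstrip()
        pos = 0
        while pos < len(rest):
            match = TOKEN.match(rest, pos)
            pos = match.end()
            quoted, word = match.group(1), match.group(2)
            if quoted is not None:
                # Drop the backslash in front of each escaped character.
                name = re.sub(r"\\(.)", r"\1", quoted)
            elif word in ACTIONS:
                actions.append(word)
            elif word[0] in "+-" and word[1:] in FLAGS:
                flags[word[1:]] = word[0] == "+"   # a later header overrides
            else:
                # Covers unquoted name=value and unterminated quotes too.
                raise ValueError(f"unrecognised Nym-Command: {word!r}")
    return actions, flags, name


# Constructed sample: one command per header plus an escaped full name.
SAMPLE = "\n".join([
    "Config:",
    "From: dude@nym.xg.nu",
    "Nym-Commands: create +acksend",
    'Nym-Commands: -signsend name="Billy \\"the kid\\" Smith"',
    "Public-Key:",
])

if __name__ == "__main__":
    print(parse_nym_commands(SAMPLE))
```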
------------------------------- end of file ------------------------------------
----- Credit -----
The original file was written by jay@squirrel.owl.de
and has been changed to meet the needs of nym.xg.nu. I would like to thank
jay for the hard work he did on this file.