The two keys, public and private, are reciprocal in the RSA algorithm. If either is used to encrypt, the other can be used to decrypt. Consider the situation where one party encrypts a message with the private key. We assume that that individual is the only one capable of doing this, because only they have possession of the private key. Anyone with the public key may decrypt the message. If the message is also published, anyone may be satisfied that the first party performed the encryption and no-one else. This characteristic is analogous to a signature on a document, and has become known as a ``digital signature''. Digital signatures may be used to implement the desirable property of authenticity.
Privacy and authenticity may both be achieved by using the same key pair for each. It may be convenient, however, to reserve one key pair for privacy and to use another for authenticity. The reason for this apparently odd behaviour becomes apparent when we consider either key escrow or enforced decryption of private material. Suppose that an organization wishes to be able to gain access to material encrypted by an employee, or that a court orders some information to be made legible. The organization may require that a copy of the decryption key be provided to them when it is made, or the court may force it to be revealed. If the same key pair is used in both roles, revealing the private key so that material may be decrypted also permits the organization or court-authorized investigator to forge the signature of the individual. This could be regarded as undesirable. Versions of PGP prior to 3.0 draw no distinction between privacy keys and authenticity keys. It has been stated by the developers that version 3.0 will support both types and the distinction will be explicit.
Since public key encryption has such attractive properties, it might be wondered why conventional encryption is used at all. The reason is efficiency. The best asymmetric methods are much slower than strong symmetric methods. PGP uses both, as has been mentioned. When it is used for privacy, the program picks a random number of 128 bits, called a ``session key'' and uses that as the key for IDEA to encrypt the bulk of the message. It then encrypts the relatively small session key with (each of) the public key(s) of the intended recipient(s) and adds it to the encrypted data. The recipient(s), on receipt of the message, can then use their private key to decrypt the session key and use that to decrypt the main information.