Zimmermann to Network Associates: Sell PGP back to me, or open-source it

R. A. Hettinga rah at shipwright.com
Wed Jul 3 12:51:36 EDT 2002


http://newsforge.com/newsforge/02/07/01/1411226.shtml?tid=21


 Zimmermann to Network Associates: Sell PGP back to me, or open-source it

Tuesday July 02, 2002 - [ 09:27 AM GMT ]
Topic - Privacy - by Bruce Tober

Philip R. Zimmermann, author of encryption program Pretty Good Privacy, is
suggesting current owner Network Associates open-source PGP's code as one
alternative to the program dying on the vine at the company. "I would
strongly prefer PGP be Open Source compared with the current scenario,
because right now it's locked in intellectual property prison and no one
can get it," he says. "Open Source would be much better."

Zimmermann says a return to open-code status is one option he could live
with. His first choice for PGP, however, would be to buy it back from
Network Associates. He sold PGP in 1997, but last year, the company gave up
trying to make PGP profitable and put it up for sale. But the company
hasn't been able to off-load it, and PGP is now in limbo world.

Zimmermann says he can't buy back PGP for one very simple reason: "I don't
have the money to buy it back."

PGP's status as Open Source has sometimes been confused. "It wasn't
actually Open Source," Zimmermann says. "It was published source code, for
peer review. Open Source has to do with IP. Publishing source code for peer
review has to do with transparency and making sure there are no back doors."

With the source code able to be modified, it might be easy for some people
to think of PGP as Open Source. "You could modify it if you wanted to, and
run it on your own computer, but you could not distribute a modified
version," Zimmermann explains. "That's the way it's always been, it's not
some recent policy, it's right there in the PGP manual, from 10 years ago."

Douglas Hurd, Network Associates' senior product manager for Desktop
Firewall and E-Business Server, says PGP products are in "maintenance
mode." He adds: "We don't sell more. We look after existing customers until
their licenses expire. I was responsible for the desktop crypto stuff as
well before we rolled up the PGP business unit."

Hurd says there are "no plans to make it Open Source. I can't say 'never'
as far as selling it off. And we still sell PGP in the form of E-Business
Server (the command-line version of PGP). This is a viable offering that an
Open Source policy would kill off."

Zimmermann disputes this. He explains Network Associates could open-source
the software developer's kit and the GUI, "thus allowing the desktop
product to be free from its prison, and omit the command-line wrapper from
the OS.

"So what they could do," Zimmermann continues, "is open-source everything
except the command-line wrapper. So they're selling a product that is a
command-line product. Everybody likes to use the desktop product, which is
the SDK and the GUI. So that's what they should open-source."

This would allow Network Associates to continue to sell and make money from
the command-line version, more popular with corporate techies. "End-users
don't pay money," Zimmermann says. "It's the businesses with their techies
who pay money and they like to have a command-line product to run in a
shell script, so that a big Web site, for example, can encrypt your credit
card number. Their command-line product is for one of those raised-floor
machine rooms with a bunch of servers and nobody around."

But Hurd has more questions: "Also, if we were Open Source, who do you
think users would look to to maintain it? And how many of them would be
willing to pay?"

Hurd believes "it is possible that there is a viable business model with
regards to PGP desktop encryption technology, but we haven't found what it
is. Our server-based licensing is successful, though, and we continue to
sell, support, develop in this area."

But Zimmermann thinks otherwise. "First of all, I'd like to point out that
they don't have any engineers to maintain the command-line product. They
fired all the employees in February after their attempts to sell it failed.
There's no one left to maintain it."

In addition, he says, "nobody's buying it. They haven't found a corporate
buyer. And so, by sitting on it like this, and not open-sourcing it, it
kind of reminds me of the wealthy Japanese tycoons who when they died were
cremated along with their great works of art that they'd accumulated
through their lives. It does them no good to keep it the way it is. And it
does everyone else a great deal of harm."

If Zimmermann is eventually able to buy back PGP, his plan would be to
"create a mechanism whereby there would be some kind of a dead man's switch
on it. That way it could be published source code as it always was, but not
Open Source for as long as the new company continues developing,
commercializing and selling it. But, if something happens like it goes
bankrupt, or gets sold to another company that doesn't continue to develop
it, they would inherit the same responsibilities. As soon as it becomes
discontinued, then it would have to become fully Open Source. That's what I
would do, I would have an IP lawyer craft a license that would spell out
those conditions.

"Now, one would have to do that in a way that would still make it
attractive to investors in order for them to finance the thing to begin
with ... But I'm not seeing investors lining up at the door here."

The reasons investors aren't beating a path to his door are several, he
says. "One is that the tech sector has been hit pretty hard. The crash of
the Nasdaq in November 2000 certainly had a huge impact on the Silicon
Valley's economy, and it dried up capital. And this was before September
11. So that, probably more than anything else, has made it difficult to
raise the capital to buy the product back."
-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List