Zimmermann creates a non-free command-line OpenPGP product
R. A. Hettinga
rah at shipwright.com
Sat Feb 8 13:07:41 EST 2003
--- begin forwarded text
From: pplf <pplf at wanadoo.fr>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130)
To: gnupg-users at gnupg.org
Subject: Zimmermann creates a non-free command-line OpenPGP product
Sender: gnupg-users-admin at gnupg.org
Date: Sat, 08 Feb 2003 09:44:09 +0100
For info, here are the Slashdot article and the Philip Zimmermann letter:
Command-Line Crypto From Phil Zimmermann, Again
EncryptionPosted by timothy on Friday February 07, @04:45PM
from the will-smite-thee-is-a-command-line dept.
A few months ago, PGP creator Phil Zimmermann became a reseller for the
current graphical version of the software he originally spawned,
produced by PGP Corporation. Now, Zimmermann has just started selling
through his own website a modern command-line encryption product called
FileCrypt, which has its roots in an older version of PGP. Confusingly
enough, this software is produced by a company called (Veridis), and
doesn't say PGP on the box, because legally it can't. Network
Associates, which acquired PGP Inc. in 1997, still holds the rights to
that name; when NAI spun off PGP to PGP Corporation in 2002, they held
onto the command-line version. PGP Corporation, for whom Zimmermann
serves as a technical advisor (as well as a reseller), is contractually
unable to sell a command-line version. (He is on the board of Veridis as
well.) But why introduce a text-only version of utility software,
anyway, when the GUI-fied desktop version has been maturing for years
and costs less? Update: 02/07 23:07 GMT by T: Here are three instant
clarifications: PGP Corporation was misrendered as "Open PGP" in this
paragraph; Veridis' command line product was inspired by PGP but
independently created; its codebase is separate from NAI's version of
PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.
They aren't paying for a pretty logo.
The real reason is that the GUI version of PGP (along with other
graphical encryption software, like the GNU Privacy Guard) aren't even
in the same market.
Casual computer users have never laid out much money for encryption. The
widespread use of PGP in its original incarnation (during the era of
Zimmermann's prosecution for allowing it to be exported) can be
attributed as much to its zero-dollars price as to a generalized
interest in privacy. Home and hobby users are not cut out from buying
Veridis's software -- for about a hundred dollars, you can buy a
personal use version of the command-line version. The real money isn't
in individuals keeping their tax records private, though -- Zimmermann
and Veridis, like NAI (whose PGP-based product is called E-Business
Server) are really aiming at commercial and governmental datacenters,
and for customers willing to accept a much higher pricetag.
Insurance companies, banks, credit card processing centers, state
records -- anywhere financial or otherwise confidential records are
exchanged or stored en masse -- these all need encryption which works at
the command-line. More precisely, they need crypto software which can
work without direct human intervention at all. Instead, massive data
centers need tools which can be called by scripts and other programs, so
servers, or server farms, can spend their time crunching numbers rather
than drawing pictures.
The name is familiar ...
The commercial competition FileCrypt faces is familial -- it's the same
product from NAI (sold from their McAffee division) that prevents
Zimmermann and Veridis from calling their software PGP, even though NAI
now labels their product E-Business Server. And though many companies
have homegrown cryptographic solutions, Zimmermann says he knows of no
other packaged software offering the high-volume encryption that the
products from NAI or Veridis do.
And, he emphasizes, what they do is very similar. He says of the Veridis
command-line product compared to NAI's, "It's drop-in compatible,
identical in operation ... you could run the same perl scripts, the same
If you want to buy Veridis' encryption software licensed for electronic
commerce (not one-person use), hold onto your wallet: the price jumps
about 50 times, to a shade under $5000, which Zimmermann describes as a
bargain -- at least compared to the competition.
(Prices on the McAfee website show a one-year subscription-based license
for E-Business Server starting at $6,875; $14,375 buys a perpetual
license, with no included support.)
Both sides of that fence.
And of competing in this case with a product that originated from his
own crypto software (and his own company, PGP Inc.), Zimmermann says "I
just don't really think of that as my product any more. It's in the
hands of NAI, all the engineers have been fired. I just don't feel
psychologically connected to that product."
To look and not to sell.
Especially when it comes to cryptographic software, code openness is
considered not just a virtue but a near necessity. Peer-review and
independent auditing, after all, are about the only ways you can tell
that software isn't shuttling credit card numbers to the wrong person.
The business model of selling high-priced crypto software at thousands
of dollars per processor doesn't mesh well with gratis software, though.
To that end, Zimmermann says the FileCrypt code will be soon be
available for download and inspection under terms which he says will be
similar to those under which users can download the code for PGP
Corporation's version of the PGP-based desktop software. (PGP
Corporation's terms are available though their source code page).
From PGP to OpenPGP...
by Philip R. Zimmermann
PGP, the most popular email encryption product in the world, has come a
long way since 1991 when I first released it. The PGP® product itself
has been improved and rewritten many times by teams of engineers over
the years, and indeed even the teams of engineers have had a significant
amount of personnel turnover.
This raises a question, what exactly is PGP?
Which is the "true" version? Was it the classic 1994 PGP version 2.6.2
command line product, which some diehard PGP users still cling to? Or is
it the current PGP 8.0 GUI product from PGP Corp, which has almost no
code in common with my old PGP 2.6.2? If these products are both
regarded as PGP, then why not consider other code bases that implement
the OpenPGP standard? The obvious answer is trademark. PGP is a
trademark of PGP Corporation. More on that later.
Let's go back to 1995, when I was still under criminal investigation by
the US Justice Department for export control violations by letting PGP
become exported from the US. At that time, I was approached by Olivier
Merenne, who owned a software company in Brussels, who specialized in
security and system software applications. Olivier wanted to sell PGP in
Europe, but knew that the original code base I developed would always
have a cloud hanging over it due to the taint of alleged violations of
US export controls. He wanted to solve this problem by developing in
Belgium a new code base to re-implement PGP from scratch. Then he could
sell it in Europe with no legal problems. That was OK with me.
Olivier proceeded with development, and was ready a year later to demo
the new product to me. But in that same year, I won my fight with the US
government, they dropped the case, and I started a new company called
PGP Inc in the US.
In the intervening years I have come to know Olivier and his engineering
team (headed by Laurent Debonte and Sebastien Lemmens), and have
developed respect for their code base that implements the OpenPGP
standard. I joined their board of directors. I have worked with them,
participating in engineering design sessions, reviewed critical parts of
the code in their crypto library SDK, and I regard it as a good
implementation of the OpenPGP standard.
After a couple of years, my company ran out of money and I had to sell
it to Network Associates (NAI), who never really understood PGP. In late
2000, NAI broke with PGP tradition and stopped publishing their source
code. In February 2002, NAI pulled the plug on PGP, fired all the
employees (I got out a year earlier), and tried to find a buyer of the
assets. A new startup, PGP Corporation, bought the rights to the PGP
products and trademark from NAI.
But NAI held on to one version of PGP, the version that lacked a
graphical user interface, the command line version. It was called PGP
E-Business Server. After selling the PGP trademark to PGP Corporation,
NAI called it the McAfee E-Business Server. This product is used by web
commerce sites to encrypt credit card numbers and the like, or for
moving bulk files around between corporate servers via FTP transfers. It
had to be the non-GUI version, because it had to run in shell scripts
without human intervention. The reason why NAI retained control of this
product was because it was a cash cow for them. However, many PGP users
were alienated by stratospheric pricing policies and lack of a low cost
version for the non-server interactive users.
Something had to be done, to relieve the pressure on the PGP community
that depends on a command line product. We needed a licensing scheme
that would address both the corporate server market as well as the
interactive workstation user. PGP Corporation couldn't do anything,
because they have an agreement with NAI that precludes them from
competing with NAI by producing or selling a command line version of
PGP. Fortunately, no other player in the OpenPGP community suffers from
such a handicap. Including me. And Olivier's team, with their completely
independent code base.
So I'm introducing my own modest alternative to the old PGP command line
product, and I'm basing it on the code developed by my friends in
Belgium. I can't call it PGP because I don't own that trademark. I
wracked by brain to come up with another name as inspired as Pretty Good
Privacy, but just couldn't. So we had to make do with the perfectly
servicable name of FileCrypt®. I think that at a technical level it's
just as much like PGP as the current NAI E-Business Server product, and
is as compatible with the OpenPGP standard as PGP. And keeping with the
true PGP tradition, the source code will be available for peer review.
We are offering an inexpensive version of FileCrypt for interactive
users who simply prefer a command line product, and another version
priced for corporate servers that run it non-interactively.
If you want a nice GUI version of PGP, I suggest you get PGP
Corporation's product, PGP. You can get it from me on my web site at
Why should the business community opt for the OpenPGP standard? For
years this standard dominated the world of email encryption. But during
the last year of NAI's stewardship of PGP, the user community held back,
deferring deployment decisions to see what would happen with PGP,
creating a backlog of pent-up demand. Now, since PGP's rescue, OpenPGP
has surged ahead of all other protocols for email and file encryption.
Even the US military, previously committed to a different email
encryption protocol with an inflexible PKI, now seems to be showing a
renewed interest in embracing PGP.
The handwriting on the wall is clear, OpenPGP is now unstoppable.
pplf - French OpenPGP page <pplf at wanadoo.fr>
"OpenPGP en francais" PGP: 8263 8399 2074 5277 a6d3
http://www.openpgp.fr.st 622d 1b66 ea3d caa0 8c94
Gnupg-users mailing list
Gnupg-users at gnupg.org
--- end forwarded text
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography