How to Save PGP

Tomcat666 sends in: "The Register got some excerpts from an interview with Phil Zimmerman. He talks about how it might be possible to save PGP (Network Associates couldn't sell it, and will stop its development), OpenPGP and the future (industry-backed OpenPGP?)." A follow-up to our story yesterday about Network Associates mothballing PGP.

The lesson learned is...

[qurob]

Make your pet projects free from the start.

Notice that Phil wants to release it under a BSD style license. As much as we'd all like that, it probably isn't going to happen.

RTFA

[BlackSol]

This isn't the end of PGP. OpenPGP is always going to be around. (or almost always - its open but everyone could decide to trash it if they like)

This is the end of commercial PGP. This isn't a good thing for PGP to be used in commercial settings. Also this is the end of the PGPDesktop which was the only thing close to an option for (l)users.

Hopefully NSI will release the code in a manner that will allow a smaller company to add value and repackage it to large corporations.

Re:Why?

[Minupla]

How about Amnesty International who uses PGP to keep their researchers who are in dangerous parts of the world, and the people who inform them safe from governments who would think nothing of searching their laptops? PGP has saved lives of good people who without it wouldn't have access to encryption secure enough to trust their lives with.

Think about that, how many computer programs would you trust your life with?

Re:Save it WHY?

[Colosse]

That's not the real problem. PGP don't create terrorist, and we all know that encrypted mail/files aren't the only way to pass secret information. I belive we should all care about crypto. Like Phill Zimmerman says roughly: E-Mails are like postcards, PGP is just a tool to get you mail messages into an envelope. Privacy is the real issue about tools like PGP, if you are willing to let it go, goverments, industries and peoples will sooner or later abuse you rights. You're not free when you are always looked upon.

Re:Please do correct me if I'm wrong, but

[Choco-man]

of course, advances in magnetics and flight will eventually make tires on land vehicles obsolete too. unfortunately, neither of them has advanced to the point of feasibility yet, nor has quantum computing. until such time as that happens, there's a need for good ol' fashioned tires. or encryption.

GPG, OpenPGP, and what needs saving

[PureFiction]

In the article Phil focuses on easy to use GUI interfaces for less technically adept end users as the major feature that the OpenPGP/GPG projects need to focus on. This is the main advantage that the commerical version provided, and the main thing lacking in all the other alternatives.

He clearly states that the PGP protocol is in no danger whatsoever, and will continue to remain widely implemented.

Having spent many hours deciphering gpg command lines to use PGP to its full potential makes you realize how usefull a simple, easy to use GUI interface to a PGP would be. (Implicit in this task is integration with other applications, however, you can find plugin support for almost anything that you wish to use PGP in)

I don't get it...

[Ryu2]

The commerical PGP is only one implementation of the open PGP standard. Even up to 6.5.8, full source code was available from Network Associates.

Plus, there is GPG, PGPi, and other freeware implementations of the standard (under the umbrella of OpenPGP.org).

I don't see why "PGP" as a whole is going down.

It's like saying if Microsoft or Netscape decided to stop relasing browsers, then the entire WWW is doomed, when there's still Konquerer, Opera, Mozilla, and the whole W3C standards body, etc...

Re:Why?

[Anonymous Coward]

Yeah, I'd much rather die because of a bug in poorly-written public domain code, than buy from a company that has staff on hand to do quality testing, and paid programmers who can spend all day on the code.

Oh wait... NO!!

BEFORE you post a reply, read this:
1) Yes, I know, microsoft software sucks. That's not what I'm arguing about.
2) I'm also aware some companies use EULAs to eliminate their liability. You should buy from someone who doesn't do this if you need quality-certified software.
3) This has nothing to do with linux, beowulf clusters, or Linus Torvalds.

Re:Why save PGP?

[aridhol]

specifically what does it add over GPG?

Usability? GUI?

Re:Why not...

[caspper69]

Because as we know, we should look to the closed source community (Microsoft, what?) for all our security needs. At least open source doesn't try to deal with security problems by denying they exist.

It didn't even take 10 minutes... Can someone tell me what PGP being open/closed source has to do with Microsoft? Last I checked NAI was the vendor of the product, and it was CLOSED source. From what I've heard this is an excellent product, and it's a shame to loose, no matter what plaform you run. Just because something is Open Source doesn't mean it's better. Do you think that the majority of the best coders do work for free, or for profit? And despite what you may think, some of the most talented people in this industry work at Microsoft (and NAI for that matter)... As for public vs. non-public disclosure of security issues, I'm sure that MS has plenty of reasons for NOT releasing their vulnerabilities. They have to take things into consideration that the Open Source community does not. With all the MS haters out there, as SOON as a vulnerability is announced, there are tens of thousands of script kiddies in their basement trying to wreak havoc on the Internet. Should there be vulnerabilities? No, but it's a fact of ANY software development. It doesn't mean there aren't a thousand people at MS slaving away trying to make their products better. Have a little more respect and appreciation for the scale of the systems we are even able to create nowadays. Damn zealots.

Re:Sorta Phil's fault

[Slynkie]

Or, since back in 1991(?) when Phil first started his PGP work there was virtually NO corporate use of GPL'd software, PGP would have buried itself.

I think it was definitely advantageous to have the corporate support of PGP in order to get it entrenched (however deeply it is) in the business world. Now, with commercial PGP going away, it's possible companies will have no choice but to move to open sourced alternatives and implementations if they wish to keep their security and privacy intact.

Re:GPGME - GPG Made Easy

[aridhol]

Compiles fine on most Linux distributions. It needed a small amount of help to compile on Mac OS X

Yes, but in the Real World we still need to support Windows.

Note that GPGME isn't really a GPG library. It uses the GPG command-line behind the scenes, so it is inherently unportable - you can't get IO from another running process in ISO C.

When I suggested creating a PGP library, I meant a true library. Make the code ISO9899 compliant, then the only issue is linking it to the front end.

Re:Please do correct me if I'm wrong, but

[mmacdona86]

People discuss quantum computing as if it were inevitable, when in fact it is not at all clear that the difficulty of getting n bits entangled in a quantum computer does not scale as exp(n)--in other words, the difficulty of getting a quantum computer working may scale just as quickly as the computational advantage you get from it. A useful quantum computer being impossible to build would not be surprising at all. Lots of neato quantum effects are in fact impossible to scale to the macro world.

If you can't sell it . . .

[Anonymous Coward]

then a)it has no value, and you have nothing to lose by giving it away, say, to the FSF [fsf.org], OR b) you can't find the value in it, and so maybe you should let someone else have a crack at it. (Add suggestions for 'someone else' as you see fit, but, of course, my vote goes to Phil [philzimmermann.com].