Slashdot Mirror


PRZ Announces Departure From NAI

fitsy wrote to us that Philip Zimmermann, the creator of PGP, has left Network Associates. NA had bought PGP Inc back in December 1997, and PRZ has been working there since then - his departure marks an interesting turn in the life of PGP - but his message (below) has a lot more detail. One of the cool links of things he's working on is the OpenPGP Consortium.

The message:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A note to PGP users:

As most PGP users know, Network Associates Inc (NAI) acquired my company, PGP Inc, in December 1997. For three years after that, I stayed on with NAI as Senior Fellow, to provide technical guidance for PGP's continued development, and to ensure PGP's cryptographic integrity. But I can't stay on forever. In the past three years, NAI has developed a different vision for PGP's future, and it's time for me to move on to other projects more fitting with my own objectives to protect personal privacy.

Let me assure all PGP users that all versions of PGP produced by NAI, and PGP Security, a division of NAI, up to and including the current (January 2001) release, PGP 7.0.3, are free of back doors. In all previous releases, up through PGP 6.5.8, this has been proven by the release of complete source code for public peer review. New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish. If NAI ever publishes the complete PGP 7.0.3 source code, I am confident that the public will be able to see that there are still no back doors. Until that time, I can offer only my own assurances that this version of PGP was developed on my watch, and has no back doors. In fact, I believe it to be the most secure version of PGP produced to date.

While it is true that NAI holds the PGP trademark and the source code for the NAI implementation of PGP, I'd like to point out that PGP is defined by an IETF open standard called OpenPGP, embodied in IETF RFC 2440, which any company may implement freely into its products. I will be working with other companies to support implementations of the OpenPGP standard, to turn it into a real industry standard supported by multiple vendors. I think the emergence of more than one strong commercial implementation of the OpenPGP standard is necessary for the long term health of the PGP movement, and will, incidentally, ultimately benefit NAI.

To this end, I will be assisting the makers of HushMail, Hush Communications (http://www.hush.com), to implement the OpenPGP standard in their future products. They will be doing their own announcement of this new relationship.

In addition, I will be assisting Veridis (http://www.veridis.com), a recent spin-off of Highware (http://www.highware.com), to create other OpenPGP compliant products, including software for certificate authorities for the OpenPGP community.

I am also launching the OpenPGP Consortium (http://openpgp.org), to facilitate interoperability of different vendors' implementations of the OpenPGP standard, as well as to help guide future directions of the OpenPGP standard.

This coming June marks the 10 year anniversary of the 1991 release of PGP to the public. PGP was originally designed for human rights applications, and to protect privacy and civil liberties in the information age. By proliferating the OpenPGP standard, we can renew that promise, and continue the commitment to personal privacy that captured the imagination and participation of millions around the world.

Philip Zimmermann
19 Feb 2001
prz@mit.edu
http://web.mit.edu/prz
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBOpDtWmPLaR3669X8EQLv0gCgs6zaYetj4JwkCiDSzQJZ1ugMhqsAoMgS
me78KR5VEfCVEUFpwOCCk8Tx
=JVF2
-----END PGP SIGNATURE-----

14 of 91 comments

  1. Re:PGP vs. SSH by DaveHowe · · Score: 3
    "OpenPGP compliant" or "OpenPGP compatible" will certainly be available labels for such products - but "PGP compatible" may run into a wall of NAI lawyers and actually calling it PGP (or some variant with the same acronym) will definitely be off limits.

    I get a feeling of "the PGP spirit will move on in OpenPGP not PGPclassic" from the letter though that NAI won't be happy at all - I would say the real world value of PGP just halved for them....
    --
    -=DaveHowe=-
  2. Re:I'm glad he pgp-signed his message, by DaveHowe · · Score: 5

    you might want to check the plaintext version of it on the pgpi website then.
    --
    -=DaveHowe=-
  3. Re:I'm glad he pgp-signed his message, by Speare · · Score: 3

    However, since the message was changed in formatting to HTML, the signature cannot be easily verified. You'd have to get back to the original file contents exactly, line breaks and all. Did he submit those URLs with [a href=""] tags, or did the slashdot editor insert them?

    Not that it's likely very useful for Slashdot itself, but Slash and other should probably have a mechanism for "submit by file upload" and "read original submission file," so that more people can use signed content on the web. Slash already has a place for you to announce your PGP key [mine is posted], but the lame word-wrapping feature inserts a column of spaces.

    It would also avoid some of that ugly "id so-and-so is the real User; everyone else is an impostor" check, by the way. Bruce Perens and anyone else who thought they were being forged could digitally sign their submissions.

    --
    [ .sig file not found ]
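Speare's point about the HTML-reformatted message, as an added example (Python; not code from the post, from PGP or from NAI): the RFC 2440 cleartext-signature canonicalisation step decides what a verifier actually hashes, so CRLF-versus-LF and trailing whitespace are tolerated while a space a word-wrapper inserts inside a long token is not. The sample message and the armor() helper are constructed for the example, and real verification additionally checks the signature packet itself.

```python
# Added example (not from the post or from PGP/NAI code): the RFC 2440
# cleartext-signature canonicalisation step, showing which transport edits a
# verifier tolerates and which, like a word-wrapper's inserted spaces, do not.
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def canonical_signed_text(armored: str) -> bytes:
    """Bytes a verifier hashes for a cleartext-signed message (RFC 2440 sec. 7):
    dash-escaping ('- ') removed, trailing spaces/tabs dropped from each line,
    lines joined with CRLF, no line ending before the signature block."""
    lines = armored.replace("\r\n", "\n").split("\n")
    try:
        start, end = lines.index(BEGIN_SIGNED), lines.index(BEGIN_SIG)
    except ValueError as exc:
        raise ValueError("not a cleartext-signed message") from exc
    body = lines[start + 1:end]
    while body and body[0].strip():      # skip 'Hash: SHA1' style armor headers
        body.pop(0)
    body = body[1:]                      # drop the blank separator line
    clean = []
    for line in body:
        if line.startswith("- "):        # undo dash-escaping
            line = line[2:]
        clean.append(line.rstrip(" \t"))
    return "\r\n".join(clean).encode("utf-8")

def text_digest(armored: str) -> str:
    """SHA-1 over the canonical text. A real verifier also hashes a trailer from
    the signature packet before checking the DSA/RSA signature, so this is the
    text-reconstruction half of verification, not all of it."""
    return hashlib.sha1(canonical_signed_text(armored)).hexdigest()

# Constructed sample (not PRZ's real note), built by armor() without a signature.
HEADER = BEGIN_SIGNED + "\nHash: SHA1\n\n"
BODY = [
    "A note to PGP users:",
    "- -- this line began with dashes, so the signer dash-escaped it",
    "see http://openpgp.org/a-long-link-that-a-wordwrapper-may-split",
]

def armor(body_lines, eol="\n", pad=""):
    return HEADER + eol.join(l + pad for l in body_lines) + eol + BEGIN_SIG + "\n"

ORIGINAL = armor(BODY)
RETYPED = armor(BODY, eol="\r\n", pad="  ")   # CRLF + trailing spaces: tolerated
WRAPPED = armor([l.replace("wordwrapper", "word wrapper") for l in BODY])  # breaks
```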
  4. Re:Is he attacking NAI? by EasyTarget · · Score: 3

    Surely he'd be better off staying within NAI and fighting to ensure that the code remains free from backdoors?

    Well, that may be best for us (the community), but Phil is entitled to a rewarding life of his own. Maybe he just felt he was pissing into the wind at NAI, and that he'd be happier and more productive elsewhere.

    It is after all -his- life, not ours ;)

    EZ
    'The truth is out there.. but the lies are all in your mind.'

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  5. Re:Ugh, what's with the acronyms? by DaveHowe · · Score: 3

    I don't see the problem here - Phil is sufficiently well-known that everyone knows who PRZ is when we use that abbreviation..
    --
    -=DaveHowe=-
  6. Re:PGP vs. SSH by Azog · · Score: 3

    I hope the "OpenPGP consortium" doesn't make it their objective to write yet another version of PGP. We already have one - Gnu Privacy Guard - which is both open source and RFC-whatever compliant. Plus it's fully scriptable, so it's easy to hook it up to other programs. And the documentation is even good.

    On the other hand, if the OpenPGP consortium works with Hushmail, Zero Knowledge, and all the other companies out there to try to make secure email interoperable, that would be very, very nice.

    I'm sure the NSA,CIA,FBI, and others get the giggles every day they decrypt email and think "Damn, these people are dumb! PGP has been out there in the world for years now, and almost nobody uses it!"

    But frankly, it's a pain to use because it isn't integrated into enough software. For example, it would be nice if you could attach an OpenPGP signature to the text you put into an on-line form in Mozilla - like I am right now. Then we could have secure-signed Slashdot postings. Why? It's not like Slashdot's cookie-based login system is very secure - not that it was ever claimed to be - but if someone hacked into Slashdot (again) and managed to steal some username/password combinations, they could do a lot of damage to some people's reputations. I'm not talking about karma loss here - what if posts under your userID started showing up badmouthing the company you work for, and praising kiddie porn, and threatening to kill the president? You would have a rough time fixing that. GPG signatures would make it easy to prove you didn't do it.

    And if my W2K box at work supported OpenPGP in Outlook, that would be nice too. So, I wish the best to Phil Katz and the OpenPGP consortium, as long as they don't bother to reinvent the Gnu Privacy Guard wheel. Look for innovative ways to add Open-PGP signatures to everything!

    Torrey Hoffman (Azog)

    --
    "HTML needs a rant tag" - Alan Cox
  7. PGP vs. SSH by lunenburg · · Score: 3

    Hm, it looks like PRZ is saying that while NAI owns the trademark on PGP, since OpenPGP is the name of an internet standard, other people can use it to describe their projects.

    Maybe I'm reading that wrong, but I wonder how that plays with the whole "SSH the Product" vs. "SSH the Protocol" debate?

  8. Is he attacking NAI? by sharkticon · · Score: 3

    It seems as though this letter contains hints of bitterness over having to leave, and that the vision he had for PGP and NAI's vision were somewhat different. The comments about source code and backdoors seem to indicate that he thinks NAI aren't going to be opening the code for review in the future.

    Surely he'd be better off staying within NAI and fighting to ensure that the code remains free from backdoors? It seems as though he's willing to compromise his principles to get out of a difficult situation, and it means that many of us are going to have to switch to other, less secure versions that we at least know are free from holes.

    When it comes to ensuring freedom you can't just cut and run at the first hurdle...

    1. Re:Is he attacking NAI? by Anonymous Coward · · Score: 3
      I picked up a similar feeling from the letter. What goes unwritten is at least as interesting as what was written. For example, by specifying which versions he has certified to be free of backdoors, is he indicating that company policy is going to change in the future or is he just saying that there aren't any NSAKEYs here on his watch?

      I have to dispute Phil's decision and future plans as being a compromise on his principles, though. He's moving from trying to ensure NAI's PGP as a secure product to trying to ensure everyone's OpenPGP implementation is a secure product. Additionally, he's trying to make using OpenPGP a more realistic option for everyone, something that the industry could probably use considering that about one e-mail in a hundred that I read has been signed and none of my associates has ever used PGP. He still wants to push freedom; he's just moved his focus from one commercial product to any software willing to embrace an open standard.

  9. I'm glad he pgp-signed his message, by wunderhorn1 · · Score: 3
    cause nobody on here would be so naive as to automatically assume everything they read is true! That would never happen, since we're all a bunch of raging sceptics.

    blah.

    --
    Karma: Bored. (Thinking about resurrecting the "Anyone else is an imposter" joke.)
  10. Re:The tone is a little disconcerting by DaveHowe · · Score: 5
    That is how I read it, yes - NAI is moving away from the open-peer-review, trust-me-because-you-can-check attitude PGP always has shown to a closed, trust-me-because-you-always-have model that is going to lead to an assumption that "official" PGP builds can't be trusted any more.

    If I was NAI, I would take this as a pretty devastating blow - although PKZ is only saying "I can't guarantee future versions won't be backdoored" it *will* be read as "I left because future versions WILL be backdoored" and may well cost NAI major market share. Certainly, an OpenPGP "approved and checked by PKZ" labelled product will have a higher confidence-factor than something PKZ openly turned his back on....
    --
    -=DaveHowe=-
  11. Re:Can he do that? by DaveHowe · · Score: 3

    It is more likely that, given the PKZ "name" was a major part of the resources of the official PGP product, his contract said he couldn't take the money and run - he must publicly stay with NAI for a number of years (three seems like a likely number)
    --
    -=DaveHowe=-
  12. Can't trust the guy... by Karpe · · Score: 3

    ...since we all know he is a criminal. I don't trust a guy who illegally exported ammo from the USA, no matter that now he was considered innocent.

    ;)

  13. Heh! by Greyfox · · Score: 3
    I've already been using GPG for ages and ages.

    I wish it had more of an API for incorporating it into other software though (Maybe it does and I just missed it...)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?