Slashdot Mirror
PGP vs GnuPG in Big Business?
CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there, also. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?
"I work for a Fortune 50 company"
;)
---- SNIP ----
That's a new one to me
Why not just use Open PGP
http://www.pgpi.org/
I've recently had to look at the same issue where I work. Management wanted to start sending financial information to each other via email, but didn't want to send it unencrypted (they at least have that many smarts). For management/admin, we're a mostly w2k shop, which means they all use outlook/IE. I found that the easiest way to implement encryption was to use the built in X.509 certificate stuff.
Personally, I prefer mutt with GnuPG, but PGP style encryption isn't the only alternative.
We're using PGP to send data over email instead of sending that data with a courier on disk.
The main reason for using pgp was that at the time S/mime was not as standardized as it is now. We're a bank so we don't want to hassle with the software of our clients.
Now with the NAI contract we do not only get a "personalized install" but we also get support. We don't have to setup support for pgp ourselves but direct the question to NAI.
This saves us from doing techsupport (we're a bank not a software house), and we can concentrate on making sure the emails get send and arive. with GPG you need to do the support yourself. This costs money. It might be that NAI can do it cheaper than yourself.
Note, that their server side software is very expensive as well. That part could be replaced with GPG as the two are compatible!
There are several reasons to think about switching.
The first is trust: while people often talk about access to source code being essential for security (and then nobody looks at the code), with popular encryption software everyone looks at the source code. You can trust open source encryption software more than closed source. Nevertheless, there is no evidence to suggest that NAI's commercial PGP has a deliberate back door (whatever people might have heard or believe).
Another reason is licensing: the NAI PGP license is quite prescriptive, in terms of what it permits you to do with the product (or say about it). In big companies, you may have people travelling to countries controlled by nasty regimes. You don't want them to have to uninstall their encryption software before they go to a country because the license says so (being arrested at the airport is a different matter...). GPG is covered by the German export regime, which is much more friendly than that of the US.
A third is commercial: NAI have have scaled back development effort on PGP software, and may well sell PGP desktop. You could certainly end up paying for software which is not effectively supported.
All of this is a shame, because PGP had every chance of flourishing under NAI, and it was shaping up to be a really good little product. Even as it is, it has definitely raised the bar for the usability of encryption software. Technically, I still think its pretty good (even with the above issues) but commercially, its position is questionable.
When you are buying security software, you have to both trust the software and trust the people who make the software.
"Well, put a stake in my heart and drag me into sunlight."
then its good enough for you.
See the press release.
There's even a section titled 'Why not use PGP?'
... because NAI is putting it up for sale, according to this Register article. Of course, this hasn't actually happened yet, but the fact that they didn't deny it means that the commercial product is probably dead.
Herbivore has an advantage over PGP-like systems isn that it is intended to be effort-free in normal use.
I mean is GnuPG actually technically better than PGP ? Also, in these post 9/11 days you might want to consider what using encryption says about your organization. Do you have something to hide ?
As there's no outlook plugin (just one for express), you'll have to convert your users to emacs for mail, but other than that, the cost savings will be huge. Of course, there's no unattended deployment tools either, so you'll have to visit each desktop, but again, the cost savings will be huge. Folks, this is sarcasm, sometimes a development project needs to tackle the unsavory aspects of windows to make sense.
Because it's not likely I'll say it again anytime soon. Go with PGP for your corporation. Server side GPG may be better, and it makes more sense to run an open-code key server - but for the desktop you'll want PGP. This is because it's interface is that much easier and you don't have time to train people for this. You TCO will be less with NAI here. Also, PGP has support for split keys. For a corporation, this can be VERY important. Open Source stuff is usually that much better - but not this time. When it gets an interface as clean as NAI's for Windows and carries support for some of the extras, then it'll be worth it. Of course, I opt for the CKT build :)
SIG: HUP
And if you insist on paying somebody money for proprietary security software, you're paying them to keep private information that you need to have public. I'm not an open-source true believer, but you can't get around the fact that the security of open-source products is objectively verifiable. With a proprietary product, you have to take the word of the vendor that it's secure. That's bad in and of itself -- and bad again when you recall that the vendor has every incentive to conceal his product's flaws.
Fortune 500, eh? Why not have a friend start a company selling support for GnuPGP, start another company yourself with shares in the first, then get the place you work for to buy a contract from them (you)? That's how it's supposed to work, no?
But the Fresh Prince might know.
"You know you don't act like a scientist, you're more like a game show host." Dana Barret
I didn't try gpg because I don't want to
learn Just Another Command-Line Interface(TM),
but what I can say on PGP:
Do not use any versions other than
* pgp-2.6.3-ia
* pgp-2.6.3-in
The latter is a modificated version of
pgp-2.6.3-i made by the German IN-CA
(Certification Authority) and supports more.
Both use IDEA/RSA though, so be sure to get
an IDEA license additionally (they are available
from Ascom Tech, CH - check pgpdoc2.txt).
The source and RSA are freely available nowadays,
you can also use the NON-US version.
My Karma isn't excellent, damn it! (And
For the time being, GnuPG has one enormous shortcoming in the corporate world. Namely, it's possible for individual users to send traffic that the corporation itself can't eavesdrop on. This may sound like a nonissue, or even an offensive one, but the fact is that if you're sending communications on the company dime, using company equipment, the company does have a right to make sure you're not sending corporate secrets to the competition.
... well, pretty pathetic. But for time being, NAI--and PGP--is the only game in town on the corporate front.
The parameters of how they may exercise this right are matters of considerable debate. E.g., must the company give notice that communications are being monitored? Must the company stop monitoring if it's an email or a phone call to your spouse? Etc. There's a lot of room for debate on that issue, but the basic fact remains that corporations need some way to make sure their secrets aren't being sent out to their big competitors.
In the crypto world, there are two major ways of doing this. One is key escrow (a technology which appears to have finally died the ignominious death it deserved). The other is the Additional Decryption Key (ADK). The difference between the two of them is that the ADK is a request to encrypt to an additional (corporate-controlled) key, and escrow requires the private key be held by some "trusted party", just in case.
Escrow technology is a big can of worms, and ADKs are smaller cans of worms. They're unsuitable for private users because they wind up being security risks. And, in fact, PGP's most critical vulnerability since the 2.6.x days came from an ADK bug.
However, corporations view the risks of not having ADKs to be much greater than the risks of having ADKs.
Corporations demand either escrow or ADK. GnuPG supports neither, and Werner Koch has said that GnuPG will never support them. He has his reasons for saying that, and his reasoning is pretty sound. But, then again, so is the corporate logic for insisting on escrow/ADKs.
Moreover, GnuPG doesn't have any pretty GUIs. WinPT is making a good attempt for Win32, and GNU has their own (apparently stalled) GTK+ front-end, but neither one is anywhere near done. In any business setting, 95% of the people will be stark raving terrified of the prospect of using a command-line app. For this 95%, PGP is the only option. There simply isn't anything else.
This is sort of a shame, given that NAI's reputation for being an attentive, responsive vendor is
For me, personally, I use GnuPG and love it. I wholeheartedly recommend people use it. But I simply can't see it taking off in the enterprise for the reasons listed above.
Thanks for the heads up, hope it gets added to the gpg page of links.
Just thought you /.ers might want an update on my progress. I've written a document selling the idea. My boss likes it and now it goes up a level. If she likes the idea, GnuPG is in.
We are only looking at GnuPG for server-based command-line file encryption. We already use NAI's PGP for desktop/e-mail encryption. The premium they want for basicly the same product on a server is, IMO, ridiculous.
Problem solved.
Remember with PZ quit NAI because of the source code issues. He is fully on the GnuPG/OpenPG solution over NFI's PGP.
assert(expired(knowledge));
http://seahorse.sourceforge.net/
"Seahorse is a GNOME front-end for GnuGP. It can be used for sign, encript, verify and decrypt text and files. The text can be taken from the clipboard, or written directly in the little editor it has. Seahorse is also a keymanager, which can be used to edit almost all the properties of the keys stored in your keyrings.
Seahorse currently consists of two projects. Along with Seahorse itself, a bonobo component called Seahorse-bonobo is being developed. This bonobo component will serve as a backend to Seahorse, as the most gnupg common functions are being implemented in it.
All the dialogs and windows had been developed using Glade, and they are loaded in runtime execution using libglade.
Both Seahorse and Seahorse-bonobo are released under the terms of the General Public License (GPL)." [from the website]
It's really nice. Has a whole keymanager, simplifies creating keys and (de)(en)crypting messages. Easy to use.
I tried to roll it out, but with real bad success. I'm a relative basic PGP/GPG user, so take this for what it's worth.
I created a basic, plain-jane key, exported the public key, and sent it out to several installations using PGP. Unanimously, they couldn't get it to work. 4 different sites, each with a similar problem. On their side, the program would choke on adding the key. I tried creating side keys, sub keys, etc, etc. On some I think it was due to the real PGP not dealing with El Gamal correctly, on others the key size was probably screwy, but overall it didn't work.
I had been really looking forward to using GPG for this, but not in this case.
That being said- try it out. You may very well have better luck than I. I hope so.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
RSA's Keon can do everything PGP can do, but is backed by a company which believes in its product and supports it. It is also completely compliant with s/mime, as an added benefit, something even PGP can't do. (For bean counters, s/mime support is free in Notes, Outlook/Exchange and Netscape Communicator.) Also supports smartcards.
Only down I know about this alternative is lack of *nix support at this time. RSA: Listen UP and support *nix with this excellent product!