Slashdot Mirror


PGP vs GnuPG in Big Business?

CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?

7 of 51 comments

  1. Support! by Anonymous Coward · Score: 3, Interesting
    [posting anonymously to protect the utterly paranoid (that would be me)]

    We're using PGP to send data over email instead of sending that data with a courier on disk.

    The main reason for using PGP was that at the time S/MIME was not as standardized as it is now. We're a bank so we don't want to hassle with the software of our clients.

    Now with the NAI contract we not only get a "personalized install" but we also get support. We don't have to set up support for PGP ourselves but direct the questions to NAI.

    This saves us from doing tech support (we're a bank, not a software house), and we can concentrate on making sure the emails get sent and arrive. With GPG you need to do the support yourself. This costs money. It might be that NAI can do it cheaper than you can yourself.

    Note, that their server side software is very expensive as well. That part could be replaced with GPG as the two are compatible!

  2. If it's good enough for the German Govt.... by steve.m · Score: 5, Interesting

    then it's good enough for you.

    See the press release.
    There's even a section titled 'Why not use PGP?'

  3. Re:A number of reasons... by larien · Score: 3, Interesting
    The US export regime is, as you say, very limiting. I work at a large company and we had to go to a US export control presentation, even though we're based in the UK. Reason being, anything which begins its life in the US is subject to US export restrictions. For example, if I took a Windows laptop I purchased in the UK to e.g. Iraq, I'd be in trouble because Windows originated in the US. Yup, it's really that bad.

    Luckily, there are only a few countries in the black list (and fewer in the last 6 months; India and Pakistan were bribed for their support against Afghanistan by removal from the list, and Afghanistan is now largely off the list too). Unfortunately, we do have bases in some of those countries, mainly in the Middle East (which should be a good hint as to what type of company it is...).

    Back on topic; even if you're not based in the US, PGP may become a liability if you do business in a restricted country.

  4. Re:Point is, you DO get what you pay for. by Deagol · Score: 4, Interesting
    The point is, you DO get what you pay for. If you think GnuPG is better than Phil Zimmermann's PGP by all means go with it, but why not just do what most corporations do and pay for software that comes with a support contract?

    Rubbish! Following the herd mentality of corporate America may be smart in the political aspects of business (so is knowing how to golf, but that's just as lame...), but not necessarily in the technical aspects.

    Yes, you get what you pay for -- an unreasonable EULA and a company that tells you "you're s.o.l." if anything should go wrong enough to cause your business damage, all for a yearly support cost that could likely pay for a competent admin to deal with the software in-house. At least with GPL'd software, there's no pretense of accountability.

    As for the technical comparison to PGP, I don't have the ability to evaluate code myself, so I must rely on those who care about security and have the ability to digest source code. To this end, if GPG support is good enough for users of Mixmaster anonymous remailers (these are some truly smart and paranoid folk) and for the OpenBSD maintainers, I'd have to say it's okay for my needs.

    And I'm pretty certain that GPG supports more algorithms than PGP, and you can be 100% certain that the out-of-the-box algorithms in GPG are not hindered by patents or license restrictions.

    Just read this for how much responsibility software companies have to their paying customers.
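The first comment notes that GnuPG and the NAI server-side software interoperate, and the comment above argues that GnuPG's out-of-the-box algorithms are not patent-encumbered. Both claims come down to the OpenPGP wire format: the two products exchange the same packets, and the algorithm IDs carried in those packets tell you what the other side is using. The following is an added example written for this page, not code from any poster, from GnuPG or from NAI. It walks an OpenPGP binary stream (RFC 4880 framing, which PGP and GnuPG share), parses both the old-style and new-style packet headers, and reports the public-key algorithm of v4 key packets and the symmetric algorithm of session-key packets. The sample stream is constructed inline with a toy 12-bit RSA modulus (not a real key); the `PATENT_ENCUMBERED_SYM` set is an assumption reflecting the situation when this thread was written (IDEA, which GnuPG did not ship by default; the RSA patent had already expired in September 2000) and should be updated for today.

```python
"""
Minimal OpenPGP (RFC 4880) packet walker used to audit which algorithms a
PGP- or GnuPG-produced stream actually uses.  Added example; the sample
bytes below are constructed for illustration and are not real key material.
"""
import struct

# Public-key algorithm IDs, RFC 4880 section 9.1
PUBKEY_ALGOS = {
    1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only", 3: "RSA Sign-Only",
    16: "Elgamal (Encrypt-Only)", 17: "DSA",
}
# Symmetric-key algorithm IDs, RFC 4880 section 9.2
SYMKEY_ALGOS = {
    1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
    7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish",
}
# Assumption: algorithms GnuPG omitted from its default build for patent
# reasons at the time of this thread.  Update this set for your own policy.
PATENT_ENCUMBERED_SYM = {1}  # IDEA


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag byte must be set")
        i += 1
        if ctb & 0x40:
            # New-format header: tag in the low 6 bits, variable-length length.
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:
            # Old-format header: tag in bits 2-5, length type in bits 0-1.
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            nbytes = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def read_mpi(body: bytes, off: int):
    """Read one multi-precision integer (2-byte bit count, then big-endian bytes)."""
    bits = struct.unpack(">H", body[off:off + 2])[0]
    n = (bits + 7) // 8
    return int.from_bytes(body[off + 2:off + 2 + n], "big"), off + 2 + n


def parse_public_key(body: bytes):
    """Decode a v4 Public-Key / Public-Subkey packet body (RFC 4880 5.5.2)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    mpis, off = [], 6
    while off < len(body):
        value, off = read_mpi(body, off)
        mpis.append(value)
    return {"created": created, "algo": algo,
            "algo_name": PUBKEY_ALGOS.get(algo, f"unknown/{algo}"), "mpis": mpis}


def audit(data: bytes):
    """Return one finding per packet: what it is, which algorithm, any patent flag."""
    findings = []
    for tag, body in parse_packets(data):
        if tag in (6, 14):
            key = parse_public_key(body)
            findings.append({"tag": tag,
                             "kind": "public key" if tag == 6 else "public subkey",
                             "algo": key["algo_name"],
                             "bits": key["mpis"][0].bit_length(),
                             "patent_issue": False})
        elif tag == 3:  # Symmetric-Key Encrypted Session Key packet
            sym = body[1]
            findings.append({"tag": 3, "kind": "symmetric session key",
                             "algo": SYMKEY_ALGOS.get(sym, f"unknown/{sym}"),
                             "patent_issue": sym in PATENT_ENCUMBERED_SYM})
        else:
            findings.append({"tag": tag, "kind": "other", "algo": None,
                             "patent_issue": False})
    return findings


# --- constructed sample stream (toy values, not a real key) -----------------
def mpi(v: int) -> bytes:
    bits = v.bit_length()
    return struct.pack(">H", bits) + v.to_bytes((bits + 7) // 8, "big")

def old_header(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def new_header(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body

KEY_BODY = b"\x04" + struct.pack(">I", 1030000000) + b"\x01" + mpi(3233) + mpi(17)
SAMPLE = old_header(6, KEY_BODY) + new_header(3, b"\x04\x01\x00\x02")  # IDEA, simple S2K

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Running the script prints one line per packet; the v4 RSA key packet (old-format 0x99 header, as PGP 2.x-era and GnuPG keyrings still emit) decodes cleanly, while the session-key packet is flagged because it names IDEA. The same walk over a real exported keyring or an encrypted message is how you would confirm, before signing a support contract, that nothing the remote PGP side produces requires an algorithm your GnuPG build lacks.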

  5. Re:A number of reasons... by ksheff · Score: 3, Interesting

    The company that I worked for considered using GPG for a project. I had pushed for it but it was met with a lot of resistance until it was discovered that another group in the company was using it (typical programmers don't know anything, will listen only to another PHB attitude). Unfortunately, the other organization that we would be sending the data to refused to accept it if it was anything other than the commercial PGP.

    So you may win over people inside your company, but if the recipients are stuck in the 'proprietary software only' mindset you may have to keep PGP around for them. There are companies that have explicit IT dept guidelines banning open source, freeware, and shareware -- even if it's bundled with a commercial product. PeopleSoft claimed it had to ship an alternative commercial *nix web server with its software for those companies where Apache would be against the set-in-stone policies.

    --
    the good ground has been paved over by suicidal maniacs
  6. Re:Write this one down by Anonymous Coward · Score: 2, Interesting

    but for the desktop you'll want PGP. This is because its interface is that much easier and you don't have time to train people for this

    If desktop integration is a big deal, you don't want PGP either -- you want to use the built-in S/MIME/X.509 capabilities in Outlook (and Netscape and Notes). PGP/GPG is a 3rd party hack and S/MIME isn't.

    Also, PGP has support for split keys.

    I'm not sure what this is, but it sounds like some sort of PKI feature hacked on top of a distributed system that wasn't designed to support it. Again, save yourself the trouble and just do X.509.

  7. Re:Point is, you DO get what you pay for. by Deagol · Score: 3, Interesting
    If there are any cases that have seen an actual judgement (not settlement) in favor of a plaintiff against a software company for damages done by faulty software, please enlighten me with references.

    I would love to see them -- sincerely.