Slashdot Mirror

← Back to Stories (view on slashdot.org)

PGP vs GnuPG in Big Business?

Posted by Cliff on from the getting-that-foot-in-the-door dept.

CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there, also. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?

14 of 51 comments (clear)

  1. The problems with PGP by danpat · · Score: 4, Informative

    I've recently had to look at the same issue where I work. Management wanted to start sending financial information to each other via email, but didn't want to send it unencrypted (they at least have that many smarts). For management/admin, we're a mostly w2k shop, which means they all use outlook/IE. I found that the easiest way to implement encryption was to use the built in X.509 certificate stuff.

    Personally, I prefer mutt with GnuPG, but PGP style encryption isn't the only alternative.

  2. Support! by Anonymous Coward · · Score: 3, Interesting
    [posting anonymously to protect the utterly paranoid (that would be me)]

    We're using PGP to send data over email instead of sending that data with a courier on disk.

    The main reason for using pgp was that at the time S/mime was not as standardized as it is now. We're a bank so we don't want to hassle with the software of our clients.

    Now with the NAI contract we do not only get a "personalized install" but we also get support. We don't have to setup support for pgp ourselves but direct the question to NAI.

    This saves us from doing techsupport (we're a bank not a software house), and we can concentrate on making sure the emails get send and arive. with GPG you need to do the support yourself. This costs money. It might be that NAI can do it cheaper than yourself.

    Note, that their server side software is very expensive as well. That part could be replaced with GPG as the two are compatible!

  3. A number of reasons... by Kirruth · · Score: 4, Informative

    There are several reasons to think about switching.

    The first is trust: while people often talk about access to source code being essential for security (and then nobody looks at the code), with popular encryption software everyone looks at the source code. You can trust open source encryption software more than closed source. Nevertheless, there is no evidence to suggest that NAI's commercial PGP has a deliberate back door (whatever people might have heard or believe).

    Another reason is licensing: the NAI PGP license is quite prescriptive, in terms of what it permits you to do with the product (or say about it). In big companies, you may have people travelling to countries controlled by nasty regimes. You don't want them to have to uninstall their encryption software before they go to a country because the license says so (being arrested at the airport is a different matter...). GPG is covered by the German export regime, which is much more friendly than that of the US.

    A third is commercial: NAI have have scaled back development effort on PGP software, and may well sell PGP desktop. You could certainly end up paying for software which is not effectively supported.

    All of this is a shame, because PGP had every chance of flourishing under NAI, and it was shaping up to be a really good little product. Even as it is, it has definitely raised the bar for the usability of encryption software. Technically, I still think its pretty good (even with the above issues) but commercially, its position is questionable.

    When you are buying security software, you have to both trust the software and trust the people who make the software.

    --
    "Well, put a stake in my heart and drag me into sunlight."
    1. Re:A number of reasons... by larien · · Score: 3, Interesting
      The US export regime is, as you say, very limiting. I work at a large company and we had to go to a US export control presentation, even though we're based in the UK. Reason being, anything which begins its life in the US is subject to US export restrictions. For example, if I took a Windows laptop I purchased in the UK to e.g. Iraq, I'd be in trouble because Windows originated in the US. Yup, it's really that bad.

      Luckily, there are only a few countries in the black list (and fewer in the last 6 months; India and Pakistan were bribed for their support against Afghanistan by removal from the list, and Afghanistan is now largely off the list too). Unfortunately, we do have bases in some of those countries, mainly in the Middle East (which should be a good hint as to what type of company it is...).

      Back on topic; even if you're not based in the US, PGP may become a liability if you do business in a restricted country.

    2. Re:A number of reasons... by ksheff · · Score: 3, Interesting

      The company that I worked for considered using GPG for a project. I had pushed for it but it was met with a lot of resistance until it was discovered that another group in the company was using it (typical programmers don't know anything, will listen only to another PHB attitude). Unfortunately, the other organization that we would be sending the data to refused to accept it if it was anything other than the commercial PGP.

      So you may win over people inside your company, but if the recipients are stuck in the 'proprietary software only' mindset you may have to keep PGP around for them. There are companies that have explicit IT dept guidelines banning open source, freeware, and shareware -- even if it's bundled with a commercial product. PeopleSoft claimed it had to ship an alternative commercial *nix web server with it's software for those companies where Apache would be against the set in stone policies.

      --
      the good ground has been paved over by suicidal maniacs
  4. If it's good enough for the German Govt.... by steve.m · · Score: 5, Interesting

    then its good enough for you.

    See the press release.
    There's even a section titled 'Why not use PGP?'

  5. PGP has an uncertain future... by disappear · · Score: 3, Informative

    ... because NAI is putting it up for sale, according to this Register article. Of course, this hasn't actually happened yet, but the fact that they didn't deny it means that the commercial product is probably dead.

  6. No outlook plugin by gruntvald · · Score: 3, Funny

    As there's no outlook plugin (just one for express), you'll have to convert your users to emacs for mail, but other than that, the cost savings will be huge. Of course, there's no unattended deployment tools either, so you'll have to visit each desktop, but again, the cost savings will be huge. Folks, this is sarcasm, sometimes a development project needs to tackle the unsavory aspects of windows to make sense.

  7. Re:Point is, you DO get what you pay for. by Deagol · · Score: 4, Interesting
    The point is, you DO get what you pay for. If you think GnuPG is better than Phil Zimmermans PGP by all means go with it, but why not just do what most corporations do and pay for software that comes with a support contract?

    Rubbish! Following the herd mentality of corporate america may be smart in the political aspects of business (so is knowing how to golf, but that's just as lame...), but not necessarily in the technical aspects.

    Yes, you get what you pay for -- an unreasonable EULA and company that tells you "you're s.o.l." if anything should go wrong enough to cause your business damage, all for the yearly support cost of what could likely pay for a competent admin to deal with the software in-house. At least with GPL'd software, there's no pretense of accountability.

    As for the techical comparison to PGP, I don't have the ability to evaluate code myself, so I must rely on those who care about security and have the ability to digest source code. To this end, if GPG support is good enough for users of Mixmaster anonymous remailers (these are some truly smart and paranoid folk) and for the OpenBSD maintaners, I'd have to say its okay for my needs.

    And I'm pretty certain that GPG supports more algorithms than PGP, and you can be 100% certain that the out-of-the-box algorithms in GPG are not hindered by patents or license restrictions.

    Just read this for how much responsibility software companies have to their paying customers.

    --
    Method of processing duck feet
  8. Write this one down by autocracy · · Score: 4, Informative

    Because it's not likely I'll say it again anytime soon. Go with PGP for your corporation. Server side GPG may be better, and it makes more sense to run an open-code key server - but for the desktop you'll want PGP. This is because it's interface is that much easier and you don't have time to train people for this. You TCO will be less with NAI here. Also, PGP has support for split keys. For a corporation, this can be VERY important. Open Source stuff is usually that much better - but not this time. When it gets an interface as clean as NAI's for Windows and carries support for some of the extras, then it'll be worth it. Of course, I opt for the CKT build :)

    --
    SIG: HUP
    1. Re:Write this one down by autocracy · · Score: 3, Informative

      If you have no clue what a split key is or what its signicance is, then please don't judge its importance. Split keys are not a hacked on feature, but rather a method of splitting a key in a way that multiple people are required in order to decrypt / sign. Not in the X.509 standard. And in a corporate environment, PGP has a smaller learning curve.

      --
      SIG: HUP
  9. Actually, they're right by fm6 · · Score: 3, Insightful
    You do get what you pay for. But if "what you pay for" is somebody to call when things get broken, open-source versus proprietary is neither here nor there. What's important is whether the people you call are worth the money you're paying them. The people who wrote the software aren't always the best at supporting it. That was true even when Open Source wasn't an option.

    And if you insist on paying somebody money for proprietary security software, you're paying them to keep private information that you need to have public. I'm not an open-source true believer, but you can't get around the fact that the security of open-source products is objectively verifiable. With a proprietary product, you have to take the word of the vendor that it's secure. That's bad in and of itself -- and bad again when you recall that the vendor has every incentive to conceal his product's flaws.

  10. Re:Point is, you DO get what you pay for. by Deagol · · Score: 3, Interesting
    If there are any cases that seen an actual judgement (not settlement) in favor of a plaintiff against a software company for damages done by faulty software, please enlighten me with references.

    I would love to see them -- sincerely.

    --
    Method of processing duck feet
  11. Rethink your position. by rjh · · Score: 4, Informative

    For the time being, GnuPG has one enormous shortcoming in the corporate world. Namely, it's possible for individual users to send traffic that the corporation itself can't eavesdrop on. This may sound like a nonissue, or even an offensive one, but the fact is that if you're sending communications on the company dime, using company equipment, the company does have a right to make sure you're not sending corporate secrets to the competition.

    The parameters of how they may exercise this right are matters of considerable debate. E.g., must the company give notice that communications are being monitored? Must the company stop monitoring if it's an email or a phone call to your spouse? Etc. There's a lot of room for debate on that issue, but the basic fact remains that corporations need some way to make sure their secrets aren't being sent out to their big competitors.

    In the crypto world, there are two major ways of doing this. One is key escrow (a technology which appears to have finally died the ignominious death it deserved). The other is the Additional Decryption Key (ADK). The difference between the two of them is that the ADK is a request to encrypt to an additional (corporate-controlled) key, and escrow requires the private key be held by some "trusted party", just in case.

    Escrow technology is a big can of worms, and ADKs are smaller cans of worms. They're unsuitable for private users because they wind up being security risks. And, in fact, PGP's most critical vulnerability since the 2.6.x days came from an ADK bug.

    However, corporations view the risks of not having ADKs to be much greater than the risks of having ADKs.

    Corporations demand either escrow or ADK. GnuPG supports neither, and Werner Koch has said that GnuPG will never support them. He has his reasons for saying that, and his reasoning is pretty sound. But, then again, so is the corporate logic for insisting on escrow/ADKs.

    Moreover, GnuPG doesn't have any pretty GUIs. WinPT is making a good attempt for Win32, and GNU has their own (apparently stalled) GTK+ front-end, but neither one is anywhere near done. In any business setting, 95% of the people will be stark raving terrified of the prospect of using a command-line app. For this 95%, PGP is the only option. There simply isn't anything else.

    This is sort of a shame, given that NAI's reputation for being an attentive, responsive vendor is ... well, pretty pathetic. But for time being, NAI--and PGP--is the only game in town on the corporate front.

    For me, personally, I use GnuPG and love it. I wholeheartedly recommend people use it. But I simply can't see it taking off in the enterprise for the reasons listed above.