Slashdot Mirror


PGP vs GnuPG in Big Business?

CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there, also. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?

6 of 51 comments

  1. The problems with PGP by danpat · · Score: 4, Informative

    I've recently had to look at the same issue where I work. Management wanted to start sending financial information to each other via email, but didn't want to send it unencrypted (they at least have that many smarts). For management/admin, we're a mostly w2k shop, which means they all use outlook/IE. I found that the easiest way to implement encryption was to use the built in X.509 certificate stuff.

    Personally, I prefer mutt with GnuPG, but PGP style encryption isn't the only alternative.

  2. A number of reasons... by Kirruth · · Score: 4, Informative

    There are several reasons to think about switching.

    The first is trust: while people often talk about access to source code being essential for security (and then nobody looks at the code), with popular encryption software everyone looks at the source code. You can trust open source encryption software more than closed source. Nevertheless, there is no evidence to suggest that NAI's commercial PGP has a deliberate back door (whatever people might have heard or believe).

    Another reason is licensing: the NAI PGP license is quite prescriptive, in terms of what it permits you to do with the product (or say about it). In big companies, you may have people travelling to countries controlled by nasty regimes. You don't want them to have to uninstall their encryption software before they go to a country because the license says so (being arrested at the airport is a different matter...). GPG is covered by the German export regime, which is much more friendly than that of the US.

    A third is commercial: NAI have scaled back development effort on PGP software, and may well sell PGP desktop. You could certainly end up paying for software which is not effectively supported.

    All of this is a shame, because PGP had every chance of flourishing under NAI, and it was shaping up to be a really good little product. Even as it is, it has definitely raised the bar for the usability of encryption software. Technically, I still think it's pretty good (even with the above issues) but commercially, its position is questionable.

    When you are buying security software, you have to both trust the software and trust the people who make the software.

    --
    "Well, put a stake in my heart and drag me into sunlight."

  3. If it's good enough for the German Govt.... by steve.m · · Score: 5, Interesting

    then it's good enough for you.

    See the press release.
    There's even a section titled 'Why not use PGP?'

  4. Re:Point is, you DO get what you pay for. by Deagol · · Score: 4, Interesting

    The point is, you DO get what you pay for. If you think GnuPG is better than Phil Zimmermann's PGP by all means go with it, but why not just do what most corporations do and pay for software that comes with a support contract?

    Rubbish! Following the herd mentality of corporate America may be smart in the political aspects of business (so is knowing how to golf, but that's just as lame...), but not necessarily in the technical aspects.

    Yes, you get what you pay for -- an unreasonable EULA and company that tells you "you're s.o.l." if anything should go wrong enough to cause your business damage, all for the yearly support cost of what could likely pay for a competent admin to deal with the software in-house. At least with GPL'd software, there's no pretense of accountability.

    As for the technical comparison to PGP, I don't have the ability to evaluate code myself, so I must rely on those who care about security and have the ability to digest source code. To this end, if GPG support is good enough for users of Mixmaster anonymous remailers (these are some truly smart and paranoid folk) and for the OpenBSD maintainers, I'd have to say it's okay for my needs.

    And I'm pretty certain that GPG supports more algorithms than PGP, and you can be 100% certain that the out-of-the-box algorithms in GPG are not hindered by patents or license restrictions.

    Just read this for how much responsibility software companies have to their paying customers.

  5. Write this one down by autocracy · · Score: 4, Informative

    Because it's not likely I'll say it again anytime soon. Go with PGP for your corporation. Server side GPG may be better, and it makes more sense to run an open-code key server - but for the desktop you'll want PGP. This is because its interface is that much easier and you don't have time to train people for this. Your TCO will be less with NAI here. Also, PGP has support for split keys. For a corporation, this can be VERY important. Open Source stuff is usually that much better - but not this time. When it gets an interface as clean as NAI's for Windows and carries support for some of the extras, then it'll be worth it. Of course, I opt for the CKT build :)

    --
    SIG: HUP

  6. Rethink your position. by rjh · · Score: 4, Informative

    For the time being, GnuPG has one enormous shortcoming in the corporate world. Namely, it's possible for individual users to send traffic that the corporation itself can't eavesdrop on. This may sound like a nonissue, or even an offensive one, but the fact is that if you're sending communications on the company dime, using company equipment, the company does have a right to make sure you're not sending corporate secrets to the competition.

    The parameters of how they may exercise this right are matters of considerable debate. E.g., must the company give notice that communications are being monitored? Must the company stop monitoring if it's an email or a phone call to your spouse? Etc. There's a lot of room for debate on that issue, but the basic fact remains that corporations need some way to make sure their secrets aren't being sent out to their big competitors.

    In the crypto world, there are two major ways of doing this. One is key escrow (a technology which appears to have finally died the ignominious death it deserved). The other is the Additional Decryption Key (ADK). The difference between the two of them is that the ADK is a request to encrypt to an additional (corporate-controlled) key, and escrow requires the private key be held by some "trusted party", just in case.

    Escrow technology is a big can of worms, and ADKs are smaller cans of worms. They're unsuitable for private users because they wind up being security risks. And, in fact, PGP's most critical vulnerability since the 2.6.x days came from an ADK bug.

    However, corporations view the risks of not having ADKs to be much greater than the risks of having ADKs.

    Corporations demand either escrow or ADK. GnuPG supports neither, and Werner Koch has said that GnuPG will never support them. He has his reasons for saying that, and his reasoning is pretty sound. But, then again, so is the corporate logic for insisting on escrow/ADKs.

    Moreover, GnuPG doesn't have any pretty GUIs. WinPT is making a good attempt for Win32, and GNU has their own (apparently stalled) GTK+ front-end, but neither one is anywhere near done. In any business setting, 95% of the people will be stark raving terrified of the prospect of using a command-line app. For this 95%, PGP is the only option. There simply isn't anything else.

    This is sort of a shame, given that NAI's reputation for being an attentive, responsive vendor is ... well, pretty pathetic. But for the time being, NAI--and PGP--is the only game in town on the corporate front.

    For me, personally, I use GnuPG and love it. I wholeheartedly recommend people use it. But I simply can't see it taking off in the enterprise for the reasons listed above.
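rjh's comment above turns on one mechanical point: an ADK is simply a request that every message also be encrypted to an extra, corporate-controlled key, so the corporation can decrypt without ever holding the user's private key. Whatever client produces the message, the thing a corporate mail gateway can actually verify is whether the outbound OpenPGP message carries a Public-Key Encrypted Session Key packet for the policy key. The following is an added example written for this page, not code from the thread or from GnuPG or NAI: it parses the RFC 4880 packet framing at the front of an OpenPGP message, lists the recipient key IDs, and checks for a hypothetical policy key ID. The sample messages are constructed inline with dummy MPIs so the parser can be exercised offline; real messages are produced by the client (GnuPG, for instance, adds a recipient for every `encrypt-to` line in gpg.conf).

```python
"""Recipient-policy check on an OpenPGP message (RFC 4880 packet framing).

Added example, not from the Slashdot thread: walks the packets at the front of
an OpenPGP message, collects the key IDs named by each Public-Key Encrypted
Session Key (PKESK, tag 1) packet, and reports whether a policy (ADK-style)
key is among them. POLICY_KEY below is a hypothetical corporate key ID.
"""
import struct

PKESK_TAG = 1
SEIPD_TAG = 18  # Symmetrically Encrypted Integrity Protected Data


def _read_packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet starting at buf[pos]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled in this example")
    # old-format header (RFC 4880 section 4.2.1): tag in bits 5-2, length type in bits 1-0
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packets are not handled in this example")


def recipient_key_ids(message):
    """Return the 8-byte key IDs (upper-case hex) named by every PKESK packet."""
    ids = []
    pos = 0
    while pos < len(message):
        tag, start, length = _read_packet_header(message, pos)
        body = message[start:start + length]
        if tag == PKESK_TAG:
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            # bytes 1..8 are the key ID; an all-zero ID means a hidden recipient
            ids.append(body[1:9].hex().upper())
        pos = start + length
    return ids


def encrypted_to_policy_key(message, policy_key_id):
    """True when the session key was also encrypted to the policy (ADK-style) key."""
    return policy_key_id.upper() in recipient_key_ids(message)


# ---- constructed sample data (not real ciphertext) -------------------------
def _pkesk_new_format(key_id):
    # v3 PKESK: version, key ID, algorithm 1 (RSA), one dummy 16-bit MPI
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xAB\xCD"
    return bytes([0xC1, len(body)]) + body  # 0xC1 = new-format header, tag 1


def _pkesk_old_format(key_id):
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xAB\xCD"
    return bytes([0x84, len(body)]) + body  # 0x84 = old-format header, tag 1, 1-byte length


USER_KEY = bytes.fromhex("0123456789ABCDEF")    # constructed user key ID
POLICY_KEY = bytes.fromhex("FEDCBA9876543210")  # hypothetical corporate policy key ID
SEIPD = bytes([0xD2, 5]) + b"\x01" + b"\xDE\xAD\xBE\xEF"  # tag 18, v1, dummy payload

COMPLIANT_MSG = _pkesk_new_format(USER_KEY) + _pkesk_new_format(POLICY_KEY) + SEIPD
OLD_FORMAT_MSG = _pkesk_old_format(USER_KEY) + _pkesk_old_format(POLICY_KEY) + SEIPD
NONCOMPLIANT_MSG = _pkesk_new_format(USER_KEY) + SEIPD

if __name__ == "__main__":
    for name, msg in (("compliant", COMPLIANT_MSG), ("old-format", OLD_FORMAT_MSG),
                      ("noncompliant", NONCOMPLIANT_MSG)):
        print(name, recipient_key_ids(msg),
              "policy key present:", encrypted_to_policy_key(msg, "FEDCBA9876543210"))
```

The check only reads packet headers and the unencrypted key-ID field of each PKESK packet, so the gateway never needs any private key to enforce the policy; messages that fail the check can be bounced or quarantined rather than decrypted. Note the caveat rjh's comment implies: a user who encrypts with a hidden (all-zero) recipient ID, or who simply omits the policy key, will fail this check, which is exactly the event the corporation wants to see.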