Slashdot Mirror


Zimmermann Suggests Freeing PGP Source

broody writes "NewsForge has an interesting article detailing Philip R. Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."

12 of 211 comments

  1. Free PGP? How about GnuPGP by (H)elix1 · · Score: 4, Insightful

    Why bother? It's gone, sold, IP traded for cash. He knew what he was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...

  2. Re:Free PGP? How about GnuPGP by Neon+Spiral+Injector · · Score: 4, Insightful

    No, they probably wouldn't. The IP belongs to NA, and I think he has probably seen the source code, so Gnu couldn't claim their code was a clean room implementation.

  3. Re:Why listen to him? by Cally · · Score: 5, Insightful

    > If this guy sold PGP five years ago, what authority
    > does he have now to suggest the change?

    "This guy" developed the PGP protocol, and its first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.

    So, only moral authority... which doesn't seem to be worth much on the free market, these days.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe

  4. Sad for Zimmermann but irrelevant by mikehunt · · Score: 3, Insightful

    When Zimmermann sold PGP, what did he expect? That people would start paying
    Network Associates money to use something that most people still don't
    see the need for?

    Forget it Phil. You killed PGP when you sold it. GPG is there to take over from
    PGP and make sure that those who understand the need for good encryption still
    have some reviewable source to trust.

  5. Re:Why listen to him? by Anonymous Coward · · Score: 3, Insightful

    Not only that, but he was involved in a legal quagmire for quite some time, thanks to the U.S. government classifying encryption as a munition. It is hard to blame the man for selling PGP when his legal expenditures probably placed him in quite a bit of debt.

    We should all be thankful that Phil was willing to stand up for something like this.

  6. Re:Dead Man's Switch by kalidasa · · Score: 5, Insightful

    > His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.

    They used to have that. It was called copyright. One got a fixed term of copyright, could renew it for a small fee after that term to extend it to 75 years (net, not additional), and then it would go public domain after the 75 years were up. Then someone thought of the Berne Convention, and someone else thought of the Bono Bill, and someone else thought of the DMCA . . .

  7. Re:Phil, Please Join Us! by MAXOMENOS · · Score: 4, Insightful

    Let me second this. (Yes, I'm seconding Bruce Perens. How's that for chutzpah?)

    Most of the Gnu Privacy Guard code base is in place, but we still need a ton of help with GUIs, APIs, Web-based encrypted email, etc. And there is no GnuPGFone as far as I know.

    I know PGP is your baby... I can appreciate that, and I know what it's like to lose control of your baby. I'm not going to pretend that GnuPG is the same thing. Nonetheless, GnuPG is working toward (mostly) the same goals, and that's something worth considering. They could also use your help, as you have years and years of hard-won experience in this field. Yeah, they're young punks, but they mean well and they do good.

    Just my two cents.

  8. Re:Why listen to him? by klykken · · Score: 2, Insightful

    Fact is, we need him with us more than ever. If not as GnuPG contributor, then as a speaker of technology/crypto and the freedom of the people. In both the U.S. and Europe, the 1984 ghost is materializing.

    --
    Looks like a fish, drives like a fish, steers like a cow.

  9. Mainstream email encryption by jessohyes · · Score: 2, Insightful

    I don't believe email encryption will become mainstream unless these things happen.

    1) Major email client providers agree on a standard
    2) The ability to encrypt/decrypt is provided with the default install of their product.

  10. Re:PGP owns... by _Sprocket_ · · Score: 3, Insightful

    > Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.

    I've found a whole series of GnuPG interfaces and email plugins for windows (WinPT being my favorite so far). I don't know if the developers are "Linux developers" or not - but I fail to see how that matters.

    > If people expect Phil to come over to the GnuPG camp then you have to be ready to develop as much time to the Windows product as *nix.

    Nobody is stopping any developers from running with GnuPG development on their favorite platform. In fact, as already pointed out, Windows development is definitely picking up (probably due to NAI's dropping PGP - way to create an itch / need). And the GnuPG developers are definitely thinking ahead with libraries such as their GPGME API. No more shell front-ends like the old PGP GUI days. GPGME provides direct hooks into GnuPG (WinPT uses it).

    In short, the door is wide open.

  11. Re:Free PGP? How about GnuPGP by Zeinfeld · · Score: 5, Insightful

    > If he really wants to do something, GnuPGP would probably welcome him with open arms...

    Have you tried to work with Phil Z.? Oh... thought not.

    People who end up in the mess Phil did are not always the folk with the best social interfaces...

    The problem with PGP is that overall it is tending to hinder the use of crypto rather than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know it's there because they are being told that only crypto persecuted by the NSA should be used.

    PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.

    Rather than attempt to resurrect the PGP message formats it would be better to spend time building S/MIME key signing code.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/

  12. Re:One reason for PGP over GPL by Nicopa · · Score: 3, Insightful

    In fact, this is a good thing. Accessing the gpg process through pipes gives you the greatest security. If you link GPG with your favorite GUI program, any hole or fault in GTK+ or your program could compromise your keys.

    Other programs do the same (have a separate security dedicated process). Check ssh and its privilege separation, and postfix and its multitude of little processes.
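
The separation the last comment describes, as an added example (not part of the thread and not GnuPG code): a front end talks to a key-holding helper process over pipes, so the key never enters the front end's address space. HMAC-SHA256 stands in for gpg's private-key operations; `KeyHolder`, `HELPER_SRC` and the SIGN/VERIFY line protocol are hypothetical names chosen for illustration.

```python
import subprocess
import sys

# Hypothetical helper: runs as its own process; the key lives only in its memory.
HELPER_SRC = r'''
import hmac, hashlib, os, sys
key = os.urandom(32)  # generated here, never written to the pipe
for line in sys.stdin:
    parts = line.split()
    try:
        if len(parts) == 2 and parts[0] == "SIGN":
            reply = "OK " + hmac.new(key, bytes.fromhex(parts[1]), hashlib.sha256).hexdigest()
        elif len(parts) == 3 and parts[0] == "VERIFY":
            want = hmac.new(key, bytes.fromhex(parts[1]), hashlib.sha256).digest()
            ok = hmac.compare_digest(want, bytes.fromhex(parts[2]))
            reply = "OK 1" if ok else "OK 0"
        else:
            reply = "ERR unsupported"  # no command exports the key
    except ValueError:
        reply = "ERR malformed"
    print(reply, flush=True)
'''


class KeyHolder:
    """Front-end handle to the helper; everything crosses a pipe as text."""

    def __init__(self):
        self.proc = subprocess.Popen(
            [sys.executable, "-c", HELPER_SRC],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)

    def _ask(self, request):
        self.proc.stdin.write(request + "\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().strip()

    def sign(self, message: bytes) -> str:
        reply = self._ask("SIGN " + message.hex())
        if not reply.startswith("OK "):
            raise RuntimeError(reply)
        return reply[3:]

    def verify(self, message: bytes, mac_hex: str) -> bool:
        return self._ask(f"VERIFY {message.hex()} {mac_hex}") == "OK 1"

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
```

A fault in the front end can still ask the helper to sign or verify, but the only thing it can reach is this narrow request protocol, not the key material.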