Zimmermann Suggests Freeing PGP Source
broody writes "NewsForge has an interesting article detailing Philip R. Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."
Why bother? It's gone, sold, IP traded for cash. He knew what he was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...
+++ UGUCAUCGUAUUUCU
If this guy sold PGP five years ago, what authority does he have now to suggest the change?
What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.
If they can't make money with it, and they don't plan on it, it could be used to build goodwill and advertising. Part of the requirement would be to leave in the advertising banners. Or require some form of license for inclusion into other commercial software.
Note that they have not conceded that PGP cannot be sold off, yet.
Fight Spammers!
not to bash slashdot, but why is it that Linux Today always posts the latest linux stories at least half a day before slashdot does?
anyways, on a side note, i think zimmerman is in the wrong here. if he is so concerned about the concept of pgp, then why isn't he focusing his efforts on GnuPG, which is a completely open version of the PGP concept?
No, they probably wouldn't. The IP belongs to NA, and I think he has probably seen the source code, so Gnu couldn't claim their code was a clean room implementation.
Considering Network Associates isn't developing it further, I somewhat see his point, but I don't see how he really has a say in the matter.
PGP is very good in Outlook for email and within Windows for its other features. Not making it available for Windows leaves people stuck in Windows with only proprietary options bundled in with Outlook/Windows, or those supplied by other vendors. GnuPG (not GnuPGP) doesn't work in Windows (well, it might via cygwin, but I'm not counting on it).
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
>Why should we care what Network Associates's
>proprietary privacy software does? There's no good
>reason one can't write their own Public Key
>Encryption software
Because another Free implementation - of anything - will always be useful.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
What about doing what Microplanet did with their Gravity news reader and making it freely available in binary format for all to use?
That way they don't have to give up the rights to it, but still have a loyal base of users. When they're able to make a buck off PGP again they can add some "must-have" features and the customer base will slowly come back to the commercial fold. As it is, the freeware versions will dominate and eventually PGP will be forgotten by most people.
Don't anthropomorphize computers, they don't like it.
His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.
Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!
-Pete
Soccer Goal Plans
Uh, that's great, but they still own it. Yes, you can look at the code, but you can't use or modify it without their consent - which I don't think that they intend to give. Open source means that you get those benefits.
SIG: HUP
PGP being sold out was the inspiration for the OpenPGP project which generated GPG, a perfectly good alternative to PGP.
The only real problem with GPG is the comparative lack of high quality "mere end user" facilities such as a good GUI.
Let's all dump PGP, it's served its purpose and its time is done. Put your effort into making GPG (real open source!) widely accepted and used.
Since he developed PGP, why not develop a RGP, or Really Good Privacy. He can keep this one open, and it can compete with the closed source version.
It offers the liberty of being Free and Free.
Just my .0199999999
If we don't fight for ourselves no one will.
When Zimmerman sold PGP, what did he expect? That people would start paying Network Associates money to use something that most people still don't see the need for?
Forget it Phil. You killed PGP when you sold it. GPG is there to take over from PGP and make sure that those who understand the need for good encryption still have some reviewable source to trust.
Nothing of the sort is necessary. BSD unix was a non-cleanroom reimplementation of AT&T unix. BSD won when it went to court. It is easier to be cleanroom though.
...and this lie crawls out of its mouth: 'I, the state, am the people.'
GnuPG (not GnuPGP) doesn't work in Windows
GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.6-2.zip
But it's not graphical. For that, I've been using WinPT for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here
Didn't I read where they were "asking" people to remove copies of PGP for download, even though they didn't offer or support PGP anymore?
Doesn't bode well, if you ask me.
I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a de facto standard.
Let's hope the geeks here make that problem irrelevant. So far the Mac side is doing *OK* with tools like GPG Tools, GPGMail, and Apple's own AES encrypted volumes using Disk Copy. However, syncing with key servers, file wiping and other functionality available in PGPFreeware is sorely missed. Maybe Phil Z should start a company focused on GPG rather than wasting his energy trying to get PGP open sourced...
We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.
Thanks
Bruce
Bruce Perens.
ok, then it just plain doesn't work well from a user's viewpoint (which was really my point). Or from Outlook, FWIW.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
I actually paid for a license for PGP Desktop for home and still use it heavily for pgpdisk (the encrypted virtual disk software). I like the thought that even if someone hacks into my computers with my login, they still have some work to do to get the important files.
While it sucked to see NAI drop PGP, I made sure I pulled down the latest build before my license expired. I can still get another couple of years use out of it.
I would like to think that someone will eventually pick it up. It's entirely too useful to let it die. It'd be nice if it turned free, but I would still pay a reasonable amount of money to get a new enhanced version.
but the article states that you can modify it and run the modified version on your machine, you just can't redistribute the modified code.
With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains.
Anyways, I don't think NA has any obligation to do as Zimm asks, he sold it to 'em, and it's now theirs to do with as they please, even if that means that they let it just die basically. It's a shame but it is their right to do so.
"Yes, you can look at the code, but you can't use or modify it without their consent"
Actually you *can* modify it and use it as you like, you just can't *distribute* it.
Not all that is gold glitters
he's an interesting little capitalist.
right now he seems to be a slashdoted little capitalist.
[you@someterminal you]# cd pgp-source
[you@someterminal you]# grep -c -r -i "nsa"
27
Religion is a gateway psychosis. -- Dave Foley
> Or from Outlook, FWIW
Ah, actually there's a plugin for Outlook _Express_ available now. GPGOE. Outlook will take some time -- and hacking on the office dev kit -- I guess. But yes, I get what you mean about "doesn't work well", but I can tell you it's getting better fast! And if you can, do give WinPT a try. You may be surprised.
It does work in OutLook. I'm using it right now.
Go get it here:
http://www3.gdata.de/gpg/
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
BSD unix was a non-cleanroom reimplimentation of AT&T unix. BSD won when it went to court.
But only an organization like BSD, backed by the University of California and their lawyers, had the resources to stand up to AT&T in court. I wouldn't suggest being cavalier about clean-room issues to any random Open Source project.
It's not immoral at all for him to request this, anymore than it's immoral for anyone else to request it.
He sold it to them, yes, but now they've effectively killed it, and don't plan to do anything with it... so it's fair enough that the PGP-using world wants to see it opened. Zimmerman is one of those.
That being said I tend to think that the push towards GnuPG isn't as great of an idea as some think.
While there are many "free" or open source projects out there that are great on multiple platforms, GnuPG hasn't yet been fully (if at all) accepted by the Windows users.
Before you flame me; encryption needs to be open, and it needs to be easy to use in some respects. If my grandma (or male lover) has to go to the command line to encrypt his/her e-mail - it isn't happening. Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.
If people expect Phil to come over to the GnuPG camp then you have to be ready to devote as much time to the Windows product as *nix.
Maybe I'm just not making sense because I'm typing fast... but simply: Gui, Gui, Gui. Equal time on all systems. Then I'll put my support behind GnuPG.
Otherwise Network Ass. should release their control over a product they raped.
Get your Unix fortune now!
I'd beg to differ. read the (currently highest moderated) post by Bruce Perens begging Phil to Join the GPG team
they don't HAVE to claim their code is clean room... as long as no code is copy-pasted over then it's ok... if there is some type of bug or other problem in the code and he knows HOW to fix it but not the exact code he CAN tell them how to do that... he can give them ideas about what to do as long as he doesn't drop in some code...
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
The only piece I really use is the PGPdisk feature. Creating a totally encrypted virtual harddrive is very cool.
I create 649 / 699 MB PGPdisks, fill them with my 'backups', "unmount" them, and then burn them onto CD. Voila, encrypted CD contents. Works beautifully.
It would be the coolest thing in the world if GPG was able to mount the same PGPdisks. Heck, even using other filesystems should be possible.
It's great for keeping data private (as long as the encryption will hold, a couple of years longer maybe).
Once GPG can at least mount and hopefully also create "GPGdisks", I'll ditch PGP.
You mean something like the KDE Free Qt Foundation? Qt is triple licensed: GPL, QPL, proprietary. If TrollTech discontinues the free edition of Qt, then the last available version will be released under the BSD license. (I'm not sure whether that's with the advertising clause.)
He could probably join the project as an advisor, as long as he didn't write any code, and not break the "clean-roomliness" of the code.
Ask any (ex) Informix employee about how well the hostile takeover and fire everyone "software company" strategy works. Computer Associates: milking support contracts for all their worth for years now.
Some ethics would be in place, this guy SOLD it to network associates, it's quite immoral for him to request them to open source it now!
How is it immoral for him to make that request? Suppose that you sold a car to your neighbor. Two years later, you find it rusting on blocks in their front lawn. Would it be immoral of you to politely suggest that they donate it to a worthy charity? I think not.
Admittedly, it's not the latest and greatest - but this is open source folks, surely some talented hackers out there can expand on what is already open?
Try reading the article before you post. The article tells you why this couldn't happen.
-a
How to rationalize theft.
The principal issue that faces any developer wishing to integrate GPG is that it is covered by the GPL. That means that even if it had an SDK (which there isn't) you couldn't link with it without infecting your own code. Even LGPL libs can't link with it. At present if you wish to use GPG, you must mess around constructing command line arguments, opening pipes etc., invoking it and then parse the results. It is a major pain. There are libraries such as GPGME that hide some of this from you but it is still slower than running in-process and has significant issues running on platforms like Windows or Mac where piping etc. might be done differently.
If PGP were opened up with either a LGPL or BSD style licence I can see it being used in preference to GPG. GPG has the better command-line interface and might be ok for scripts but PGP has an SDK (as well as a great UI on Win32) and would be ultimately faster if software can link directly to it.
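The post above describes the "invoke gpg, then parse the results" approach. As an added example (not code from the page or from the GnuPG project), here is the parsing half of that: a helper that runs `gpg --status-fd 1 --verify` through a pipe and turns GnuPG's machine-readable `[GNUPG:]` status lines into a verdict. The status keywords are GnuPG's own status-fd vocabulary; the sample status output, key IDs and user ID are constructed so the parser can be exercised without a keyring.

```python
"""Parse GnuPG --status-fd output into a signature verdict (added example).

GnuPG writes one line per event to the status fd, each prefixed with "[GNUPG:] ".
The keywords handled here (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, VALIDSIG, TRUST_*)
are part of GnuPG's documented status-fd protocol; the sample text is constructed.
"""
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "
# Keywords that mean the signature must NOT be accepted, whatever else is printed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    good: bool = False            # cryptographic check passed
    trusted: bool = False         # signing key is valid in our web of trust
    signer_keyid: str = ""        # long key ID from GOODSIG
    signer_uid: str = ""          # primary user ID from GOODSIG
    fingerprint: str = ""         # full fingerprint from VALIDSIG
    problems: list = field(default_factory=list)

    def acceptable(self) -> bool:
        """A defender should require both: the maths checks out AND the key is trusted."""
        return self.good and self.trusted and not self.problems


def parse_status(text: str) -> Verdict:
    """Build a Verdict from gpg status lines; non-status lines (gpg: ...) are ignored."""
    v = Verdict()
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG":
            v.good = True
            v.signer_keyid = fields[1]
            v.signer_uid = fields[2] if len(fields) > 2 else ""
        elif keyword in FAILURE_KEYWORDS:
            v.problems.append(keyword)
        elif keyword == "VALIDSIG":
            v.fingerprint = fields[1]
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            v.trusted = True
        elif keyword in ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"):
            v.trusted = False
    v.good = v.good and not v.problems
    return v


def verify_with_gpg(signed_path: str, gpg: str = "gpg") -> Verdict:
    """Run gpg (assumed to be on PATH) over a signed file and parse its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", signed_path],
        capture_output=True, text=True,
    )
    return parse_status(proc.stdout)  # exit status is non-zero on BADSIG; the lines say why


# Constructed sample output for three cases; values are placeholders, not real keys.
SAMPLE_GOOD = """\
gpg: Signature made Mon Mar  4 10:00:00 2002
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.test>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-03-04 1015235200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 2 00 1015235200 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.test>
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("unknown", SAMPLE_UNKNOWN_KEY), ("bad", SAMPLE_BAD)):
        print(name, parse_status(sample))
```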
PZ should get involved with Mozilla. For literally years I've been waiting for someone to build in some sort of public-key email (and newsgroup) crypto. It's still not there yet, and THAT has prevented several people I know - including myself - from adopting Mozilla as my sole internet access tool. I'd love to be able to dump some of the crap I run for email and usenet.
First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!
Maybe the NSA will buy it and then open source it, then include it with their SE Linux.
Zoot!
I didn't say it would be a good idea. I just said it would be an ethical one.
I don't believe email encryption will become mainstream unless these things happen.
1) Major email client providers agree on a standard
2) The ability to encrypt/decrypt is provided with the default install of their product.
Network Associates is sitting on the code to squash it. They don't want to sell it. They don't want to make money off it. They want to keep it unavailable. Texaco owned the patent for fuel injection systems in cars. Until that patent expired (patents used to expire), no cars had fuel injection. If you don't remember, you might want to look back at the date on the press release that Network Associates (a.k.a. McAfee) released, stating that they planned to discontinue PGP. It's pretty close to September 12, 2001.
I'd say that the fact that no one seems to know conclusively where you can run GnuPG is a sign that it's not ready for prime time!
-------------------------
slashdot@com.jarnot (swap the domain)
The generic response was "Open Source does not mean taking a product we don't want any more and throwing it over the wall. It means taking a product we continue to maintain and donating rights to it to the open source community. We can't just give away software without assessing the legal and PI risks. That's an expensive process, and we just won't do it unless it helps us start an OS project with some real potential."
I might be misquoting (that's why I don't name the company), but you can see the issues.
Out of curiosity, I went to NAs site looking for a client. They only make one for windows? I didn't see one for any other opsys's.
Guess we do need to save PGP.
JB
The heat from below can burn your eyes out
Have you tried to work with Phil Z.? Oh... thought not.
People who end up in the mess Phil did are not always the folk with the best social interfaces...
The problem with PGP is that overall it is tending to hinder the use of crypto rather than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know it's there because they are being told that only crypto persecuted by the NSA should be used.
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Rather than attempt to resurrect the PGP message formats it would be better to spend time building S/MIME key signing code.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
For a good read w/r/t Crypto in general (including Zimmerman and some of his past,) check out Steven Levy's book Crypto. It is excellent.
FreeBSD for the impatient.
Try out Enigmail [http://enigmail.mozdev.org/].
Enigmail is a "plugin" for Mozilla/Netscape7 Mail which allows users to access the authentication and encryption features provided by the popular GPG and PGP software (see screenshots). Enigmail is open source and dually-licensed under the GNU General Public License and the Mozilla Public License.
I was using WinPT for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:
So anyway, here's what you do:
So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.
Right now GUI wise, it's the easiest and nicest way to use gnupg for emails in Windows.
Could the Open source community buy it? I know I'd donate. If everyone who thinks it's important keeps donating something, would it be enough? We could put it under a decent license (BSD, MIT, GPL, etc) and donate it to GNU, MIT, or the EFF.
Are there any sites out there which take donations to buy closed source products and open source them?
Zeinfeld writes:
PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.
Sure, anyone can be an X.509 CA, but that doesn't help much. In order to issue meaningful X.509 certificates, you need to be a widely trusted CA, and that means commercial certificate distribution deals with Verisign, AOL and Microsoft, and that pretty much rules out all but big businesses.
PGP's web of trust has a much lower barrier of entry.
----
Open mind, insert foot.
This is one of the problems of GnuPG vs. Commercial PGP.
With GnuPG, you expect "normal" end-users go download GnuPG that has been ported to Win32 from somewhere... then go download a GUI from somewhere else, then go download an email plug-in from yet ANOTHER place.
Just getting people to understand the basics of asymmetric encryption is difficult enough without making a career out of finding a usable installation.
Complain all you want about "stupid users", but in the end, a simplified installation package is what gets people to use it. Encryption for the masses, not encryption for the techno-elite.
-SB
Anyway, I highly recommend it.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
In MS business environments you don't tend to have Admin rights on the box where you are working. I don't even have them at home on my Windows box.
I know, I worked on it for a while back in the early days.
It seems that under circumstances like these, the online community often coughs up quite a bit of cash. Why not ask for donations?
If the online community gave him this money, he would be obligated to act in good faith and open source the entire thing (including the commandline wrapper if Network Associates is truly selling PGP).
Sorry, I'm not actually living in the real world. My imagination tends to get the better of me...
All data is speech. All speech is Free.
For encryption to really take off amongst technical lay-people someone like AOL will have to seamlessly integrate it into their mailer: complete with automagic key-fetching and hiding all that nasty ASCII armoured 'garbage' (like KMail does). Unless the PGP or GNUPG creators can solve this problem then neither of them are any use to the average email user.
x.509 certificates are supported as standard in shitloads of mail clients (inc. Netscape and the ever popular MS Outhouse). Many people regard those as an "industry standard".
However, x.509 is more suited to companies, as each public key must be signed by a trusted certificate authority to be valid. (e.g. Signed by Thawte.... otherwise use openSSL and set yourself up as a certificate authority and generate your own x.509 certs). This is only really practical for a large company.
Individuals are better suited to PGP because its "web of trust" model eliminates the need for certificate authorities, but it will be impractical for a large organisation. (It's no wonder NA failed to sell PGP to companies.... the existing x.509 standard is much more suited)
See this link
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
You need one of the international versions of PGP available from www.pgpi.org you do
Available on a shitload of platforms
And pgpi is a very trusted site
(I could also mention the Cyber Knights Templar builds. Also very trusted + open source)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
An interesting comment in the Newsforge article:
This would allow Network Associates to continue to sell and make money from the command-line version, more popular with corporate techies. "End-users don't pay money," Zimmermann says. "It's the businesses with their techies who pay money and they like to have a command-line product to run in a shell script, so that a big Web site, for example, can encrypt your credit card number. Their command-line product is for one of those raised-floor machine rooms with a bunch of servers and nobody around."
Compare this to the reference in the snort article, where the core code is free, because its the techies who use that, and the GUI addons that cost.
I'm not really going anywhere with this, but it is a little surprising to see two completely diametric viewpoints on the same idea.
Well, the GNU Project is not "any random Open Source project" either. Though the FSF might prefer the current situation, without PZ involved in GnuPG.
But I doubt that PZ would be interested in working on GnuPG anyway. Seems he's more interested in his project surviving.
He saw some dirty arabs and fired. Too bad it was just some friendly kurds, BBC reporters and his fellow cowboys.
GnuPG is partly backed by the German government:
gnupg.de
gnupp.de
Someone is wrong on the Internet!
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, then the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large initial outlay required. If you wish to explicitly trust the PKI of another business then your CAs can issue each other Cross-Certificates.
Also, only one of the three businesses you mention is in the business of selling commercial certificates (Verisign). MS sells PKI products that allow you to generate your own self-signed certificates. MS has a PKI offering coming in .NET but my industry sources tell me that it is about 3 generations behind Entrust and 2 behind Verisign as far as capabilities, security, and (surprise) interoperability. This doesn't surprise me given the MS record with PKI and security in general. I'd better stop there or I won't get any work done today.
Stop Continental Drift! Reunite Gondwanaland!
That has nothing to do with the format of the certificate. It is simply basic math.
All the major email programs allow you to install your own trust roots, always have. The problem is getting a trust root widely recognized.
The diameter of a graph is the length of the longest path between two nodes. If the diameter of the graph is small then either the graph cannot be large or there must be at least some nodes of very high degree. [The Moore bound on the diameter of a graph is k * (k-1)^d where k is the degree of the nodes and d the diameter.]
Applied to PGP it means that if you have a Web of trust with a trust chain length of 5 and each person signs ten other keys you can have no more than 90,000 members if the members align themselves perfectly. In practice the size of the graph would be much smaller since the connections would be either random or highly locally connected which gets you down to about 10,000 users.
PGP works largely because people take untrusted keys off key servers and because there are folk like Jeff Schiller who have signed hundreds of keys.
If you want a global PKI then you need intermediaries. PGP is not designed to scale to be a global system. But if you are prepared to put up with the size limitations of the PGP model you can do the same in S/MIME.
Microsoft even ship a mini CA tool with Office and Visual Studio - makecert.exe. It is a bit idiosyncratic and you need to get another tool from the Microsoft site to convert the private key formats to PKCS12 format but it certainly works. The SSLeay code also has a cert signer.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I really love that expression "like trying to herd cats".
...
I would be right there ready to test binaries if you do something like this, but the idea of going off and starting yet another project worries me. You never know, diplomacy might actually work (especially if Phil Zimmerman was the diplomat).
You might try doing a cross platform but different native toolkit kinda thing like Abiword does.
The Mozilla plugin has potential, interesting.
My GUI design philosophy is if in doubt copy what everyone else is doing (in this case copy the official PGP). Do it differently only if you can demonstrate why your way is better (and even then it has to be substantially better to overcome the problem of inconsistency+learnability).
Trying desperately to stay on topic and protect my meagre Karma
OK, let's put this one to rest once and for all. I can't even begin to use the code unless I've paid for the right to do so. PGP Freeware exempted yes, but if I'm trying to do something for, say, a company, then I can't do squat with the code. Sure, I could theoretically modify it, but I would be in trouble for using that code until I've bought the license.
SIG: HUP
Conare writes:
Not really. If your only concern is encrypting/signing mail (and other stuff) within your organization, then the CA only needs to be trusted within your organization. Trust in the CA can be enforced as a condition of employment. This makes PKI practical for many mid size businesses as well, although small businesses should look elsewhere due to the large initial outlay required.
X.509 is a clumsy tool for internal encryption. Most programs using it are using it for communications, not storage. A good chunk of any business's need for secure communications is with other businesses. You can't make your parts supplier trust your internal CA as a condition of employment, and you usually can't even require it as a term of your contract with them.
If you wish to explicitly trust the PKI of another business then your CAs can issue each other Cross-Certificates.
Again using my parts supplier example, that would basically be me going to my parts supplier, and asking them to trust that every certificate we issue is valid. That's a lot of trust. Most people are prone to say "no", particularly if they don't understand the full ramifications of that trust.
With the PGP/GPG "Web Of Trust" model, all I would have to ask them is to trust that my key is validly my key. Much easier to do, the guy at my parts supplier can do this over the phone in many cases. Then he can sign my key and put it on their keyserver. Anyone at my parts supplier who accepts his signature will automatically trust my key. They are only asked to trust themselves, and what they can readily verify; a much more palatable trust model.
only one of the three businesses you mention is in the business of selling commercial certificates (Verisign).
The other two are the leading distributors of X.509 capable products, and therefore the leading distributors of "Here are the trusted Certificate Authorities" lists. To get on those lists takes money.
----
Open mind, insert foot.
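Two posts in this thread turn on the same mechanism: the earlier one on trust chain length (a web of trust with a maximum chain length of 5 only reaches so far) and the one just above, where the parts supplier signs one key and everyone who trusts his signature inherits validity for it. As an added example (not code from the page or from GnuPG), the following implements the classic PGP-style validity rules over a constructed signature graph: a key is valid if it is ultimately trusted, or certified by one fully trusted valid key, or by three marginally trusted valid keys, and only through chains no longer than `max_cert_depth` (default 5). Key names, signatures and trust assignments are constructed for illustration.

```python
"""Web-of-trust key validity with a certification depth limit (added example).

Rules mirror the classic PGP trust model defaults: completes_needed=1,
marginals_needed=3, max_cert_depth=5. "Owner trust" is how far we trust a key's
owner to certify others; "validity" is whether we believe a key belongs to its
named owner. Keys and signatures below are constructed, not real.
"""
UNKNOWN, MARGINAL, FULL, ULTIMATE = 0, 1, 2, 3   # owner-trust levels


def all_keys(signatures, owner_trust):
    keys = set(owner_trust)
    for signer, signed in signatures.items():
        keys.add(signer)
        keys.update(signed)
    return keys


def certifications(key, signatures, owner_trust, valid):
    """Count full and marginal certifications on `key` from keys already valid."""
    full = marginal = 0
    for signer, signed in signatures.items():
        if key not in signed or signer not in valid or signer == key:
            continue
        level = owner_trust.get(signer, UNKNOWN)
        if level >= FULL:        # ULTIMATE owners certify like FULL owners
            full += 1
        elif level == MARGINAL:
            marginal += 1
    return full, marginal


def compute_validity(signatures, owner_trust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key that becomes valid; depth 0 = ultimate keys.

    Depth d keys are certified only by keys valid at depth < d, so a chain of
    signatures longer than max_cert_depth never confers validity.
    """
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key in all_keys(signatures, owner_trust) - valid.keys():
            full, marginal = certifications(key, signatures, owner_trust, valid)
            if full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)      # added after the pass so depth counting stays exact
    return valid


# Constructed graph. "me" is the local user; "bob" is the parts-supplier contact
# whose signature we accept; m1..m3 are marginally trusted introducers; c1..c5 form
# a long certification chain to show the depth limit.
SIGNATURES = {
    "me":  {"bob", "m1", "m2", "m3"},
    "bob": {"c1"},
    "c1": {"c2"}, "c2": {"c3"}, "c3": {"c4"}, "c4": {"c5"},
    "m1": {"carol", "dave"},
    "m2": {"carol", "dave"},
    "m3": {"carol"},
}
OWNER_TRUST = {
    "me": ULTIMATE, "bob": FULL, "c1": FULL, "c2": FULL, "c3": FULL, "c4": FULL,
    "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL,
}

if __name__ == "__main__":
    for key, depth in sorted(compute_validity(SIGNATURES, OWNER_TRUST).items()):
        print(f"{key:6s} valid at depth {depth}")
```

With the defaults, `carol` (three marginal introducers) is valid while `dave` (only two) is not, and `c5` sits one signature beyond the depth limit; raising `max_cert_depth` to 6 brings it in.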