Zimmermann Suggests Freeing PGP Source

broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."

Free PGP? How about GnuPGP

[(H)elix1]

Why bother? Its gone, sold, IP traded for cash. He knew what hw was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...

Re:Free PGP? How about GnuPGP

[Neon+Spiral+Injector]

No, they probally wouldn't. The IP belongs to NA, and I think he has probally seen the source code, so Gnu couldn't claim their code was a clean room implimentation.

Dead Man's Switch

[peterdaly]

His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.

Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!

-Pete

Re:Dead Man's Switch

[Bruce+Perens]

This is sort of like source-code escrow, but not customer-specific.

In source-code escrow, the vendor promises to provide the source-code to the customer if the vendor goes out of business.

The problem is that bankruptcy courts often overturn source-code escrow clauses, because the source code turns out to be the firm's only salable asset.

The best solution is to free the code first, and for the customer to be careful not to become dependent on closed-source.

Bruce

Re:Dead Man's Switch

[kalidasa]

His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.

They used to have that. It was called copyright. One got a fixed term of copyright, could renew it for a small fee after that term to extend it to 75 years (net, not additional), and then it would go public domain after the 75 years were up. Then someone thought of the Berne Convention, and someone else thought of the Bono Bill, and someone else thought of the DMCA . . .

Re:Dead Man's Switch

[Bruce+Perens]

I lost the original case but found the following on google - there's more there. The first two citations here directly address the bankruptcy issue:

• http://my.ais.net/~lawmsf/articl15.htm
• http://www.wernick.com/Articles/1986Jun01%20Sour ce %20Code%20Escrow.pdf
• http://www.softescrow.com/faq.html

Thanks

Bruce

Re:Why listen to him?

[Cally]

> If this guy sold PGP five years ago, what authority
> does he have now to suggest the change?

"This guy" developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.

So, only moral authority... which doesn't seem to be worth much on the free market, these days.

Sad for Zimmerman but irrelevant

[mikehunt]

When Zimmerman sold PGP, what did he expect? That people would start paying
Network Associates money to use something that most people still don't
see the need for?

Forget it Phil. You killed PGP when you sold it. GPG is there take over from
PGP and make sure that those who understand the need for good encryption still
have some reviewable source to trust.

Re:Free PGP? How about GnuPGP

[cygnusx]

GnuPG (not GnuPGP) dont work in Windows

GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.6 -2.zip

But it's not graphical. For that, I've been using WinPT for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here

Unreleased Updates

[MacDork]

I've read on numerous occasions that NA has versions of PGP updated to run on OS X and XP, but aren't releasing them. Something to do with 9/11 maybe? It seems stupid to simply throw away a defacto standard.

Let's hope the geeks here make that problem irrelevant. So far the Mac side is doing *OK* with tools like GPG Tools, GPGMail, and Apple's own AES encrypted volumes using Disk Copy. However, syncing with key servers, file wiping and other functionality available in PGPFreeware is sorely missed. Maybe Phil Z should start a company focused on GPG rather than wasting his energy trying to get PGP open sourced...

Re:Unreleased Updates

[zulux]

To stroke the black helicopter theories...

Several friends of mine work at Microsoft, and apparently, according to one of them - important government types have been at the Microsoft campus. This gist is that has somthing to do with the whole DRM/encryption thingy.

It makes sense in a odd sort of way - if the govenment could get a back door into the worlds most popular operating system, they would have a goldmine. I'd be disapointed in the NSA if they diden't try.

Phil, Please Join Us!

[Bruce+Perens]

Phil,

We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.

Thanks

Bruce

Re:Phil, Please Join Us!

[MAXOMENOS]

Let me second this. (Yes, I'm seconding Bruce Perens. How's that for chutzpah?.)

Most of the Gnu Privacy Guard code base is in place, but we still need a ton of help with GUIs, APIs, Web-based encrypted email, etc. And there is no GnuPGFone as far as I know.

I know PGP is your baby .. I can appreciate that, and I know what it's like to lose control of your baby. I'm not going to pretend that GnuPG is the same thing. Nonetheless, GnuPG is working toward (mostly) the same goals, and that's something worth considering. They could also use your help, as you have years and years of hard-won experience in this field. Yeah, they're young punks, but they mean well and they do good.

Just my two cents.

Re:GPG is just fine but GUI needs work

Why not check out WinPT?

They have a nice little frontend for GPG that can sit in your system tray, and related projects bring GPG in to the Mozilla and Eudora mail clients as well. Plus, it's GPL'ed.

That's only for Windows, but I'm sure there are plenty of good GPG front ends for Linux and other Operating Systems as well.

I've switched, and I'm not looking back.

close

[martissimo]

but the article states that you can modify it and run the modified version on your machine, you just can't redistribute the modified code.

With the source code able to be modified, it might be easy for some people to think of PGP as Open Source. "You could modify it if you wanted to, and run it on your own computer, but you could not distribute a modified version," Zimmermann explains

Anyways, i dont think NA has any obligation to do as Zimm asks, he sold it to em, and it's now their's to do with as they please, even if that means that they let it just die basically. It's a shame but it is their right to do so.

Re:Commercial VPN client.....

[tzanger]

What sucks is they dropped the commercial VPN client totally, the freeware version is still around (or was a couple weeks ago) but it only supports machine to machine, no machine to network connectivity, that was only in the commercial version.

That doesn't suck at all, unless you're using Win95/98. Win2k has built in IPSec and it works quite well with FreeS/WAN (I am using it every day). vpn.ebootis.de (funny name, great documentation) shows you how to patch FreeS/WAN to use X/509 certs, and how to generate the certs, and how to make win2k and FreeS/WAN play nice together. PGPNet for Win2k was a little bit of a goofy thing.

Re:Why listen to him?

Not only that, but he was involved in a legal quagmire for quite some time, thanks to the U.S. government classifying encryption as a munition. It is hard to blame the man for selling PGP when his legal expenditures probably placed him in quite a bit of debt.

We should all be thankful that Phil was willing to stand up for something like this.

The real reason this will never happen

[Monkelectric]

[you@someterminal you]# cd pgp-source
[you@someterminal you]# grep -c -r -i "nsa"
27

Re:Free PGP? How about GnuPGP

[cygnusx]

> Or from Outlook, FWIW

Ah, actually there a plugin for Outlook _Express_ available now. GPGOE. Outlook will take some time -- and hacking on the office dev kit -- I guess. But yes, I get what you mean about "dont work well", but I can tell you it's getting better fast! And if you can, do give WinPT a try. You may be surprised.

Re:Free PGP? How about GnuPGP

[1010011010]

It does work in OutLook. I'm using it right now.

Go get it here:
http://www3.gdata.de/gpg/

One reason for PGP over GPL

[DrXym]

Assuming PGP was open sourced and was covered by a sensible licence, it could easily steal a march over GPG.

The principle issue that faces any developer wishing to integrate GPG is that it is covered by GPL. That means that even if it had an SDK (which the isn't) you couldn't link with it without infecting your own code. Even LGPL libs can't link with it. At present if you wish to use GPG, you must mess around constructing command line arguments, opening pipes etc., invoking it and then parse the results. It is a major pain. There are libraries such as GPGME that hide some of this from you but it is still slower than running in-process and has significant issues running on platforms like Windows or Mac where piping etc. might be done differently.

If PGP were opened up with either a LGPL or BSD style licence I can see it being used in preference to GPG. GPG has the better command-line interface and might be ok for scripts but PGP has an SDK (as well as a great UI on Win32) and would be ultimately faster if software can link directly to it.

Re:One reason for PGP over GPL

[Nicopa]

In fact, this is a good thing. Accessing to the gpg process through pipes gives you the greatest security. If you link GPG with your favorite GUI program, any hole or fault in GTK+ or your program could compromise your keys.

Other programs do the same (have a separate security dedicated process). Check ssh and its privilege separation, and postfix and its multitude of little processes.

Phil should work on Mozilla

[PingXao]

PZ should get involved with Mozilla. For literally years I've been waiting for someone to build in some sort of public-key email (and newsgroup) crypto. It's still not there yet, and THAT has prevented several people I know - including myself - from adopting Mozilla as my sole internet access tool. I'd love to be able to dump some of the crap I run for email and usenet.

First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!

Re:PGP owns...

[_Sprocket_]

Now I see one project to bring it to the Windows desktop but it's being developed by linux developers.

I've found a whole series of GnuPG interfaces and email plugins for windows (WinPT being my favorite sofar). I don't know if the developers are "Linux developers" or not - but I fail to see how that matters.

If people expect Phil to come over to the GnuPG camp then you have to be ready to develop as much time to the Windows product as *nix.

Nobody is stopping any developers from running with GnuPG development on their favorite platform. In fact, as already pointed out, Windows development is definately picking up (probably due to NAI's dropping PGP - way to create an itch / need). And the GnuPG developers are definately thinking ahead with libraries such as their GPGME API. No more shell front-ends like the old PGP GUI days. GPGME provides direct hooks in to GnuPG (WinPT uses it).

In short, the door is wide open.

Re:Free PGP? How about GnuPGP

[Zeinfeld]

If he really wants to do something, GnuPGP would probably welcome him with open arms...

Have you tried to work with Phil Z.? Oh... thought not.

People who end up in the mess Phil did are not always the folk with the best social interfaces...

The problem with PGP is that overall it is tending to hinder the use of crypto than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know its there because they are being told that only crypto persecuted by the NSA should be used.

PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.

Rather than attempt to resurect the PGP message formats it would be better to spend time building S/MIME key signing code.

Windows users: try GPGshell with Nullify GnuPG

[Jim+Efaw]

I was using WinPT for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:

• GPGkeys, a program to do manage all the keys.
• GPGtray, which has a lot of the options on the system tray, and magically knows the "right" thing to do with the clipboard if you double-click it. Highlighting a PGP key in a terminal window then double-clicking on an icon makes importing keys really slick.
• GPGtools, which lets you drag-and-drop files onto it.

So anyway, here's what you do:

1. Get GnuPG (1.0.7 or later) from Nullify. It comes with an installer, plus contains those sinful patented algorithms (like IDEA) that PGP was fond of using in various versions.
2. Get GPGshell, install, and tell it where you put GnuPG.

So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.