Zimmermann Suggests Freeing PGP Source

broody writes "NewsForge has an interesting article detailing Phillip R Zimmermann's lament at selling PGP. Since he cannot afford to buy it back outright, he is pushing for Network Associates to 'open source' it. Well, the GUI and SDK anyway. I'll say this, he's an interesting little capitalist."

Free PGP? How about GnuPGP

[(H)elix1]

Why bother? Its gone, sold, IP traded for cash. He knew what hw was doing when it was traded for money. If he really wants to do something, GnuPGP would probably welcome him with open arms...

Re:Free PGP? How about GnuPGP

[Neon+Spiral+Injector]

No, they probally wouldn't. The IP belongs to NA, and I think he has probally seen the source code, so Gnu couldn't claim their code was a clean room implimentation.

Dead Man's Switch

[peterdaly]

His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.

Think of all the software that might still be available if they had such a clause in their license. Hell, just the games!

-Pete

Re:Dead Man's Switch

[Bruce+Perens]

This is sort of like source-code escrow, but not customer-specific.

In source-code escrow, the vendor promises to provide the source-code to the customer if the vendor goes out of business.

The problem is that bankruptcy courts often overturn source-code escrow clauses, because the source code turns out to be the firm's only salable asset.

The best solution is to free the code first, and for the customer to be careful not to become dependent on closed-source.

Bruce

Re:Dead Man's Switch

[kalidasa]

His idea for a Dead Man's Switch license would be very interesting to see implemented. It would be nice to see something like that used in a lot of commercial software.

They used to have that. It was called copyright. One got a fixed term of copyright, could renew it for a small fee after that term to extend it to 75 years (net, not additional), and then it would go public domain after the 75 years were up. Then someone thought of the Berne Convention, and someone else thought of the Bono Bill, and someone else thought of the DMCA . . .

Re:Dead Man's Switch

[Bruce+Perens]

I lost the original case but found the following on google - there's more there. The first two citations here directly address the bankruptcy issue:

• http://my.ais.net/~lawmsf/articl15.htm
• http://www.wernick.com/Articles/1986Jun01%20Sour ce %20Code%20Escrow.pdf
• http://www.softescrow.com/faq.html

Thanks

Bruce

Re:Why listen to him?

[Cally]

> If this guy sold PGP five years ago, what authority
> does he have now to suggest the change?

"This guy" developed the PGP protocol, and it's first implementation, then released it freely on the Internet when it seemed likely the US Govt. was about to criminalise *all* personal encryption.

So, only moral authority... which doesn't seem to be worth much on the free market, these days.

Re:Free PGP? How about GnuPGP

[cygnusx]

GnuPG (not GnuPGP) dont work in Windows

GnuPG _does_ work on Windows: http://ftp.gnupg.org/gcrypt/binary/gnupg-w32-1.0.6 -2.zip

But it's not graphical. For that, I've been using WinPT for some time. It's a pretty good replacement for PGPtray, not as pretty though. And it imported all my PGP 6.x/Win Keys fine too. Download with all dependencies here

Phil, Please Join Us!

[Bruce+Perens]

Phil,

We'd really like you to join the work on GnuPG, and on GUI projects like GNOME. I think it would be most productive to write off the PGP code base and continue your work on the existing Free Software projects. We've gotten most of the hard work done already.

Thanks

Bruce

Re:Phil, Please Join Us!

[MAXOMENOS]

Let me second this. (Yes, I'm seconding Bruce Perens. How's that for chutzpah?.)

Most of the Gnu Privacy Guard code base is in place, but we still need a ton of help with GUIs, APIs, Web-based encrypted email, etc. And there is no GnuPGFone as far as I know.

I know PGP is your baby .. I can appreciate that, and I know what it's like to lose control of your baby. I'm not going to pretend that GnuPG is the same thing. Nonetheless, GnuPG is working toward (mostly) the same goals, and that's something worth considering. They could also use your help, as you have years and years of hard-won experience in this field. Yeah, they're young punks, but they mean well and they do good.

Just my two cents.

The real reason this will never happen

[Monkelectric]

[you@someterminal you]# cd pgp-source
[you@someterminal you]# grep -c -r -i "nsa"
27

Re:Free PGP? How about GnuPGP

[1010011010]

It does work in OutLook. I'm using it right now.

Go get it here:
http://www3.gdata.de/gpg/

Re:Unreleased Updates

[zulux]

To stroke the black helicopter theories...

Several friends of mine work at Microsoft, and apparently, according to one of them - important government types have been at the Microsoft campus. This gist is that has somthing to do with the whole DRM/encryption thingy.

It makes sense in a odd sort of way - if the govenment could get a back door into the worlds most popular operating system, they would have a goldmine. I'd be disapointed in the NSA if they diden't try.

Phil should work on Mozilla

[PingXao]

PZ should get involved with Mozilla. For literally years I've been waiting for someone to build in some sort of public-key email (and newsgroup) crypto. It's still not there yet, and THAT has prevented several people I know - including myself - from adopting Mozilla as my sole internet access tool. I'd love to be able to dump some of the crap I run for email and usenet.

First it was the export restrictions that were deterring Mozilla crypto. Now it's something else. I guess these projects qualify for some of what's being done today, but I needed Mozilla to do built-in crypto years ago. The standard Mozilla comeback is "do it yourself". Well, I have neither the time nor the skill to do that. But Phil does!

Re:Free PGP? How about GnuPGP

[Zeinfeld]

If he really wants to do something, GnuPGP would probably welcome him with open arms...

Have you tried to work with Phil Z.? Oh... thought not.

People who end up in the mess Phil did are not always the folk with the best social interfaces...

The problem with PGP is that overall it is tending to hinder the use of crypto than help at this point. There is perfectly good crypto built into Outlook, Outlook Express, Notes, Netscape etc. Only thing is people don't know its there because they are being told that only crypto persecuted by the NSA should be used.

PGP has a somewhat different PKI design, but not all that much different. Anyone can be a CA with X.509, the only technical difference being that certificate signing certs have the key signing bit set.

Rather than attempt to resurect the PGP message formats it would be better to spend time building S/MIME key signing code.

Windows users: try GPGshell with Nullify GnuPG

[Jim+Efaw]

I was using WinPT for a while, until I stumbled on GPGshell. It calls GnuPG to do the work, so you never have to worry about entering your passphrase into a GUI. IMHO, it's a lot nicer than WinPT. When you install it, you get 3 programs, which don't need each other to work:

• GPGkeys, a program to do manage all the keys.
• GPGtray, which has a lot of the options on the system tray, and magically knows the "right" thing to do with the clipboard if you double-click it. Highlighting a PGP key in a terminal window then double-clicking on an icon makes importing keys really slick.
• GPGtools, which lets you drag-and-drop files onto it.

So anyway, here's what you do:

1. Get GnuPG (1.0.7 or later) from Nullify. It comes with an installer, plus contains those sinful patented algorithms (like IDEA) that PGP was fond of using in various versions.
2. Get GPGshell, install, and tell it where you put GnuPG.

So far this setup has had no problem dealing with any PGP messages I've encountered, from 2.6.2 to 7.x, but I haven't tested it extensively.