--- begin forwarded text
From: pplf <[EMAIL PROTECTED]> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130) To: [EMAIL PROTECTED] Subject: Zimmermann creates a non-free command-line OpenPGP product Sender: [EMAIL PROTECTED] Date: Sat, 08 Feb 2003 09:44:09 +0100 Status: R <x-flowed> For info, here are the Slashdot article and the Philip Zimmermann letter: ----------------- Command-Line Crypto From Phil Zimmermann, Again EncryptionPosted by timothy on Friday February 07, @04:45PM from the will-smite-thee-is-a-command-line dept. A few months ago, PGP creator Phil Zimmermann became a reseller for the current graphical version of the software he originally spawned, produced by PGP Corporation. Now, Zimmermann has just started selling through his own website a modern command-line encryption product called FileCrypt, which has its roots in an older version of PGP. Confusingly enough, this software is produced by a company called (Veridis), and doesn't say PGP on the box, because legally it can't. Network Associates, which acquired PGP Inc. in 1997, still holds the rights to that name; when NAI spun off PGP to PGP Corporation in 2002, they held onto the command-line version. PGP Corporation, for whom Zimmermann serves as a technical advisor (as well as a reseller), is contractually unable to sell a command-line version. (He is on the board of Veridis as well.) But why introduce a text-only version of utility software, anyway, when the GUI-fied desktop version has been maturing for years and costs less? Update: 02/07 23:07 GMT by T: Here are three instant clarifications: PGP Corporation was misrendered as "Open PGP" in this paragraph; Veridis' command line product was inspired by PGP but independently created; its codebase is separate from NAI's version of PGP; and the rights holder to the PGP name is PGP Corporation, not NAI. They aren't paying for a pretty logo. The real reason is that the GUI version of PGP (along with other graphical encryption software, like the GNU Privacy Guard) aren't even in the same market. Casual computer users have never laid out much money for encryption. The widespread use of PGP in its original incarnation (during the era of Zimmermann's prosecution for allowing it to be exported) can be attributed as much to its zero-dollars price as to a generalized interest in privacy. Home and hobby users are not cut out from buying Veridis's software -- for about a hundred dollars, you can buy a personal use version of the command-line version. The real money isn't in individuals keeping their tax records private, though -- Zimmermann and Veridis, like NAI (whose PGP-based product is called E-Business Server) are really aiming at commercial and governmental datacenters, and for customers willing to accept a much higher pricetag. Insurance companies, banks, credit card processing centers, state records -- anywhere financial or otherwise confidential records are exchanged or stored en masse -- these all need encryption which works at the command-line. More precisely, they need crypto software which can work without direct human intervention at all. Instead, massive data centers need tools which can be called by scripts and other programs, so servers, or server farms, can spend their time crunching numbers rather than drawing pictures. The name is familiar ... The commercial competition FileCrypt faces is familial -- it's the same product from NAI (sold from their McAffee division) that prevents Zimmermann and Veridis from calling their software PGP, even though NAI now labels their product E-Business Server. And though many companies have homegrown cryptographic solutions, Zimmermann says he knows of no other packaged software offering the high-volume encryption that the products from NAI or Veridis do. And, he emphasizes, what they do is very similar. He says of the Veridis command-line product compared to NAI's, "It's drop-in compatible, identical in operation ... you could run the same perl scripts, the same command-line arguments." If you want to buy Veridis' encryption software licensed for electronic commerce (not one-person use), hold onto your wallet: the price jumps about 50 times, to a shade under $5000, which Zimmermann describes as a bargain -- at least compared to the competition. (Prices on the McAfee website show a one-year subscription-based license for E-Business Server starting at $6,875; $14,375 buys a perpetual license, with no included support.) Both sides of that fence. And of competing in this case with a product that originated from his own crypto software (and his own company, PGP Inc.), Zimmermann says "I just don't really think of that as my product any more. It's in the hands of NAI, all the engineers have been fired. I just don't feel psychologically connected to that product." To look and not to sell. Especially when it comes to cryptographic software, code openness is considered not just a virtue but a near necessity. Peer-review and independent auditing, after all, are about the only ways you can tell that software isn't shuttling credit card numbers to the wrong person. The business model of selling high-priced crypto software at thousands of dollars per processor doesn't mesh well with gratis software, though. To that end, Zimmermann says the FileCrypt code will be soon be available for download and inspection under terms which he says will be similar to those under which users can download the code for PGP Corporation's version of the PGP-based desktop software. (PGP Corporation's terms are available though their source code page). http://slashdot.org/articles/03/02/06/1936221.shtml?tid=93 --------------------------------------- From PGP to OpenPGP... Foreword by Philip R. Zimmermann PGP, the most popular email encryption product in the world, has come a long way since 1991 when I first released it. The PGP® product itself has been improved and rewritten many times by teams of engineers over the years, and indeed even the teams of engineers have had a significant amount of personnel turnover. This raises a question, what exactly is PGP? Which is the "true" version? Was it the classic 1994 PGP version 2.6.2 command line product, which some diehard PGP users still cling to? Or is it the current PGP 8.0 GUI product from PGP Corp, which has almost no code in common with my old PGP 2.6.2? If these products are both regarded as PGP, then why not consider other code bases that implement the OpenPGP standard? The obvious answer is trademark. PGP is a trademark of PGP Corporation. More on that later. Let's go back to 1995, when I was still under criminal investigation by the US Justice Department for export control violations by letting PGP become exported from the US. At that time, I was approached by Olivier Merenne, who owned a software company in Brussels, who specialized in security and system software applications. Olivier wanted to sell PGP in Europe, but knew that the original code base I developed would always have a cloud hanging over it due to the taint of alleged violations of US export controls. He wanted to solve this problem by developing in Belgium a new code base to re-implement PGP from scratch. Then he could sell it in Europe with no legal problems. That was OK with me. Olivier proceeded with development, and was ready a year later to demo the new product to me. But in that same year, I won my fight with the US government, they dropped the case, and I started a new company called PGP Inc in the US. In the intervening years I have come to know Olivier and his engineering team (headed by Laurent Debonte and Sebastien Lemmens), and have developed respect for their code base that implements the OpenPGP standard. I joined their board of directors. I have worked with them, participating in engineering design sessions, reviewed critical parts of the code in their crypto library SDK, and I regard it as a good implementation of the OpenPGP standard. After a couple of years, my company ran out of money and I had to sell it to Network Associates (NAI), who never really understood PGP. In late 2000, NAI broke with PGP tradition and stopped publishing their source code. In February 2002, NAI pulled the plug on PGP, fired all the employees (I got out a year earlier), and tried to find a buyer of the assets. A new startup, PGP Corporation, bought the rights to the PGP products and trademark from NAI. But NAI held on to one version of PGP, the version that lacked a graphical user interface, the command line version. It was called PGP E-Business Server. After selling the PGP trademark to PGP Corporation, NAI called it the McAfee E-Business Server. This product is used by web commerce sites to encrypt credit card numbers and the like, or for moving bulk files around between corporate servers via FTP transfers. It had to be the non-GUI version, because it had to run in shell scripts without human intervention. The reason why NAI retained control of this product was because it was a cash cow for them. However, many PGP users were alienated by stratospheric pricing policies and lack of a low cost version for the non-server interactive users. Something had to be done, to relieve the pressure on the PGP community that depends on a command line product. We needed a licensing scheme that would address both the corporate server market as well as the interactive workstation user. PGP Corporation couldn't do anything, because they have an agreement with NAI that precludes them from competing with NAI by producing or selling a command line version of PGP. Fortunately, no other player in the OpenPGP community suffers from such a handicap. Including me. And Olivier's team, with their completely independent code base. So I'm introducing my own modest alternative to the old PGP command line product, and I'm basing it on the code developed by my friends in Belgium. I can't call it PGP because I don't own that trademark. I wracked by brain to come up with another name as inspired as Pretty Good Privacy, but just couldn't. So we had to make do with the perfectly servicable name of FileCrypt®. I think that at a technical level it's just as much like PGP as the current NAI E-Business Server product, and is as compatible with the OpenPGP standard as PGP. And keeping with the true PGP tradition, the source code will be available for peer review. We are offering an inexpensive version of FileCrypt for interactive users who simply prefer a command line product, and another version priced for corporate servers that run it non-interactively. If you want a nice GUI version of PGP, I suggest you get PGP Corporation's product, PGP. You can get it from me on my web site at www.philzimmermann.com/sales.shtml . Why should the business community opt for the OpenPGP standard? For years this standard dominated the world of email encryption. But during the last year of NAI's stewardship of PGP, the user community held back, deferring deployment decisions to see what would happen with PGP, creating a backlog of pent-up demand. Now, since PGP's rescue, OpenPGP has surged ahead of all other protocols for email and file encryption. Even the US military, previously committed to a different email encryption protocol with an inflexible PKI, now seems to be showing a renewed interest in embracing PGP. The handwriting on the wall is clear, OpenPGP is now unstoppable. Philip Zimmermann http://www.veridis.com/openpgp/en/index.asp --------------------------------------- -- pplf - French OpenPGP page <[EMAIL PROTECTED]> "OpenPGP en francais" PGP: 8263 8399 2074 5277 a6d3 http://www.openpgp.fr.st 622d 1b66 ea3d caa0 8c94 _______________________________________________ Gnupg-users mailing list [EMAIL PROTECTED] http://lists.gnupg.org/mailman/listinfo/gnupg-users </x-flowed> --- end forwarded text -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]