Zimmermann creates a non-free command-line OpenPGP product

pplf pplf@wanadoo.fr
Sat Feb 8 09:44:01 2003

For info, here are the Slashdot article and the Philip Zimmermann letter:


Command-Line Crypto From Phil Zimmermann, Again

EncryptionPosted by timothy on Friday February 07, @04:45PM
=66rom the will-smite-thee-is-a-command-line dept.

A few months ago, PGP creator Phil Zimmermann became a reseller for the=20
current graphical version of the software he originally spawned,=20
produced by PGP Corporation. Now, Zimmermann has just started selling=20
through his own website a modern command-line encryption product called=20
FileCrypt, which has its roots in an older version of PGP. Confusingly=20
enough, this software is produced by a company called (Veridis), and=20
doesn't say PGP on the box, because legally it can't. Network=20
Associates, which acquired PGP Inc. in 1997, still holds the rights to=20
that name; when NAI spun off PGP to PGP Corporation in 2002, they held=20
onto the command-line version. PGP Corporation, for whom Zimmermann=20
serves as a technical advisor (as well as a reseller), is contractually=20
unable to sell a command-line version. (He is on the board of Veridis as=20
well.) But why introduce a text-only version of utility software,=20
anyway, when the GUI-fied desktop version has been maturing for years=20
and costs less? Update: 02/07 23:07 GMT by T: Here are three instant=20
clarifications: PGP Corporation was misrendered as "Open PGP" in this=20
paragraph; Veridis' command line product was inspired by PGP but=20
independently created; its codebase is separate from NAI's version of=20
PGP; and the rights holder to the PGP name is PGP Corporation, not NAI.

They aren't paying for a pretty logo.
The real reason is that the GUI version of PGP (along with other=20
graphical encryption software, like the GNU Privacy Guard) aren't even=20
in the same market.

Casual computer users have never laid out much money for encryption. The=20
widespread use of PGP in its original incarnation (during the era of=20
Zimmermann's prosecution for allowing it to be exported) can be=20
attributed as much to its zero-dollars price as to a generalized=20
interest in privacy. Home and hobby users are not cut out from buying=20
Veridis's software -- for about a hundred dollars, you can buy a=20
personal use version of the command-line version. The real money isn't=20
in individuals keeping their tax records private, though -- Zimmermann=20
and Veridis, like NAI (whose PGP-based product is called E-Business=20
Server) are really aiming at commercial and governmental datacenters,=20
and for customers willing to accept a much higher pricetag.

Insurance companies, banks, credit card processing centers, state=20
records -- anywhere financial or otherwise confidential records are=20
exchanged or stored en masse -- these all need encryption which works at=20
the command-line. More precisely, they need crypto software which can=20
work without direct human intervention at all. Instead, massive data=20
centers need tools which can be called by scripts and other programs, so=20
servers, or server farms, can spend their time crunching numbers rather=20
than drawing pictures.

The name is familiar ...
The commercial competition FileCrypt faces is familial -- it's the same=20
product from NAI (sold from their McAffee division) that prevents=20
Zimmermann and Veridis from calling their software PGP, even though NAI=20
now labels their product E-Business Server. And though many companies=20
have homegrown cryptographic solutions, Zimmermann says he knows of no=20
other packaged software offering the high-volume encryption that the=20
products from NAI or Veridis do.

And, he emphasizes, what they do is very similar. He says of the Veridis=20
command-line product compared to NAI's, "It's drop-in compatible,=20
identical in operation ... you could run the same perl scripts, the same=20
command-line arguments."

If you want to buy Veridis' encryption software licensed for electronic=20
commerce (not one-person use), hold onto your wallet: the price jumps=20
about 50 times, to a shade under $5000, which Zimmermann describes as a=20
bargain -- at least compared to the competition.

(Prices on the McAfee website show a one-year subscription-based license=20
for E-Business Server starting at $6,875; $14,375 buys a perpetual=20
license, with no included support.)
Both sides of that fence.
And of competing in this case with a product that originated from his=20
own crypto software (and his own company, PGP Inc.), Zimmermann says "I=20
just don't really think of that as my product any more. It's in the=20
hands of NAI, all the engineers have been fired. I just don't feel=20
psychologically connected to that product."
To look and not to sell.
Especially when it comes to cryptographic software, code openness is=20
considered not just a virtue but a near necessity. Peer-review and=20
independent auditing, after all, are about the only ways you can tell=20
that software isn't shuttling credit card numbers to the wrong person.

The business model of selling high-priced crypto software at thousands=20
of dollars per processor doesn't mesh well with gratis software, though.=20
To that end, Zimmermann says the FileCrypt code will be soon be=20
available for download and inspection under terms which he says will be=20
similar to those under which users can download the code for PGP=20
Corporation's version of the PGP-based desktop software. (PGP=20
Corporation's terms are available though their source code page).



 From PGP to OpenPGP...

by Philip R. Zimmermann

PGP, the most popular email encryption product in the world, has come a=20
long way since 1991 when I first released it. The PGP=AE product itself=20
has been improved and rewritten many times by teams of engineers over=20
the years, and indeed even the teams of engineers have had a significant=20
amount of personnel turnover.

This raises a question, what exactly is PGP?
Which is the =93true=94 version? Was it the classic 1994 PGP version 2.6.=
command line product, which some diehard PGP users still cling to? Or is=20
it the current PGP 8.0 GUI product from PGP Corp, which has almost no=20
code in common with my old PGP 2.6.2? If these products are both=20
regarded as PGP, then why not consider other code bases that implement=20
the OpenPGP standard? The obvious answer is trademark. PGP is a=20
trademark of PGP Corporation. More on that later.

Let=92s go back to 1995, when I was still under criminal investigation by=
the US Justice Department for export control violations by letting PGP=20
become exported from the US. At that time, I was approached by Olivier=20
Merenne, who owned a software company in Brussels, who specialized in=20
security and system software applications. Olivier wanted to sell PGP in=20
Europe, but knew that the original code base I developed would always=20
have a cloud hanging over it due to the taint of alleged violations of=20
US export controls. He wanted to solve this problem by developing in=20
Belgium a new code base to re-implement PGP from scratch. Then he could=20
sell it in Europe with no legal problems. That was OK with me.

Olivier proceeded with development, and was ready a year later to demo=20
the new product to me. But in that same year, I won my fight with the US=20
government, they dropped the case, and I started a new company called=20
PGP Inc in the US.

In the intervening years I have come to know Olivier and his engineering=20
team (headed by Laurent Debonte and Sebastien Lemmens), and have=20
developed respect for their code base that implements the OpenPGP=20
standard. I joined their board of directors. I have worked with them,=20
participating in engineering design sessions, reviewed critical parts of=20
the code in their crypto library SDK, and I regard it as a good=20
implementation of the OpenPGP standard.

After a couple of years, my company ran out of money and I had to sell=20
it to Network Associates (NAI), who never really understood PGP. In late=20
2000, NAI broke with PGP tradition and stopped publishing their source=20
code. In February 2002, NAI pulled the plug on PGP, fired all the=20
employees (I got out a year earlier), and tried to find a buyer of the=20
assets. A new startup, PGP Corporation, bought the rights to the PGP=20
products and trademark from NAI.

But NAI held on to one version of PGP, the version that lacked a=20
graphical user interface, the command line version. It was called PGP=20
E-Business Server. After selling the PGP trademark to PGP Corporation,=20
NAI called it the McAfee E-Business Server. This product is used by web=20
commerce sites to encrypt credit card numbers and the like, or for=20
moving bulk files around between corporate servers via FTP transfers. It=20
had to be the non-GUI version, because it had to run in shell scripts=20
without human intervention. The reason why NAI retained control of this=20
product was because it was a cash cow for them. However, many PGP users=20
were alienated by stratospheric pricing policies and lack of a low cost=20
version for the non-server interactive users.

Something had to be done, to relieve the pressure on the PGP community=20
that depends on a command line product. We needed a licensing scheme=20
that would address both the corporate server market as well as the=20
interactive workstation user. PGP Corporation couldn't do anything,=20
because they have an agreement with NAI that precludes them from=20
competing with NAI by producing or selling a command line version of=20
PGP. Fortunately, no other player in the OpenPGP community suffers from=20
such a handicap. Including me. And Olivier's team, with their completely=20
independent code base.

So I=92m introducing my own modest alternative to the old PGP command lin=
product, and I=92m basing it on the code developed by my friends in=20
Belgium. I can=92t call it PGP because I don=92t own that trademark. I=20
wracked by brain to come up with another name as inspired as Pretty Good=20
Privacy, but just couldn't. So we had to make do with the perfectly=20
servicable name of FileCrypt=AE. I think that at a technical level it=92s=
just as much like PGP as the current NAI E-Business Server product, and=20
is as compatible with the OpenPGP standard as PGP. And keeping with the=20
true PGP tradition, the source code will be available for peer review.

We are offering an inexpensive version of FileCrypt for interactive=20
users who simply prefer a command line product, and another version=20
priced for corporate servers that run it non-interactively.

If you want a nice GUI version of PGP, I suggest you get PGP=20
Corporation's product, PGP. You can get it from me on my web site at=20
www.philzimmermann.com/sales.shtml .

Why should the business community opt for the OpenPGP standard? For=20
years this standard dominated the world of email encryption. But during=20
the last year of NAI=92s stewardship of PGP, the user community held back=
deferring deployment decisions to see what would happen with PGP,=20
creating a backlog of pent-up demand. Now, since PGP's rescue, OpenPGP=20
has surged ahead of all other protocols for email and file encryption.=20
Even the US military, previously committed to a different email=20
encryption protocol with an inflexible PKI, now seems to be showing a=20
renewed interest in embracing PGP.
The handwriting on the wall is clear, OpenPGP is now unstoppable.

Philip Zimmermann



pplf - French OpenPGP page    <pplf@wanadoo.fr>
"OpenPGP en francais"         PGP: 8263 8399 2074 5277 a6d3
http://www.openpgp.fr.st           622d 1b66 ea3d caa0 8c94