[Announce] GnuPG's 10th birthday
Hideki Saito
hidekis at gmail.com
Thu Dec 20 20:39:02 CET 2007
Hi Werner,
May I translate this into Japanese?
Cheers,
--
Hideki Saito
On Dec 20, 2007 1:55 AM, Werner Koch <wk at gnupg.org> wrote:
> A Short History of the GNU Privacy Guard
> ========================================
>
> It's been a decade now that the very first version of the GNU Privacy
> Guard [0] has been released. This very first version was not yet
> known under the name of GnuPG but dubbed "g10" as a reference on the
> German constitution article on freedom of telecommunication
> (Grundgesetz Artikel 10) and as a pun on the G-10 law which allows the
> secret services to bypass these constitutional guaranteed freedoms.
>
> Version 0.0.0 released on December 20th 1997 [1], was a barely working
> replacement of PGP avoiding all patented algorithm by using Elgamal
> and Blowfish instead of RSA and IDEA. It was prominently marked as a
> test version but nevertheless included most of the features of the
> current GnuPG. The data format however was not compatible with
> OpenPGP but oriented towards the PGP 2 format with a few extensions
> (e.g. to allow streaming of data). The OpenPGP working group was
> founded back in fall 1997 and I learned a bit to late about it to
> build "g10" according to the then existing draft. For copyright
> reasons it was practically not possible to reverse engineer the format
> used by PGP-5, so the establishment of the OpenPGP WG was the right
> thing at the right time.
>
> Before talking about GnuPG we need to go some more years back in
> history: To help political activists Phil Zimmermann published a
> software called Pretty Good Privacy (PGP) in 1991. PGP was designed
> as an easy to use encryption tool with no backdoors and disclosed
> source code. PGP was indeed intended to be cryptographically strong
> and not just pretty good; however it had a couple of inital bugs, most
> of all a home designed cipher algorithm. With the availability of the
> source code a community of hackers (Branko Lankester, Colin Plumb,
> Derek Atkins, Hal Finney, Peter Gutmann and others) helped him to fix
> these flaws and a get a solid version 2 out.
>
> Soon after that the trouble started. As in many counties the use or
> export of cryptographic devices and software was also strongly
> restricted in the USA. Only weak cryptography was generally allowed.
> PGP was much stronger and due to the Usenet and the availability of
> FTP servers and BBSs, PGP accidently leaked out of the country and
> soon Phil was sued for unlicensed munitions export. Those export
> control laws were not quite up to the age of software with the funny
> effect that exporting the software in printed form seemed not to be
> restricted. MIT Press thus published a book with the PGP source code
> which was then scanned outside the USA to form the base of PGP-2i ("i"
> for international). Since then that version was used widely.
>
> The criminal investigations against Phil ended in 1996 and he founded
> PGP Inc to write PGP-5. The first public release was done in spring
> 1997. The same year at the 39th IETF meeting at Munich in August Phil
> Zimmermann and Jon Callas asked the IETF to setup a working group to
> publish a standard for the protocol used by PGP-5 under the name
> OpenPGP. The main drive behind this was to allow widespread use of
> strong encryption even if at some point the new company would decide
> to stop selling and supporting PGP. As it turned out PGP Inc was
> acquired by Network Associates just a few months later and in 2002
> this company actually ceased support and development of PGP (though
> the PGP product was later continued by the new PGP Corporation).
>
> Also often claimed to be Free Software, PGP has never fulfilled the
> requirements for it: PGP-5 is straight proprietary software; the
> availability of the source code alonedoes not make it free. PGP-2 has
> certain restrictions on commercial use [2] and thus puts restrictions
> on the software which makes it also non-free. Another problem with
> PGP-2 is that it requires the use of the patented RSA and IDEA
> algorithms. The patent on RSA was only valid in the USA but the
> patent on IDEA was and is still valid [3] in most countries.
>
> Although the GNU project listed a requirement for a PGP replacement
> for some years on its task list, it was not possible to start
> implementing it as long as patents on all public key algorithms were
> valid. That changed when in April 1997 the basic patent on public key
> algorithms expired (the Diffie-Hellman US patent 4200770) and finally
> in August when the broader Hellman-Merkle patent (4218582) expired.
>
> A month later, at the Individual-Network Betriebstagung at Aachen [4],
> Richard Stallman continued his talk with a BoF session where he asked
> the European hackers to start implementing public key software. The
> arms trafficker laws of the USA prohibited the GNU project to write
> such software in their country or even by US citizens working abroad.
> Thus he told the European hackers that they are in the unique position
> to help the GNU with crypto software.
>
> Being tired of writing SMGL conversion software and without a current
> fun project, I soon found my self hacking on PGP-2 parsing code based
> on the description in RFC-1991 and the pgformat.txt file. As this
> turned out to be easy I continued and finally came up with code to
> decrypt and create PGP-2 data. After I told the GNU towers that I
> will take up the PGP replacement implementation I spent the rest of
> the year replacing IDEA by Blowfish, RSA by Elgamal, implementing
> streaming encryption, adding some key management and getting the code
> into a reasonable shape.
>
> There used to be a plan for a free version of Secure Shell called PSST
> (later known as LSH) with a somewhat populated mailing lists
> maintained by Martin Hamilton. Martin was the so kind to setup a
> mailing list for g10 too and announced it on that list. This way we
> got the first subscribers. Eventually I made the first tarball, put
> it up to ftp.guug.de, the FTP server of the German Unix User Group,
> and wrote an announcement [5].
>
> Right the next day Peter Gutmann offered to allow the use of his
> random number code for systems without a /dev/random. This eventually
> helped a lot to make GnuPG portable to many platforms. The next two
> months were filled with code updates and a lengthly discussion on the
> name; we finally settled for Anand Kumria's suggestion of GnuPG and
> made the first release under this name (gnupg-0.2.8) on Feb 24 [6].
> Just a few days later an experimental version with support for Windows
> was released. (That release also fixed an alignment problem on Alpha
> boxes which was detected due to kernel log files filling up the hard
> disk and an admin asking whether they really need to be backed up. ;-)
>
> In July 1998 the first more or less OpenPGP draft compliant version
> was released. Matthew Skala had contributed Twofish code done cleanly
> From scratch (Twofish was at that time a promising AES candidate and
> suggested by Schneier as a Blowfish replacement; however we had some
> copyright concerns with the reference code). Michael Roth contributed
> a Triple-DES implementation later the year and thus completed the
> required set of OpenPGP algorithms. Over the next year the usual
> problems were solved, features discussed, complaints noticed and
> support for gpg in various other software was introduced by their
> respective authors.
>
> Finally, on September 7, 1999 the current code was released as version
> 1.0.0 with the major update of including Mike Ashley's GNU Privacy
> Handbook [7]. A year later the RSA patent was to expire on September
> 20; the patent holder placed the patent into the public domain 3 weeks
> earlier and thus we could release 1.0.3 with RSA support already on
> September 18. One of the major obstacles on widespread use public
> cryptography had gone (far too late of course).
>
> Also in 1999 the German government decided that strong encryption will
> not be regulated in any way and that its use is recommended for
> everyone. To publicly support this statement the Ministry of
> Economics funded the porting of GnuPG and related software to
> Microsoft Windows [8]. The US government was not keen to see that and
> tried to urge the German government to revise the decision to allow
> unregulated distribution of crypto software [9]. That did not work
> out and to the end the USA had no other way than to weaken their own
> export rules.
>
> Although we still develop GnuPG using servers located in Europe the
> new US export controls eventually allowed US hackers to contribute to
> GnuPG development. In 2001 David Shaw joined the project and since
> then he is one of the most active GnuPG hackers and the co-maintainer.
>
> It's now a long time since GnuPG could be managed as a fun project and
> thus I now spend most of my professional life maintaining and extending
> GnuPG. In 2001 I founded g10 Code, a Free Software company for the
> development and support of GnuPG and related software. The most known
> project is probably GnuPG-2 which started under the name NewPG as part
> of the broader Aegypten project. The main goal of Aegypten was to
> provide support for S/MIME under GNU/Linux and integrate that cleanly
> with other mail clients, most notably KMail. Although having been
> actively used since 2004, we released 2.0.0 only one years ago.
>
> It was not that much fun writing X.509/CMS (commonly named S/MIME)
> software compared to the elegant and very interoperable OpenPGP
> protocol. Having mastered that we meanwhile achieved to provide a
> software which is really useful and works nicely with almost any other
> S/MIME implementation. It also turned out that we could port GnuPG-2
> to Windows - despite my original claim that a modern POSIX platform
> will be needed for GnuPG-2. This development also showed that it is
> viable to develop Free Software as a business.
>
> With the new tools and from a user's perspective S/MIME and OpenPGP
> will soon not make much of a difference anymore. However I had to
> smile when I today read a report on the last RSA Europe conference
> where a quick poll during a talk showed that OpenPGP is the mostly
> used encryption protocol.
>
> Recall that GnuPG is just one tool; there are numerous other tools out
> to solve related privacy problems. Kudos to all who worked on writing
> and deploying privacy tools over all these years!
>
>
> Happy Hacking,
>
> Werner
>
>
> [0] http://www/gnupg.org
> [1] ftp://ftp.gnupg.org/gcrypt/historic/g10-0.0.0.tar.gz
> [2] from pgpdoc2.txt: "Finally, if you want to turn PGP into a
> commercial product and make money selling it, then we must agree
> on a way for me to also make money on it. [...] Under no
> circumstances may PGP be distributed without the PGP
> documentation, including this PGP User's Guide."
> [3] "valid" is meant in the sense the patent holders use it and does
> not imply that I regard patents on software a valid concept. See
> http://www.fsfeurope.org/projects/swpat/background.en.html .
> [4] http://www.dascon.de/IN-BT97/programm.html
> [5] http://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014131.html
> There are just a few mails in December mainly discussing patent things.
> [6] http://lists.gnupg.org/pipermail/gnupg-devel/1998-February/014208.html
> [7] http://lists.gnupg.org/pipermail/gnupg-announce/1999q3/000037.html
> [8] http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html
> [9] http://www.heise.de/tp/r4/artikel/5/5124/1.html
>
>
> --
> Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
>
> _______________________________________________
> Gnupg-announce mailing list
> Gnupg-announce at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-announce
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
More information about the Gnupg-users
mailing list