Philip Zimmermann, the inventor of the widely used Pretty Good Privacy (PGP) encryption protocol, yesterday announced that he has left Network Associates Inc. because he and the company no longer agree about the future of PGP.
The world-renowned cryptographer, who in 1996 founded Pretty Good Privacy Inc. based on the PGP freeware encryption algorithm he invented, will take the post of chief cryptographer at Dublin, Ireland-based Hush Communications Inc.
Santa Clara, Calif.-based Network Associates acquired PGP Inc. in 1997. The acquired unit, now called PGP Security, has continued to release open versions of PGP source code but has also built enterprise applications around it.
“In the past three years, NAI has developed a different vision for PGP’s future, and it’s time for me to move on to other projects more fitting with my own objectives to protect personal privacy,” wrote Zimmermann, who has served as senior fellow at the company since 1997. “New senior management [at Network Associates] assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish.”
In an interview with Computerworld, Zimmermann said he thinks Network Associates will publish some source code but he just doesn’t know how much.
Sandra England, president of PGP Security, said nothing has changed. The company is committed to publishing the encryption algorithms and all portions of the source code related to encryption, she said.
“What we are not publishing is source code that has no value in the encryption world,” she said, such as the graphical user interface, management features, personal firewall code and intrusion detection system code related to Network Associates products. To do that would be the equivalent of “turning over the crown jewels of our product line,” said England.
This June marks the 10-year anniversary of the release of PGP to the public. PGP was originally designed to protect privacy and civil liberties. The issue of back doors – code inserted surreptitiously to allow third parties to read encrypted e-mail – and the question of corporate control over PGP’s future have been the subject of many heated political battles between users, software engineers and vendors.
Zimmermann this week assured PGP users that all versions of the protocol that he has worked on, including the current release, PGP 7.0.3, are free of back doors. “I can offer only my own assurances that this version of PGP was developed on my watch, and has no back doors,” he wrote.
England said, “You have my word that there will never be a back door in PGP.”
Zimmermann has played “a seminal role” in advancing public key cryptography and breaking the government’s attempted stranglehold on strong crypto, said John Pescatore, a security analyst at Stamford, Conn.-based Gartner Group Inc. But Pescatore downplayed the role that PGP has played in information security since Network Associates’ purchase of it in 1997.
“Network Associates really drained the life out of the PGP brand, trying to straddle the fence between PGP’s open-source roots and the desire to sell enterprise software to large companies,” said Pescatore.
Since PGP’s installed base consisted of mostly small groups of people content with exchanging keys in a high-maintenance “web of trust” model, there was “very little synergy between the two, and NAI failed both audiences,” said Pescatore. Zimmermann’s departure is symbolic of this failure, Pescatore said.
Philip Rosch, an analyst at Giga Information Group Inc. in Cambridge, Mass., said Zimmermann’s letter basically says that he and NAI “agreed to disagree.” It also represents that Zimmermann is “not ethically challenged,” said Rosch.
“My inclination is to take him at his word,” said Rosch. “I’d also hazard a guess that his passion bodes well for OpenPGP. I can’t say the same for the NAI product.”
In his new role as chief cryptographer at Hush, Zimmermann will assist the developers of HushMail, a free, Web-based encrypted e-mail service, to integrate the OpenPGP standard in the company’s future products.
OpenPGP is the open-standards version of NAI’s PGP encryption protocol. It is recognized by the Internet Engineering Task Force (IETF), and any company can freely integrate OpenPGP into its products.
Zimmermann will also work with another security vendor, Veridis, a recent spin-off of Highware Inc., to create other OpenPGP compliant products, including software for certificate authorities for the OpenPGP community.
He also announced plans to launch the OpenPGP Consortium, to facilitate interoperability of different vendors’ implementations of the OpenPGP standard, as well as to help guide future directions of the OpenPGP standard.