E-mail encryption guru focuses on PGP's future

The inventor of Pretty Good Privacy e-mail encryption last week left Network Associates, Inc. -- the company he joined after selling it the rights to PGP in 1997 -- to become chief cryptographer at a company planning to do battle with NAI.

Phil Zimmermann, who fought the U.S. Department of Justice in the early 1990s to help win freer use of e-mail encryption, says he is no longer confident that NAI will develop PGP the way he thinks best.

Rather, he sees the future of PGP at Hush, an Irish firm that later this year plans to release a version of its HushMail product based on the IETF's Open PGP standard.

NAI markets a commercial version of PGP, which comes bundled with antivirus, intrusion-detection and firewall capabilities, but also makes a freeware version available on its Web site. There are uncounted numbers of PGP freeware users around the world, and NAI provides a certificate server for users to store their PGP public keys for free. It now holds more than one million PGP certificates.

Zimmermann expressed concern that PGP's freeware future may be in doubt, pointing to the fact that NAI last month refused to publish the source code for the latest version, PGP 7.0.3, as it has done for all previous versions. Zimmermann, who had been a consultant at NAI, says PGP 7.0.3 contains no secret back doors -- at least to his knowledge -- but he adds that the open source process would help assure the masses on that score.

Sandra England, president of NAI's PGP Security business, counters that there will never be back doors in PGP. She says the company had not gotten around to posting the source code, though she offered no date when it might. England adds that NAI has no plans to discontinue PGP freeware or its free certificate storage.

"NAI has a different vision for PGP's future," says Zimmermann, who says he will safeguard PGP freeware at Hush.

For its part, the privately held Hush, which also has offices in the U.S., says it offers freeware, but has moved aggressively into the commercial market with a product called HushMail Private Label. The next version, expected around midyear, will be based on Open PGP. Zimmermann says his job will be to oversee HushMail Open PGP, and to ensure it works with NAI's PGP -- with which it also will compete.

According to Zimmermann, HushMail Open PGP will be quite different in that it will use technology that delivers an authenticated user's private key to a Web browser -- via a Java applet -- from a HushMail Open PGP server. This will enable end users to access encrypted mail from any desktop with a Java-enabled Web browser. By contrast, NAI's PGP requires users to store their private keys on their desktops, limiting end-user access while away from the office. Hush is also negotiating with a company called Veridis to store public-key certificates in the same way NAI does.

"The disadvantage with PGP is that you have to install encryption software on every computer," Zimmermann says. "With HushMail, you won't."

Though NAI and Hush will go head-to-head, England says it's possible that NAI would consider adopting Hush's applet approach.

But with NAI struggling financially of late, England acknowledges her division doesn't have the same level of funding it did a year ago to add new features to the PGP division's products, which include PGP, the CyberCop intrusion-detection product, and the Gauntlet firewall.

This story, "E-mail encryption guru focuses on PGP's future," was originally published by Network World.
