RealTime IT News

PGP Lifts Its Hood

Looking to generate interest in its new PGP 8.0 privacy product line, PGP Corp. has released to the developer community the source code for one of the most common ways to protect messages on the Internet, a move that reverses a policy of previous owner Network Associates.

The Palo Alto, Calif.-based start-up officially lifted the wraps off the Pretty Good Privacy (PGP) encryption software suite, which includes PGP 8.0 for enterprise, desktop and personal clients. But the big move that's making waves in the developer community was the decision to roll out a new freeware version and the PGP 8.0 source code for peer review.

Chief Technical Officer Jon Callas told internetnews.com that the decision to lift the hood off the latest iteration of the PGP technology was made to demonstrate that the software "is exactly what people think it is."

"We want people to look at the code and see for themselves that there are no horrible bugs or intentional things put in there. It's another way of proving that this technology is the very best," Callas added.

When Network Associates acquired the PGP encryption technique from creator Phil Zimmermann back in 1997, it decided against publishing the source code, a move that rankled many in the developer community.

Although the technology was never 'open-source,' the code was always published for peer review to ensure transparency and guard against back doors. This allowed users to modify the code and run it on their own PCs, but users were blocked from distributing modified versions.

Now, PGP, which bought the PGP suite from Network Associates in August, has decided to embrace the developer community again. However, there are limits to what can be done with the PGP 8.0 code, which covers PGP Personal, PGP Desktop, PGP Enterprise, and PGP SDK.

"Our intent with this release is to allow interested individuals to review the source code for correctness and to verify that our compiled binary software produces the same cipher text as the software compiled from source code does," the company said.

"Our intent with this release is not to make the source code available to others for reuse or to provide information about implementation details so that it may be reproduced in other software," PGP added.

It warned against mirroring or redistributing the code, insisting its own home page was the only PGP-sanctioned source for the PGP Source Code.

The company's CTO dismissed the notion the PGP line was unprofitable in the face of free alternatives like GnuPG, which does not use the patented algorithm and can be used without restrictions.

"PGP has always been profitable, even for Network Associates," Callas insisted. "They sold it because they were exiting that side of the business and it wasn't a big part of what they do but it was very profitable," he said.

"If things keep going the way they are right now, we'll be profitable this quarter," Callas added.

Callas said the availability of free, fully open-source alternatives did not threaten his company's ability to sell its software suite. "What we do is much more usable than the free alternatives. What we do is known to be good. Plus, we have many of the advantages that people get from free software in that the code is available for people to see what's inside it," Callas said.

"A lot of what the open-source community really wants is the right to look under the hood. And that's the trust issue we're providing."

PGP is based on the public-key method, which uses a pair of keys: a public key that you distribute to anyone from whom you want to receive messages, and a private key that only you hold and use to decrypt the messages you receive.