Looking to generate interest in its new PGP 8.0 privacy product line,
PGP Corp. has released source code for one of the most common ways to protect messages on the Internet to the developer community, a move that reverses a policy of previous owner Network Associates .
The Palo-Alto, Calif.-based start-up officially lifted the wraps off the Pretty Good Privacy (PGP)
enterprise, desktop and personal clients. But the big move that’s making
waves in the developer community was the decision to roll out a new freeware
version and the PGP 8.0 source code for peer review.
Chief Technical Officer Jon Callas told internetnews.com the decision
to lift the hood off the latest iteration of the PGP technology was done to
demonstrate that the software “is exactly what people think it is.”
“We want people to look at the code and see for themselves that there are no
horrible bugs or intentional things put in there. It’s another way of
proving that this technology is the very best,” Callas added.
When Network Associates acquired the PGP encryption technique from creator
Phil Zimmermann back in 1997, it decided against publishing the source code,
a move that rankled many in the developer community.
Although the technology was never ‘open-source,’ the code was always
published for peer review to ensure transparency and guard against back door
holes. This basically allowed users to modify the code and run it on their
own PCs but users were blocked from distributing modified versions.
Now, PGP, which bought the
PGP suite from Network Associates in August, has decided to embrace the
developer community again. However, there are limits to what can be done with the
PGP 8.0 code, which covers PGP Personal, PGP Desktop, PGP Enterprise, and
PGP SDK.
“Our intent with this release is to allow interested individuals to review
the source code for correctness and to verify that our compiled binary
software produces the same cipher text as the software compiled from source
code does,” the company said.
“Our intent with this release is not to make the source code available to
others for reuse or to provide information about implementation details so
that it may be reproduced in other software,” PGP added.
It warned against mirroring or redistributing the code, insisting its own home page was the only PGP-sanctioned source for
the PGP Source Code.
The company’s CTO dismissed the notion the PGP line was unprofitable in the
face of free alternatives like GnuPG,
which does not use the patented algorithm and can be used without
restrictions.
“PGP has always been profitable, even for Network Associates,” Callas
insisted. “They sold it because they were exiting that side of the business
and it wasn’t a big part of what they do but it was very profitable,” he
said.
“If things keep going the way they are right now, we’ll be profitable this
quarter,” Callas added.
Callas said the availability of free, fully open-source alternatives was not an
issue to his company’s ability to hawk its software suite. “What we do is
much more useable than the free alternatives. What we do is known to be
good. Plus, we have many of the advantages that people get from free
software in that the code is available for people to see what’s inside it,”
Callas said.
“A lot of what the open-source community really want the right to look under
the hood. And that’s the trust issue we’re providing.”
PGP is based on the public-key method, which uses two keys — one is a
public key that you disseminate to anyone from whom you want to receive a
message. The other is a private key that you use to decrypt messages that
you receive.