Subject: PGP CREATOR, NAI SPLIT OVER OPEN SOURCE DIFFERENCES
From: Keith Bostic <bostic@sleepycat.com>
Date: Fri, 23 Feb 2001 12:54:20 -0500 (EST)

Information Security magazine's Security Wire 2/21/01

*PGP CREATOR, NAI SPLIT OVER OPEN SOURCE DIFFERENCES

Citing ideological differences over the future of Pretty Good Privacy
(PGP), the controversial creator of the cryptography application this week
left his job of nearly four years at Network Associates Inc. (NAI) to
pursue multiple other ventures.

PGP guru Philip Zimmermann says Network Associates's decision to withhold
the latest PGP source code from the open-source community runs contrary to
his software development philosophy. Rather than staying with the software
conglomerate, Zimmermann is assuming positions at Hush Communications and
Veridis, as well as launching the OpenPGP Consortium to facilitate
interoperability of different OpenPGP standards.

"I think that things [at NAI] are moving exclusively in the direction of
corporate communications," says Zimmermann, in a phone interview with
Security Wire Digest yesterday. "While I think that's a valuable thing to
do, I also want PGP to be protecting personal privacy."

NAI acquired PGP from Zimmermann in 1997, retaining him as a senior
fellow. His involvement in the development and management of PGP was
"minimal" from that point on, a company official says.

NAI regrets Zimmermann's sudden departure, saying he's been a positive
figure in the development of PGP and has a unique ability to generate
publicity for the security technology. However, company officials say
Zimmermann's and NAI's business philosophies and approaches have always
differed.

"Right up to the end, Phil was more concerned about the non-paying
freeware customers than the significant paying customers that keep PGP
alive and well," says Jeff Jones, vice president of marketing for NAI's
PGP Security Group.

Since creating PGP in the early 1990s, Zimmermann has actively solicited
the review and criticism of the application from the open-source
community. He believes this type of broad peer review is healthy for the
development of secure software and for ensuring new applications don't
contain any backdoors.

"Users of encryption software want to be reassured by the availability of
the source code, to examine all of it to make sure that compromises,
either intentionally or otherwise, haven't been put in," Zimmermann says.

Late last year, NAI decided not to publish the source code of PGP 7.0.3's
non-security modules, including its management tools and GUI interfaces.
However, Jones says the company will continue to publish the encryption
and security components. In addition, NAI will provide certain customers
with the opportunity to fully test PGP in controlled environments.

While PGP 7.0.3 has not gone through the rigors of an open-source review,
Zimmermann is confident that it's free of backdoors--at least the last
time he saw it.

"I have no reason to believe [NAI] would ever put any [backdoors] in, but,
for a lot of people, they want more than my assurance," he says.

Zimmermann's departure from NAI is not surprising to members of the
cryptography community, who say he was somewhat of an oddball in the
security company's rigid corporate culture. Many consider his move in
character for protecting the integrity of his creation.

The PGP creator is widely respected for his contributions to encryption
applications, but also has a checkered past. He has long been heralded as
a privacy advocate and "cyber-libertarian," and in the early 1990s ran
afoul of national security policy on applied cryptography.

At Hush Communications, an Ireland-based provider of the Hushmail
encrypted e-mail service, Zimmermann will assume the chief cryptographer's
position, helping to incorporate the OpenPGP standard in the company's
future products. For Veridis, a maker of file and data encryption
products, he will be working on OpenPGP applications for certificate
authorities.

"I think the emergence of more than one strong commercial implementation
of the OpenPGP standard is necessary for the long-term health of the PGP
movement, and will, incidentally, ultimately benefit NAI," Zimmermann
says.