From PGP to OpenPGP...
Foreword by Philip R. Zimmermann
PGP, the most popular email encryption product in the world, has come a long way since 1991 when I first released it. The PGP® product itself has been improved and rewritten many times by teams of engineers over the years, and indeed even the teams of engineers have had a significant amount of personnel turnover. This raises a question, what exactly is PGP? Which is the 'true' version? Was it the classic 1994 PGP version 2.6.2 command line product, which some diehard PGP users still cling to? Or is it the current PGP 8.0 GUI product from PGP Corp, which has almost no code in common with my old PGP 2.6.2? If these products are both regarded as PGP, then why not consider other code bases that implement the OpenPGP standard? The obvious answer is trademark. PGP is a trademark of PGP Corporation. More on that later.
Let's go back to 1995, when I was still under criminal investigation by the US Justice Department for export control violations by letting PGP become exported from the US. At that time, I was approached by Olivier Merenne, who owned a software company in Brussels, who specialized in security and system software applications. Olivier wanted to sell PGP in Europe, but knew that the original code base I developed would always have a cloud hanging over it due to the taint of alleged violations of US export controls. He wanted to solve this problem by developing in Belgium a new code base to re-implement PGP from scratch. Then he could sell it in Europe with no legal problems. That was OK with me. Olivier proceeded with development, and was ready a year later to demo the new product to me. But in that same year, I won my fight with the US government, they dropped the case, and I started a new company called PGP Inc in the US.
In the intervening years I have come to know Olivier and his engineering team (headed by Laurent Debonte and Sebastien Lemmens), and have developed respect for their code base that implements the OpenPGP standard. I joined their board of directors. I have worked with them, participating in engineering design sessions, reviewed critical parts of the code in their crypto library SDK, and I regard it as a good implementation of the OpenPGP standard.
After a couple of years, my company ran out of money and I had to sell it to Network Associates (NAI), who never really understood PGP. In late 2000, NAI broke with PGP tradition and stopped publishing their source code. In February 2002, NAI pulled the plug on PGP, fired all the employees (I got out a year earlier), and tried to find a buyer of the assets.
A new startup, PGP Corporation, bought the rights to the PGP products and trademark from NAI. But NAI held on to one version of PGP, the version that lacked a graphical user interface, the command line version. It was called PGP E-Business Server. After selling the PGP trademark to PGP Corporation, NAI called it the McAfee E-Business Server. This product is used by web commerce sites to encrypt credit card numbers and the like, or for moving bulk files around between corporate servers via FTP transfers. It had to be the non-GUI version, because it had to run in shell scripts without human intervention. The reason why NAI retained control of this product was because it was a cash cow for them.
However, many PGP users were alienated by stratospheric pricing policies and lack of a low cost version for the non-server interactive users. Something had to be done, to relieve the pressure on the PGP community that depends on a command line product. We needed a licensing scheme that would address both the corporate server market as well as the interactive workstation user.
PGP Corporation couldn't do anything, because they have an agreement with NAI that precludes them from competing with NAI by producing or selling a command line version of PGP. Fortunately, no other player in the OpenPGP community suffers from such a handicap. Including me. And Olivier's team, with their completely independent code base.
So I'm introducing my own modest alternative to the old PGP command line product, and I'm basing it on the code developed by my friends in Belgium. I can't call it PGP because I don't own that trademark. I wracked my brain to come up with another name as inspired as Pretty Good Privacy, but just couldn't. So we had to make do with the perfectly serviceable name of FileCrypt®. I think that at a technical level it's just as much like PGP as the current NAI E-Business Server product, and is as compatible with the OpenPGP standard as PGP. And keeping with the true PGP tradition, the source code will be available for peer review.
We are offering an inexpensive version of FileCrypt for interactive users who simply prefer a command line product, and another version priced for corporate servers that run it non-interactively. If you want a nice GUI version of PGP, I suggest you get PGP Corporation's product, PGP. You can get it from me on my web site at www.philzimmermann.com/sales.shtml.
Why should the business community opt for the OpenPGP standard? For years this standard dominated the world of email encryption. But during the last year of NAI's stewardship of PGP, the user community held back, deferring deployment decisions to see what would happen with PGP, creating a backlog of pent-up demand. Now, since PGP's rescue, OpenPGP has surged ahead of all other protocols for email and file encryption. Even the US military, previously committed to a different email encryption protocol with an inflexible PKI, now seems to be showing a renewed interest in embracing PGP. The handwriting on the wall is clear, OpenPGP is now unstoppable.
Philip Zimmermann (Source: http://www.veridis.com/openpgp/en/index.asp)