SCN: GnuPG

Steve steve at advocate.net
Sat Mar 30 13:25:30 PST 2002


x-no-archive: yes

====================


(Bill Lamb, Salon)---When Network Associates halted development 
of its widely respected PGP (Pretty Good Privacy) desktop 
encryption software in late February, Julian Koh worried about his 
"postcards."  

Koh considers everything that passes across the Internet -- e-mail, 
mailing list postings, Web pages -- as no more private than 
postcards that can be read by anyone along their path. That 
realization long ago inspired an epiphany for the Northwestern 
University network engineer: "I was really amazed at the ease with 
which my network traffic could be intercepted and examined, even 
with no malicious intent whatsoever."  

It wasn't a question of Koh having secrets. There are just some 
things that are no one else's business. So for the past five years, 
both at work and at home, he has used PGP to routinely encrypt 
potentially sensitive communication, turning ordinary data into bits 
and bytes of meaningless gibberish readable only by those with 
the proper digital key.  

"Typically, I digitally sign most of my outgoing messages, and 
several people and organizations with whom I correspond regularly 
also require encryption of messages," he says.  

But online security, just like everything else, is subject to the ebb 
and flow of capitalism -- and the relentless releases of new 
software products with which one must be compatible. Updated 
operating systems from Microsoft and Apple require updated 
versions of PGP, but Network Associates is currently not making 
the necessary improvements. Koh and tens of thousands of other 
PGP users have been forced to seek alternatives.  

Increasingly, they're finding haven in a small corner of the 
open-source software world, bringing both opportunity and new 
users to an oddly named and heretofore little-known programming 
effort fueled by volunteers: GnuPG.  

The synergies of the relationship are obvious: open-source 
software and cryptography are two sublimely geeky obsessions 
that go well together. But the story of how GnuPG is coming to the 
cryptogeek rescue also illuminates some of the limitations of 
open-source, or free software. Even a relatively slick consumer 
product like PGP has been deemed too technically challenging by 
many normal computer users -- despite widespread anxieties about 
privacy on the part of the general Internet-using population. And 
making a software program easy to use is exactly the challenge 
that open-source software has historically been weakest at 
meeting.  

When programmer Phil Zimmermann dubbed his pet encryption 
software "Pretty Good Privacy" it was a master stroke of subtle 
understatement. PGP's mathematical heart is so complex that it 
defies any meaningful lay description. The result of using it, 
however, is easily grasped: data so jumbled that, according to its 
developers and some cryptography experts, our sun would burn 
out before all computers now in existence, working together, would 
have time to find the correct key for a single message. New 
advances in computing could ultimately change that, but for the 
moment, PGP is more than just pretty good.  

PGP is an implementation of public key cryptography in which the 
"keys" that lock and unlock the meaning of a message are 
produced in pairs, public and private. The public key is just that, 
and is distributed to anyone who might wish to send the user an 
encrypted message. The private key is kept by the user for 
decrypting messages, turning them back into readable form. 
Cryptographer and security specialist Bruce Schneier, in his book 
"Applied Cryptography," called the public key system "the most 
striking development in the history of cryptography."  

Software engineer and privacy activist Zimmermann put the system 
to practical use in 1991, creating the first crude version of PGP 
and releasing it as freeware. "PGP empowers people to take their 
privacy into their own hands," Zimmermann wrote in the original 
program's user guide. "There has been a growing social need for 
it. That's why I wrote it."  

PGP spread worldwide on the Internet, and Zimmermann faced a 
three-year federal investigation for violating then-strict regulations 
regarding the export of cryptographic software. When the 
government case was dropped in 1996, Zimmermann formed PGP 
Inc., and the modern age of consumer desktop encryption was 
born. PGP Inc. became a part of Network Associates in 1997.  

Like the system itself, PGP is both public and private. While 
Network Associates' source code is proprietary and no longer 
released to the general public, PGP, as a concept, lives in the 
open through the OpenPGP movement, a set of design 
specifications intended to make all forms of PGP-like public key 
systems interoperable.  

Enter GNU (pronounced "guh-NEW") Privacy Guard, also called 
GnuPG.  

GNU (a "recursive acronym" meaning "GNU's Not Unix") was 
launched in 1984 to develop and maintain a free and open-source 
"Unix-like" operating system. The GnuPG project is an OpenPGP 
offshoot managed by the German Unix Users Group and begun in 
response to U.S. export restrictions.  

In a move seen as a rebuff of American pressure to tighten its 
restrictions on cryptographic technologies, the German 
government awarded the fledgling software effort a $177,000 grant 
in 1999. "In Germany, we are really free to do anything now," 
Werner Koch, head of the GnuPG movement, said of the German 
funding.  

Now, just two years later, Koch and his GnuPG team have a 
robust application available for multiple platforms -- and a new pool 
of potential users with which to grow.  

"I expected something like this," Koch said of PGP's demise. "They 
(Network Associates) have moved away from an encryption tool to 
a 'do everything security solution with the name PGP.' But it might 
have turned out that the name PGP didn't help that much in 
marketing."  

GnuPG's marketing amounts to little more than word-of-mouth and 
Web sites. But those appear adequate. Discussion of GnuPG 
slipped onto the scene in PGP-related newsgroups and e-mail lists 
with surprising stealth. No announcements, no fanfare. It was just 
there one day, being recommended to an increasing number of 
inquisitive Windows and Macintosh users as a possible 
replacement for PGP.  

Koch, who oversees GnuPG development from Germany, said the 
number of visitors to the GnuPG site each week has almost 
doubled since Jan. 6, rising from 11,249 to 20,689. While 
download numbers are difficult to measure since approximately 30 
sites mirror the GnuPG files, Koch said GnuPG's main server is 
registering approximately 2,000 downloads per week for the 
application's Windows version and about the same for the Unix 
version. That's up from approximately 1,700 each earlier this year, 
he said.  

Downloads of the relatively new GnuPG version designed for 
Apple's new operating system, Mac OS X, have also jumped 
sharply, and new user interface tools for OS X have been 
introduced within the past month -- and updated since then.  

"I don't really have time for a full quantitative analysis, but I think 
that interest is about three times what it was," said Gordon Worley, 
a 19-year-old Orlando, Fla., computer science student who 
oversees the Mac OS X version of GnuPG. "A lot of work is getting 
done in the MacGPG project because users of PGP are realizing 
that they have to find a solution when migrating to OS X."  

Zimmermann, now a consultant who remains active in the 
OpenPGP movement, indicated the Network Associates 
experience should be an example to privacy advocates.  

"... It is dangerous to put all your eggs in one basket, and we can 
clearly see now how bad it can be to allow PGP to be buried by a 
company that owns it exclusively," he said. "We are all fortunate 
that GPG was developed."  

After Network Associates purchased PGP, commercial releases 
began to include services not required by the average user -- 
virtual private networking, software firewall protection, key sharing 
and even a third-party corporate key recovery system. GnuPG, on 
the other hand, concentrates on the basics of digital signatures, 
e-mail and file encryption, and key management.  

And that's all that is required to protect Koh's postcards: "My 
prediction is that I will eventually end up with GnuPG installed on 
my machine."  

But what about the rest of the world?  

The open-source software movement, long the domain of highly 
talented and motivated programmers working toward a 
socio-technical ideal and for love of the craft, now is confronting 
the different expectations of a PGP consumer base unwilling to 
surrender ease of use.  

Network Associates, building on Zimmermann's work after 
purchasing his company, made significant strides in hiding the 
arcane and promoting the simple. Both Windows and Mac users 
finally could point-and-click their way to a more secure desktop 
and communications environment. At least a rudimentary 
understanding of the nature of public and private keys, and how to 
use them, was still required, but a comprehensive guide 
accompanying the software put the issues in as plain terms as 
possible.  

"Ease of use is critical," said Zimmermann. "E-mail encryption is 
used by only a small segment of the population of e-mail users 
largely because of ease-of-use issues."  

The GnuPG project isn't yet that advanced when it comes to the 
user experience, Koch concedes.  

GnuPG is the engine that drives the encryption system: encrypting, 
decrypting, signing and verifying, and creating and managing 
public and private keys. Yet it relies on command-line entries. 
Installation requires some minimal direct input of text commands. 
Graphical interfaces are available, but they are separate, not part 
of the basic GnuPG package.  
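The command-line workflow the article refers to, as an added example that is not part of the Salon piece or of GnuPG's own documentation: it generates a throwaway key pair, signs and verifies a message, shows that a tampered message fails verification, and encrypts and decrypts a file. It assumes a GnuPG 2.1 or later `gpg` binary on the PATH; the identity, message text and passphrase-less key are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): GnuPG's core operations against a
# scratch keyring, so the real ~/.gnupg is never touched.
# Assumes gpg (GnuPG 2.1+) is installed; identity and message are constructed.
set -eu

# Generate a key, sign + verify, detect tampering, encrypt + decrypt.
# Returns 0 when every step behaves as expected, 1 otherwise.
gnupg_roundtrip() {
    home=$(mktemp -d)
    export GNUPGHOME="$home"
    trap 'rm -rf "$home"' EXIT

    uid="Test User <test@example.invalid>"   # constructed identity
    # Unattended key generation; the empty passphrase is for the demo only.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never

    printf '%s\n' "Meeting notes: routine, but nobody else's business." \
        > "$home/msg.txt"

    # Digital signature: a detached signature travels beside the message.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$uid" --detach-sign --output "$home/msg.sig" "$home/msg.txt"
    gpg --batch --quiet --verify "$home/msg.sig" "$home/msg.txt" 2>/dev/null \
        || return 1

    # Integrity check: a single appended byte must make verification fail.
    printf 'x' >> "$home/msg.txt"
    if gpg --batch --quiet --verify "$home/msg.sig" "$home/msg.txt" 2>/dev/null; then
        return 1
    fi

    # Encrypt to the recipient's public key, then decrypt with the private key.
    gpg --batch --quiet --trust-model always --recipient "$uid" \
        --encrypt --output "$home/msg.gpg" "$home/msg.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt --output "$home/msg.dec" "$home/msg.gpg" 2>/dev/null
    cmp -s "$home/msg.txt" "$home/msg.dec"
}
```

In real use the key would carry a passphrase and the recipient's public key would be imported with `gpg --import` rather than generated locally; the `--trust-model always` switch only sidesteps the web-of-trust prompt for this self-contained run.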

Even Mac OS X users will find that installation of the basic 
MacGPG package requires inputting text commands. And Worley, 
the Mac team's leader, is very aware that Mac users are 
accustomed to more polish. "We have preliminary versions of most 
of the software that the average PGP user will need on OS X, but 
more work is needed. Our software does not fulfill the expectations 
of the Mac experience yet."  

Open-source can also mean "closed climate," with developers 
working only to meet their own desires and those of a relatively 
small and stable base of users and fans. The strength of the 
movement -- distributed development by volunteer programmers 
worldwide -- isn't geared toward the sudden appearance of 
clamoring consumers with questions, complaints and wish lists in 
hand.  

Eric S. Raymond, president and co-founder of the Open Source 
Initiative, says the system will adjust.  

"In fact, I think this kind of bombardment is a good thing. I think it is 
exactly what open-source developers need to get a clue about the 
way actual end-users think."  

The commercial adage that the customer is always right still rules, 
he said.  

"Much of the open-source community is still weak at end-user UI. 
Most hackers have not yet assimilated the knowledge or the 
attitude necessary to serve end-users like these. This will change, 
but it won't change overnight."  

Despite its surge in user popularity, GnuPG may not remain the 
long-term sole source for new PGP applications. Network 
Associates' new code is locked away, but the company still hopes 
to sell it. And the OpenPGP standard means that anyone with the 
will or the money -- or both -- can create and market a new 
product. Privacy advocates say that's precisely the point.  

"The general public seems very unaware and unconcerned with 
basic issues of privacy and how their use of the Internet 
contributes to major loss of privacy," said Tom McCune, a PGP 
user from Holland Patent, N.Y., who maintains a popular Web site 
dedicated to PGP issues. "For those with some level of 
awareness, there is a basic attitude of just not wanting to be 
bothered with doing something about it, and this is tremendously 
complicated by general lack of technical skill."  

Advocates believe open development by several companies, 
private organizations and individual programmers will lead to even 
more improvements, wider use and, ultimately, greater protection 
of personal privacy.  


Copyright 2002 Salon.com
