Last week, when I wrote the blog "Does Phil Zimmermann need a clue on VoIP", Zimmermann offered this passionate response. In it, Zimmermann discounts the success of Skype, slams PKI while praising PGP, and then distances himself from the VoIP product he used for his Black Hat demonstration. Not only did Zimmermann discount Skype's success in deploying cryptography, he also launched a blistering attack on PKI technology in general. To keep this debate within the scope of the original topic, I'm going to write a separate response in defense of PKI and stick here to the topic of Skype versus Zimmermann.
Zimmermann started off his rebuttal by discounting the success of Skype by saying:
The reason why they (Skype) can make a PKI work so seamlessly is because they have a proprietary closed system, where they control everything: the servers, the clients, the service provider (namely, Skype), the protocol, everything. If I had that luxury, I could make a PKI work too.
It struck me that Zimmermann was actually acknowledging Skype's success in creating a seamless and massive implementation of PKI for the purpose of building a secure VoIP solution, yet he was discounting Skype as a legitimate PKI solution. It's almost as if Zimmermann is arguing that Skype had some kind of unfair advantage, or "luxury" as he put it, that wasn't available to him. My question to Zimmermann is: what "luxury" would that be? A little over a year ago no one had ever heard the word Skype, while Phil Zimmermann and PGP had been almost universally known in the computing world for more than a decade. I somehow doubt that a Phil Zimmermann, with his name recognition, would ever have a problem acquiring venture capital.
Skype in one year introduced more people to the world of cryptography than all other cryptography implementations (including Zimmermann's own PGP) in the last decade combined -- and it did so using PKI. The only difference was that Skype wrote user-friendly software that seamlessly registered digital certificates with Skype's own PKI Certificate Authorities. If Skype could build such an exquisite and seamless cryptography implementation, defying the conventional wisdom that PKI-based cryptography was fundamentally too difficult for the average Joe to ever grasp, is it to be discounted, or is there a lesson to be learned? Is it really fair to discount Skype as a legitimate PKI cryptography solution, or is it just sour grapes? Ironically, Zimmermann's complaints about Skype's success almost mirror what the traditional SIP-based VoIP companies were saying about Skype.
After his blistering attack on PKI-based solutions, Zimmermann wrapped up by distancing himself from the VoIP telephony software he used in the Black Hat demonstration, explaining that it wasn't his software to begin with and that he didn't plan to use it for his final implementation. Zimmermann promised to use a proven VoIP product that bypasses all the NAT and firewall traversal issues. Ironically, the only product on the market right now that matches this description is Skype, which already has a massively successful PKI-based cryptography implementation. Zimmermann argued that his VoIP demonstration using an open source VoIP client with inadequate VoIP features wasn't a fair way to judge his cryptography scheme, but I never correlated the deficiency in NAT and firewall traversal with the failure of existing PGP-based solutions to gain any mass-market penetration.
As much as I respect Phil Zimmermann the legend, I have to realistically evaluate the relevance of any secure VoIP solution in a post-Skype world. Skype has set a new standard by proving not only that VoIP can be easy to use, but also that it is possible to painlessly deploy cryptography using PKI. Traditional VoIP vendors and traditional cryptography vendors can scream all they like about Skype's methodology in achieving such massive success, but it doesn't change the market dynamics one bit. Mr. Zimmermann's response is always welcome, and you can post your comments here and let us know what your thoughts are on the whole debate.