E-mail security gets a boost
Pretty Good Privacy, the de facto standard for secure e-mail, got a boost on Tuesday, when 11 organizations launched the OpenPGP Alliance, a group that will allow software creators to test their products with others' wares.
"These companies didn't know about each other developing OpenPGP products," said Phil Zimmerman, founder of the OpenPGP Alliance and creator of the original Pretty Good Privacy program, which was released almost 10 years ago. "By putting them together in the same alliance and having them talk to each other, we can make sure that different secure e-mail systems work together."
OpenPGP, an Internet standard for encryption, uses a "public" key specific to a certain recipient to scramble a message. When the message arrives at the recipient, the reader uses a "private" key--which is mathematically linked to the public key--to unscramble the text.
The encryption system has withstood the test of time, though OpenPGP's standard had a minor setback earlier this year, when two Czech researchers found a flaw in the specification that could expose people's private keys. The flaw has since been fixed.
Although 11 companies and organizations have signed on, one key company--Network Associates, the owner of the PGP trademark--has not joined the alliance.
Network Associates did not immediately respond to a request for comment, but Zimmermann believes the company simply didn't have time to decide whether to support the alliance and may join down the road.
"They are welcome to join," he said. "I only had about a week to wait for response, and they didn't get it in time."
Zimmermann left Network Associates in February after he and company management disagreed over the future of PGP. Although Zimmerman created Pretty Good Privacy, the Santa Clara, Calif., company owns the trademark to PGP and the copyright on the source code.
Other members include secure-communications software company SSH, e-mail software maker Qualcomm, privacy technology company Zero Knowledge Systems and open-source software project Gnu Privacy Guard.
"I think that PGP is an institution that is too important to leave in the hands of any one company," he said. "This OpenPGP alliance is something I should have done years ago. But now I am trying to Johnny Appleseed the protocol."
The alliance--and better interoperability--could give PGP a much needed boost among computer users, he added. Though PGP is used widely among people who encrypt their e-mail, the vast majority of computer users don't use encryption at all.
"If you draw a pie chart of e-mail, you find only a small wedge is encrypted," Zimmermann acknowledged. "But of that wedge, it's all PGP."