-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Watch the word wrap:
http://developer.earthweb.com/earthweb/cda/dlink.resource-jhtml.72.1081.
|repository||softwaredev|content|article|2000|10|03|SDLairdZim|SDLairdZ
im~xml.0.jhtml?cda=true
(PGP Signature applied with appreciation to PRZ)
Meet Phil Zimmermann, creator of the Pretty Good Privacy (PGP)
encryption suite and one of the world's best-known cryptographers.
Published October 04, 2000
By Cameron Laird
Page 1 of 2 1 2
Programmers can be celebrities too. Just ask Philip (Phil) Zimmermann.
He's spent most of the last decade as a folk hero, and admits to
having enjoyed that status. Just this summer, he suffered the flip
side of fame as wildly inflated rumors circulated about his role in
compromising the security of the PGP encryption suite, and he watched
his e-mail inbox fill with venom.
A Human Rights Project
He recognizes it comes with the territory. Zimmermann is probably the
world's best-known cryptographer. He created the Pretty Good Privacy
(PGP) encryption suite in 1991. Since then, it has come to dominate
the market for programming protection of online confidentiality. PGP
has been heralded for its role in protecting numerous political
dissidents around the world, and earned Zimmermann the prestigious
Norbert Wiener Award for responsible use of technology in 1996, as
well as the 1995 Chrysler Award for Innovation in Design, and a 1998
Lifetime Achievement Award from Secure Computing Magazine, along with
at least a dozen other distinctions. It also brought him into highly
public patent disputes with RSA Data Security Inc., and a nightmarish
multi-year criminal investigation by the United States government.
It began as a human rights campaign. As the '90s opened, Zimmermann
was an experienced programmer -- and a pretty good one by all
accounts, including his own -- specializing in data security and
communications and real-time embedded systems. Electronic
communications technologies were becoming widely available, and
politically significant: combinations of underground radio, video
tapes, satellite news updates, and e-mail are generally acknowledged
to have been indispensable in the popular overthrow of Iran's Shah,
Eastern Europe's Bolsheviks, and several dictatorships throughout the
third world.
Technical challenges remained. How, for example, could human rights
monitors communicate their on-site findings without risking
recrimination or distortion? How might any citizen communicate freely
and fearlessly over channels subject to tapping?
One technical solution was encryption: "scrambling" a message so it
was unreadable except to the sender and intended receiver. Zimmermann
had worked on commercial encryption systems during the '80s, and he
envisioned that it could be applied more widely. He developed PGP as
an "add-on" that any e-mail user could install to ensure
confidentiality.
A Response to Legislation
And it worked. It also became controversial, which brought more
attention, and encouraged even more users to experiment with it.
Nowadays it's become part of the popular culture of computing. It has
been so widely disseminated that even many industry participants who
rely on it know nothing about Zimmermann, and assume it was first
created for the commercial applications -- retail sales, banking, and
so on-in which it is used today.
Zimmermann, however, emphasizes that for him it remains a human-rights
project.
PGP was born in controversy. Zimmermann wrote version 1.0 as a
response to United States Senate Bill 266. If it had been passed, this
legislation would have required all communications vendors to embed
"back doors" to permit government agencies to tap their products. He
rushed a release of 1.0 into the hands of his computing friends, at
least one of whom began to distribute it on bulletin boards throughout
North America. Its circulation meant that any criminality resulting
from passage of the bill would have been difficult to enforce.
Code-sharing didn't stop at national borders, though, and there was
nothing hypothetical about it: export of PGP outside the U.S. (with
possible exceptions involving Canada) was definitely illegal. Everyone
involved agreed that the Office of Defense Trade Control's enforcement
of the International Traffic in Arms Regulations (ITAR) extended to
cryptographic software.
Whom to Prosecute?
Whom could the US Department of Justice indict, though? Zimmermann
just programmed and talked; he was careful not to engage in any
"munitions exports" himself.
Despite these precautions, criminal charges were brought against him.
The programming and civil rights communities joined to create a legal
defense fund. After three years of what Zimmermann calmly categorizes
as "persecution," prosecutors dropped the case in early 1996 with as
little comment as they had earlier justified it.
Controversy didn't end there. Even before the criminal indictment, RSA
notified Zimmermann that it considered PGP an infringement of its
patents. Zimmermann had been careful to engage only in "educational
use" of applicable documents and inventions. He consistently
emphasized in his presentations that users were responsible for
securing applicable licenses.
The RSA battle ended as undramatically as the ITAR one had. Zimmermann
and Public Key Partners (PKP), an RSA affiliate, signed an agreement
that Zimmermann would continue not to distribute RSA inventions and
PKP would not sue Zimmermann. RSA threatened Zimmermann and the
Massachusetts Institute of Technology (MIT) for various alleged
infringements. Zimmermann programmed around legal problems, and MIT
shielded him from others in pursuit of its own intellectual rights.
While the publicity around these disputes served as valuable marketing
for PGP, it also made it hard to move on. Hecklers continue to
believe, for example, that Zimmermann had secretly acquiesced to
government demands and somehow weakened PGP. Although it's hard to
prove covert arrangements do not exist, it's equally difficult to
imagine how Zimmermann might contaminate source code available for
public review, which PGP was.
PGP Inc.
With the disposal of the government case, Zimmermann founded PGP Inc.
in 1996 to finance maintenance and enhancement of PGP. Late the next
year, he sold the company to Network Associates (NAI), while agreeing
to stay on as senior fellow.
The programming fraternity continues to honor Zimmermann in its
characteristic ways: T-shirts are silk-screened with him as subject,
he speaks regularly at conferences and in the classroom, and people
who haven't met him often speculate on Usenet and other public forums
about his motives and interests. He is often addressed with the
reverence accorded an accomplished software engineer martyred for
resistance to governmental invasions of privacy.
PGP's Present and Future
So where are PGP and Zimmermann in the year 2000? He still has a full
schedule. Between his assignments with NAI and independent consulting,
he sometimes fails to make adequate time for sleep, let alone pack
carefully for his many professional travels. He does little coding
these days. However, he sees his contribution as critical, believing
that "encryption software architectural decisions must be made by
knowledgeable cryptographers, not software engineers." He has very
firm opinions, for example, about Gnu Privacy Guard (GnuPG), an open
source competitor to PGP. There's no doubt in Zimmermann's mind that
GnuPG suffers for being managed by programmers. He offers the Blowfish
encryption method as an example: "I would never, ever allow Blowfish
to be implemented in PGP, because it's not as good a design as
Twofish; Twofish is superior. PGP 7 implements Two fish. Yet we see
GnuPG implemented Blowfish."
Even the Internet Engineering Task Force (IETF) makes cryptographic
mistakes, he says. Zimmermann asserts, "I would never allow El-Gamal
signatures to be put in PGP. I don't know how that got in" RFC 2440,
which defines the OpenPGP standard.
NAI still has a large backlog of serious technical work to do:
integration of new algorithms and functionality, ports to new
architectures, and more. Embedded systems -- encryption processing
within telephones, automobiles, and so on -- are likely to be
particularly important during the next few years. Also, the original
RSA patent expired just a couple of weeks ago, and NAI is already
offering products that exploit this.
Minor controversies continue to dog PGP. Just within the last year,
two small faults in the released code were discovered. While experts
agree that neither one presented any practical danger to the security
of PGP-based communications, both sparked arguments about NAI's
ability and even its intentions. In the first case, a fault in a
specific version for Unix could, in principle, compromise a key
generated by a method PGP had always deprecated: automatically,
without user input.
Then, in mid-August, German researchers spotted an error in PGP's
Additional Decryption Key (ADK) functionality. Like the key-generation
error, it was quickly fixed, and detailed investigations confirmed it
was unlikely that any real keys had ever been tampered with, let alone
any messages cracked. However, before all the facts came out,
speculation erupted that Zimmermann had personally installed a
deliberate vulnerability, or perhaps allowed NAI to do so.
Zimmermann promptly published an extensive personal statement through
the PGP Web site, and most observers now grant that, as he concludes
there, "If NAI tried to put a back door in PGP, all the engineers on
the PGP team would quit in a highly visible protest, and I would be
talking to the press about it. There is no way that I would let this
happen."
The Future Is Busy
Zimmermann's personal scheduling often leaves him in what he calls
"decapitated chicken mode." Apart from the frustration of overload, he
likes what he does, and proudly regards it as important technically
and politically. He's just beginning to redevelop PGPphone on his own,
outside NAI: "I think it's a cool project." He continues to speak
before university and industry groups, often in Europe. However
painful the name-calling and conspiracy theorizing is to him, he plans
many more contributions to cryptography and computing.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQA/AwUBOgpEWyavYwibXjmcEQL6BgCgs/fOglVgSiXKVIjsel6IIN1uWhcAoNY8
mEuqj4uT1WKyUFmLGQt4OgAO
=tFYW
-----END PGP SIGNATURE-----
