-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Watch the word wrap: http://developer.earthweb.com/earthweb/cda/dlink.resource-jhtml.72.1081. |repository||softwaredev|content|article|2000|10|03|SDLairdZim|SDLairdZ im~xml.0.jhtml?cda=true (PGP Signature applied with appreciation to PRZ) Meet Phil Zimmermann, creator of the Pretty Good Privacy (PGP) encryption suite and one of the world's best-known cryptographers. Published October 04, 2000 By Cameron Laird Page 1 of 2 1 2 Programmers can be celebrities too. Just ask Philip (Phil) Zimmermann. He's spent most of the last decade as a folk hero, and admits to having enjoyed that status. Just this summer, he suffered the flip side of fame as wildly inflated rumors circulated about his role in compromising the security of the PGP encryption suite, and he watched his e-mail inbox fill with venom. A Human Rights Project He recognizes it comes with the territory. Zimmermann is probably the world's best-known cryptographer. He created the Pretty Good Privacy (PGP) encryption suite in 1991. Since then, it has come to dominate the market for programming protection of online confidentiality. PGP has been heralded for its role in protecting numerous political dissidents around the world, and earned Zimmermann the prestigious Norbert Wiener Award for responsible use of technology in 1996, as well as the 1995 Chrysler Award for Innovation in Design, and a 1998 Lifetime Achievement Award from Secure Computing Magazine, along with at least a dozen other distinctions. It also brought him into highly public patent disputes with RSA Data Security Inc., and a nightmarish multi-year criminal investigation by the United States government. It began as a human rights campaign. As the '90s opened, Zimmermann was an experienced programmer -- and a pretty good one by all accounts, including his own -- specializing in data security and communications and real-time embedded systems. Electronic communications technologies were becoming widely available, and politically significant: combinations of underground radio, video tapes, satellite news updates, and e-mail are generally acknowledged to have been indispensable in the popular overthrow of Iran's Shah, Eastern Europe's Bolsheviks, and several dictatorships throughout the third world. Technical challenges remained. How, for example, could human rights monitors communicate their on-site findings without risking recrimination or distortion? How might any citizen communicate freely and fearlessly over channels subject to tapping? One technical solution was encryption: "scrambling" a message so it was unreadable except to the sender and intended receiver. Zimmermann had worked on commercial encryption systems during the '80s, and he envisioned that it could be applied more widely. He developed PGP as an "add-on" that any e-mail user could install to ensure confidentiality. A Response to Legislation And it worked. It also became controversial, which brought more attention, and encouraged even more users to experiment with it. Nowadays it's become part of the popular culture of computing. It has been so widely disseminated that even many industry participants who rely on it know nothing about Zimmermann, and assume it was first created for the commercial applications -- retail sales, banking, and so on-in which it is used today. Zimmermann, however, emphasizes that for him it remains a human-rights project. PGP was born in controversy. Zimmermann wrote version 1.0 as a response to United States Senate Bill 266. If it had been passed, this legislation would have required all communications vendors to embed "back doors" to permit government agencies to tap their products. He rushed a release of 1.0 into the hands of his computing friends, at least one of whom began to distribute it on bulletin boards throughout North America. Its circulation meant that any criminality resulting from passage of the bill would have been difficult to enforce. Code-sharing didn't stop at national borders, though, and there was nothing hypothetical about it: export of PGP outside the U.S. (with possible exceptions involving Canada) was definitely illegal. Everyone involved agreed that the Office of Defense Trade Control's enforcement of the International Traffic in Arms Regulations (ITAR) extended to cryptographic software. Whom to Prosecute? Whom could the US Department of Justice indict, though? Zimmermann just programmed and talked; he was careful not to engage in any "munitions exports" himself. Despite these precautions, criminal charges were brought against him. The programming and civil rights communities joined to create a legal defense fund. After three years of what Zimmermann calmly categorizes as "persecution," prosecutors dropped the case in early 1996 with as little comment as they had earlier justified it. Controversy didn't end there. Even before the criminal indictment, RSA notified Zimmermann that it considered PGP an infringement of its patents. Zimmermann had been careful to engage only in "educational use" of applicable documents and inventions. He consistently emphasized in his presentations that users were responsible for securing applicable licenses. The RSA battle ended as undramatically as the ITAR one had. Zimmermann and Public Key Partners (PKP), an RSA affiliate, signed an agreement that Zimmermann would continue not to distribute RSA inventions and PKP would not sue Zimmermann. RSA threatened Zimmermann and the Massachusetts Institute of Technology (MIT) for various alleged infringements. Zimmermann programmed around legal problems, and MIT shielded him from others in pursuit of its own intellectual rights. While the publicity around these disputes served as valuable marketing for PGP, it also made it hard to move on. Hecklers continue to believe, for example, that Zimmermann had secretly acquiesced to government demands and somehow weakened PGP. Although it's hard to prove covert arrangements do not exist, it's equally difficult to imagine how Zimmermann might contaminate source code available for public review, which PGP was. PGP Inc. With the disposal of the government case, Zimmermann founded PGP Inc. in 1996 to finance maintenance and enhancement of PGP. Late the next year, he sold the company to Network Associates (NAI), while agreeing to stay on as senior fellow. The programming fraternity continues to honor Zimmermann in its characteristic ways: T-shirts are silk-screened with him as subject, he speaks regularly at conferences and in the classroom, and people who haven't met him often speculate on Usenet and other public forums about his motives and interests. He is often addressed with the reverence accorded an accomplished software engineer martyred for resistance to governmental invasions of privacy. PGP's Present and Future So where are PGP and Zimmermann in the year 2000? He still has a full schedule. Between his assignments with NAI and independent consulting, he sometimes fails to make adequate time for sleep, let alone pack carefully for his many professional travels. He does little coding these days. However, he sees his contribution as critical, believing that "encryption software architectural decisions must be made by knowledgeable cryptographers, not software engineers." He has very firm opinions, for example, about Gnu Privacy Guard (GnuPG), an open source competitor to PGP. There's no doubt in Zimmermann's mind that GnuPG suffers for being managed by programmers. He offers the Blowfish encryption method as an example: "I would never, ever allow Blowfish to be implemented in PGP, because it's not as good a design as Twofish; Twofish is superior. PGP 7 implements Two fish. Yet we see GnuPG implemented Blowfish." Even the Internet Engineering Task Force (IETF) makes cryptographic mistakes, he says. Zimmermann asserts, "I would never allow El-Gamal signatures to be put in PGP. I don't know how that got in" RFC 2440, which defines the OpenPGP standard. NAI still has a large backlog of serious technical work to do: integration of new algorithms and functionality, ports to new architectures, and more. Embedded systems -- encryption processing within telephones, automobiles, and so on -- are likely to be particularly important during the next few years. Also, the original RSA patent expired just a couple of weeks ago, and NAI is already offering products that exploit this. Minor controversies continue to dog PGP. Just within the last year, two small faults in the released code were discovered. While experts agree that neither one presented any practical danger to the security of PGP-based communications, both sparked arguments about NAI's ability and even its intentions. In the first case, a fault in a specific version for Unix could, in principle, compromise a key generated by a method PGP had always deprecated: automatically, without user input. Then, in mid-August, German researchers spotted an error in PGP's Additional Decryption Key (ADK) functionality. Like the key-generation error, it was quickly fixed, and detailed investigations confirmed it was unlikely that any real keys had ever been tampered with, let alone any messages cracked. However, before all the facts came out, speculation erupted that Zimmermann had personally installed a deliberate vulnerability, or perhaps allowed NAI to do so. Zimmermann promptly published an extensive personal statement through the PGP Web site, and most observers now grant that, as he concludes there, "If NAI tried to put a back door in PGP, all the engineers on the PGP team would quit in a highly visible protest, and I would be talking to the press about it. There is no way that I would let this happen." The Future Is Busy Zimmermann's personal scheduling often leaves him in what he calls "decapitated chicken mode." Apart from the frustration of overload, he likes what he does, and proudly regards it as important technically and politically. He's just beginning to redevelop PGPphone on his own, outside NAI: "I think it's a cool project." He continues to speak before university and industry groups, often in Europe. However painful the name-calling and conspiracy theorizing is to him, he plans many more contributions to cryptography and computing. -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2 iQA/AwUBOgpEWyavYwibXjmcEQL6BgCgs/fOglVgSiXKVIjsel6IIN1uWhcAoNY8 mEuqj4uT1WKyUFmLGQt4OgAO =tFYW -----END PGP SIGNATURE-----