Net Security Interview with Jon Callas

R. A. Hettinga rah at
Sat Oct 5 06:42:21 PDT 2002

Net Security

Interview with Jon Callas
by Berislav Kucan

Jon Callas is an innovator and an acknowledged expert in all major aspects
of contemporary business security, including cryptography, operating system
security, public key infrastructure, and intellectual property rights.

For how long have you been involved in the development of PGP?

I joined PGP, Inc. in January 1997. I was Chief Scientist there. When NAI
bought PGP in December 1997, I became CTO at NAI, and stayed there until
April 1999. I am one of the co-founders of the new PGP Corporation.

I am the principal author of the IETF OpenPGP standard, which is presently
RFC2440, and have been doing that since mid '97.

What were your thoughts after Network Associates stopped selling PGP
products this March?

Oh, I was incredulous! I'm a Mac OS X user and had been on the beta list
for it in October. I kept waiting for them to find someone for it, myself.

When and with what plans was PGP Corporation started?

Phil Dunkelberger and I ran into each other at last year's RSA conference,
and started talking about a new security startup. We came up with some
ideas on how to make message security much simpler to use. We then started
working with Will Price, who had then recently left Network Associates
after the PGP cancellation. He had his own ideas that meshed in with our
ideas, and that led to us deciding that PGP would fit in well with our
combined plans.

What products were bought from Network Associates?

We bought all products from Network Associates, including ones that are in
progress except for the Windows VPN and firewall, and the command line
versions. Network Associates still sells the command line PGP under the
name McAfee eBusiness Server. We are under an eighteen-month non-compete
for the command line PGP, so it is theirs for that time.

Our products include the traditional PGP for Windows and Macintosh, the
Palm and WinCE products, the PGP key server, and so on.

What's your opinion on open source?

I think if you buy a software product, especially one that is a
security-related product, you should be able to know how it works. You
should be able to see that it doesn't have horrid flaws in it, by accident
or design.

We haven't quite worked out the details of PGP's open source license, but
here are the goals I have, pending language:

If you have a legally obtained copy of PGP, then you read, compile, modify,
hack, etc. the source for that type of PGP you have, for your own purposes
and not for redistribution. What I mean by this is that if you have PGP
freeware (which you are using for non-commercial use), then you may do all
those things with PGP freeware. If you bought a copy of the retail product,
then you may do those things with the retail product or the freeware

This isn't quite the same as what some other open source people believe
constitutes "open source," but our philosophy on source is completely in
line with the principles that the FSF and LPF were founded to defend -- the
right to look under the hood.

Part of the reason we're of this mind is that as makers of a security
system, there are safety and reliability issues that we have to deal with.
We have a responsibility to combat the appearance of PGP clones that are of
lower security. Worse, what constitutes "lower security" is something about
which gentlepersons can disagree. I know some people with extreme opinions
about all sorts of security issues (including us). I, personally, as the
OpenPGP author try to be moderate. There are things allowed in the standard
that personally I disagree with. We solve that by saying that in our
implementation of the standard, we're not going to do those things. You can
think of this as being the software equivalent of having an editorial voice.
I'll defend your right to use feature X, but it isn't going in my product.
But I digress.

I support your right to look at my software. I think it's fine if you
modify it for your own use. If you quietly give it to your friends, I'm not
going to complain -- provided they're using freeware features or paid for

We provide reseller agreements and we license our toolkit, the PGPsdk --
quite liberally, I might add. If you want to resell or make a product
based on our source code, we can work something out. You just need to talk
to us first.

After stopping the PGP product line, Network Associates spokeswoman
Jennifer Keavney said: "The reality is it didn't become a large enterprise
sell, and it maintained its perception as a freeware product. People around
the world are still using it for free". Won't PGP Corporation have the same

We believe we can be successful. Our funders, who include Venrock, the
venture arm of the Rockefeller family, believe we can be successful.

Will your company stop offering PGP source code in the future?

No. Source code is vital. We believe in it. Our funders believe in it.

Will PGP Corporation produce Linux versions of PGP products?

We are considering it. We can produce a GUI version of PGP similar to the
ones we do for Mac OSX and Windows. The biggest question for us is whether
or not Linux people would find such a thing valuable enough to want to buy.
There are a number of freeware systems available now -- should we bother
making something we charge for, or should we just interoperate with what's
out there?

Are there plans for the development of new products in the PGP line in the
near future?

Oh, yes. We weren't funded just to pick up the PGP business. We were funded
for our new product plans. Without giving it away, our aim is to make
products that are extremely easy to use. Think of it as PGP for people
whose VCRs flash 12:00.

Is there a possibility for you to discontinue any of the PGP products?

I can't think of one.

What do you think about the whole segment of handheld computer security?
Where does PGP Corporation stand on this topic?

We already have versions of PGP for Palm OS and WinCE. We have Symbian's
OS. We believe this is a huge opportunity for us.

What is your perspective on full disclosure of vulnerabilities?

I am a proponent of full openness. I'm a proponent of published source
code, so by necessity vulnerabilities will be disclosed -- just look at the
differences in the source.
R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'