Philip Zimmermann
Where to Get PGP

In August 2002, the PGP software and related intellectual property was acquired from NAI by a new startup, PGP Corporation. It is now possible to get PGP from PGP Corp, at www.pgp.com. But it would be even better if you buy PGP from me instead of PGP Corp, because now I am a reseller of PGP.

A bit of history: From January 1998 when Network Associates (NAI) acquired PGP Inc, until February 2002, when NAI shut down its PGP activities, NAI was the primary source of PGP software. Now you can't get it from them anymore, which is just as well, since the PGP community was never happy with NAI's stewardship of PGP. And the old NAI versions (up through 7.x) didn't run on Windows XP or Mac OS X. The good news is that since August 2002, you can get PGP from its new owner, PGP Corporation, at www.pgp.com, or better yet buy it from me. After PGP Corp released version 8.0, it ran on Windows XP and Mac OS X. The Dark Times are over. PGP is back!

PGP Freeware and Source Code

NAI had suspended the long-standing tradition of publishing PGP source code for peer review, a reckless move that eroded public confidence in the product. The new PGP Corp has reinstated this tradition, which allows anyone to download and inspect the PGP source code for bugs, and also shows that it has no back doors. And they still offer freeware versions for noncommercial use. When you click through to their page, you will see that they now call it trialware. Before you jump to the wrong conclusions, note that despite the fact that they call it trialware, it's still freeware. It reverts from full-featured trialware to freeware after 30 days. I still get angry email from people because they immediately stop reading as soon as they see the word "trialware". From the beginning of PGP, there have always been freeware versions available for noncommercial use, and that is still true today.
But bear in mind that if too many people just use the freeware without upgrading to a paid-for version, the engineers that develop PGP will have to find other work to feed their families. PGP suffered a near-death experience at the hands of NAI, and now has a new chance for life with PGP Corp. If you want PGP to survive this time around, you'd better ante up and pay your dues. You may have a constitutional right to use crypto software, but someone has to pay the developers. Free Speech is not the same as Free Beer.

PGP Command-line Products

If you need a command-line version of PGP, you can get it from PGP Corp. You can also get other OpenPGP-compliant command-line products from other people, such as GNU Privacy Guard (also known as GnuPG or GPG) and FileCrypt. All of these OpenPGP-compliant command-line products run on a variety of Unix platforms, as well as the Windows command-line shell.

The www.pgpi.org site

For a wide assortment of freeware versions of PGP, visit the International PGP Home Page at www.pgpi.org. That site is not run by PGP Corp, but by PGP activist Stale Schumacher, who has been operating that site in Norway since long before PGP became a commercial company. His site also includes a lot of general information about PGP, including frequently asked questions about PGP, PGP source code, and where else to get older versions of PGP from all over the world. It also has information on where to get other OpenPGP software. Note that this web site does not have the newer (8.0 or later) versions of the PGP freeware from PGP Corp. You can download the latest version of PGP freeware from PGP Corp.

HushMail

If you want a highly mobile way to do PGP-style encrypted email, you might consider HushMail, from Hush Communications. HushMail is a web-based encrypted email service that uses a downloaded Java applet to encrypt and decrypt email in your browser. There's nothing to install, because it's all done in your browser.
Which greatly simplifies deployment in large corporate environments. It's also handy for road warriors who might need to check their encrypted email from an Internet cafe. And for all you Macintosh fans, HushMail also works with Safari on Mac OS X. Sign up to try out HushMail for free, but if you pay for an upgraded subscription, you get better service and you will be keeping another OpenPGP vendor in business, which the OpenPGP community really needs.

No differences in cryptographic strength

There is no significant difference between any version of PGP you get inside the US and the corresponding version you get from outside the US, as far as cryptographic strength is concerned. There is no difference in key sizes, quality of the cryptographic algorithms, or any other differences in cryptographic security characteristics. Regardless of whether you got it from the MIT site, Network Associates, PGP Corporation, or the www.pgpi.org site, all versions of PGP that I have been associated with are secure, and no versions have ever been weakened for export or for any other reason, in the history of PGP since the first release in 1991. This is true at least up through PGP version 9.5. If my own assurances are not convincing enough, you can always download the PGP source code and check it yourself.

Some people mistakenly assume that the PGP international versions must have been weakened for export in some way. There are complicated reasons why there were different PGP versions made outside the US back in the 1990s, when there were US export restrictions on cryptographic software. These laws had a loophole that allowed cryptographic source code in printed books to be exported. We cleverly exploited this loophole by publishing books containing the complete PGP source code, exported these books to Europe and then arranged for them to be scanned via OCR back into a computer. The resulting source code was published for peer review on web sites in Europe.
This unconventional and labor-intensive approach resulted in international versions that were essentially identical to the ones made in the US, with absolutely no compromises in cryptographic strength. After a long political battle, the US export restrictions on crypto software finally ended in early 2000, so we no longer have to resort to such wild and crazy measures to export PGP.

The MIT web site

In the past, many PGP users in the US have obtained freeware versions of PGP (versions 6.5.8 and earlier, including source code) on the MIT PGP web page at http://web.mit.edu/network/pgp.html. But the MIT site no longer has the current versions of PGP, because it's no longer necessary now that PGP has a stable home at PGP Corp. Also, the MIT site still has some mechanisms in place to impede downloads outside the US, because MIT has not updated their web site since the US export restrictions were lifted in 2000. I suggest you instead use the www.pgp.com site.

You can find other providers of OpenPGP-compliant software at openpgp.org, under the "Members" tab.