Goodbye PGP (hello OpenPGP!)

I think that I first started using PGP on the Mac in 1995.

For those of you who don’t know about PGP, there is a lot of history available, but briefly PGP stands for “Pretty Good Privacy” and was developed by Phil K. Zimmermann, who wrote the application to implement public-key cryptography.  Public-key cryptography is widely used now, but PGP was a wondrous invention for those of us who understand that privacy issues around storage and communication of information on computers present very different challenges than “classified files” stored on paper.

Like a lot of good ideas, PGP was implemented commercially, and has gone through several “owners” some of which were affiliated with Phil, but the commercial product is now owned by Symantec.  Although I’m a believer in Open Source software, I’ve felt up to now that the commercial products from PGP were worth supporting.

However, this has changed for several reasons:

  1. The PGP product sold by PGP Corporation is now much more than email encryption.  It includes lots of other encryption tools, such as Whole-Disk Encryption (WDE), a file “shredder”, and technologies to allow it to be used in a corporate environment.  But – I’m not using it in a corporate environment, and so these tools add weight and complexity.  And cost.  (The latest evidence of the complexity has been three problems this year with applications affected by one or more functions of PGP.)
  2. PGP Corporation hasn’t shown an interest in keeping an email “plugin” working.  When you use encryption tools, it’s important for the end-user to have control over how the tool works.  When you’re using PGP, your email is encrypted or the signature is verified by another process running on your machine, and the only indication you have is a line added to your email, like “* PGP Signed on mm/dd/yy”, which is an issue, because, well, how can you tell that actually came from PGP?  Anyone could add a line in any email like that.  The point of a plugin is that when the Mail application itself tells you something, you have a bit more reason to believe it.
  3. OpenPGP has spawned Open-Source Projects.  In particular GNUPG (GNU Privacy Guard), true to its roots, only does one thing, and that’s implement the PGP “engine” in an open-source application.  That means that other developers are free to add functionality by building around it using “front-ends”, or integrating it, depending on the aim.  GNUPG has kept up with technology and bug fixes, but has added basic functionality carefully.
  4. GPGMail gets better and better.  Speaking of products built for OpenPGP, GPGMail is a Mac OS X front-end for MacGPG.  GPGMail implements a plugin for Apple’s Mail (the native mail program built into Mac OS X).  This solves the problem of believing what might be in the content of an email message – since the Mail application itself is providing the verification.
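
The difference between items 2 and 4, as an added example (not code from this post, PGP or GPGMail): a banner inside the message body proves nothing, while a verdict read from GnuPG's separate `--status-fd` stream and pinned to the expected sender's fingerprint does. The function names, fingerprint, key ID and sample messages are constructed for illustration.

```python
# Constructed samples; the fingerprint and key ID below are made up.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
FORGED_BODY = "* PGP Signed on 01/02/10\nPlease reset my password.\n"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {FPR[-16:]} Alice Example <alice@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2010-01-02 1262390400 0 4 0 1 8 00 {FPR}\n"
)
STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {FPR[-16:]} Alice Example <alice@example.org>\n"
)
STATUS_UNSIGNED = "[GNUPG:] NODATA 1\n"

PREFIX = "[GNUPG:] "
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def banner_says_signed(body: str) -> bool:
    """The check the post warns about: trusting text inside the message."""
    return "PGP Signed on" in body


def verdict_from_status(status: str, expected_fpr: str) -> str:
    """Classify a message from the status stream gpg writes when run with
    --status-fd. The message body is never consulted."""
    valid_fprs, keywords = set(), set()
    for line in status.splitlines():
        if not line.startswith(PREFIX):
            continue  # not a status record
        parts = line[len(PREFIX):].split()
        if not parts:
            continue
        keyword, fields = parts[0], parts[1:]
        keywords.add(keyword)
        if keyword == "VALIDSIG" and fields:
            # first field: signing-key fingerprint; last: primary-key fingerprint
            valid_fprs.update({fields[0], fields[-1]})
    if keywords & FATAL:
        return "invalid"
    if expected_fpr in valid_fprs:
        return "valid"
    if valid_fprs:
        return "valid-but-unexpected-key"
    return "unsigned"
```
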

I think I’ve been a good customer of PGP for a while, but for these reasons I’m no longer using it.
