[982] in cryptography@c2.net mail archive
Re: [ANNOUNCE] Phil Zimmermann on recent FUD and PGP 5.0 plans
daemon@ATHENA.MIT.EDU (Peter Trei)
Mon Jun 9 15:09:31 1997
Date: Mon, 9 Jun 1997 14:17:32 -0400 (EDT)
From: Peter Trei <trei@zip1.ziplink.net>
To: cryptography@c2.net
[This has been sent to the following
ddt@pgp.com
prz@pgp.com
mnelson@pgp.com
cryptography@c2.net
pgp-dev@systemics.com
pgp-users@joshua.rivertown.net
but due to a screwup at my ISP, this is not reflected in the headers]
Dave Del Torto <ddt@pgp.com> writes:
> A message from our Fearless Leader...[prz]
>
> dave
>
>[...]
>
> I know that it is common practice for some companies to issue statements
> to "spin" the story about certain events, sometimes at the expense of
> truth. This makes a lot of people understandably skeptical about such
> explanations. I do have responsibilities toward my company, but no
> one could get me to deny a truth about the reasons for the restructuring.
> The truth is, the restructuring had absolutely nothing at all to do with
> the RSA lawsuit.
Indeed, skepticism of the completeness and accuracy of such
spin-doctor corporate statements is very common, and I'm glad you
recognize the problem. In that light, I hope that you will see the
necessity of clearing up an uncertainty left by your following
paragraph.
You say:
> I would now like to announce that we will be releasing PGP 5.0 in mid-June.
> It's in beta release right now on our web page (www.pgp.com). In keeping
> with my own dedication to personal freedom and privacy, we will be releasing
> a freeware version for noncommercial use through MIT's web site
> (web.mit.edu/pgp), just like in the old days before the company was formed.
> And we do plan to publish the full PGP source code for Mac, Windows 95,
> and Linux.
Skepticism can be bred as much by what is left unsaid as by what is
stated.
Could you please disambiguate your use of the term 'publish'? Will you
provide downloadable source code along with the freeware version, so
people can independently verify the code and build complete,
interoperable copies of PGP 5? There has been speculation that PGP
might "publish" the source only in book form, possibly with
electronically readable source available on a restricted basis only to
registered developers.
I recognize that PGP faces a bind here - if you release full source
code, you potentially ease the work of people who want to build free
PGP-compatible products, which might compete with PGP Inc's commercial
versions. But if you fail to release source code in a form that people
can compile and test, you risk losing the confidence of your users -
many of whom are suspicious as a way of life, and won't trust a
cryptographic product they have not compiled themselves.
PGP (the program) and Phil have tremendous reputation and goodwill,
based on the open availability of source and the history of the
author. PGP (the company) would be well-advised not to jeopardize
this. A clear and unambiguous statement from PGP regarding the form
and availability in which it will "publish the full PGP source code"
would do a great deal to bolster the public's confidence in the
product.
> Philip Zimmermann
> Chief Technology Officer, PGP Inc.
Peter Trei
ptrei@acm.org
Disclaimer: The above is my own view, and should not be misconstrued
to belong to or represent anyone else.
PS: I'll see responses which are sent to cryptography@c2.net.
pt