PGP vs GnuPG in Big Business? 51
CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there, also. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?
The problems with PGP (Score:4, Informative)
Personally, I prefer mutt with GnuPG, but PGP style encryption isn't the only alternative.
Support! (Score:3, Interesting)
We're using PGP to send data over email instead of sending that data with a courier on disk.
The main reason for using pgp was that at the time S/mime was not as standardized as it is now. We're a bank so we don't want to hassle with the software of our clients.
Now with the NAI contract we do not only get a "personalized install" but we also get support. We don't have to setup support for pgp ourselves but direct the question to NAI.
This saves us from doing techsupport (we're a bank not a software house), and we can concentrate on making sure the emails get send and arive. with GPG you need to do the support yourself. This costs money. It might be that NAI can do it cheaper than yourself.
Note, that their server side software is very expensive as well. That part could be replaced with GPG as the two are compatible!
A number of reasons... (Score:4, Informative)
There are several reasons to think about switching.
The first is trust: while people often talk about access to source code being essential for security (and then nobody looks at the code), with popular encryption software everyone looks at the source code. You can trust open source encryption software more than closed source. Nevertheless, there is no evidence to suggest that NAI's commercial PGP has a deliberate back door (whatever people might have heard or believe).
Another reason is licensing: the NAI PGP license is quite prescriptive, in terms of what it permits you to do with the product (or say about it). In big companies, you may have people travelling to countries controlled by nasty regimes. You don't want them to have to uninstall their encryption software before they go to a country because the license says so (being arrested at the airport is a different matter...). GPG is covered by the German export regime, which is much more friendly than that of the US.
A third is commercial: NAI have have scaled back development effort on PGP software, and may well sell PGP desktop. You could certainly end up paying for software which is not effectively supported.
All of this is a shame, because PGP had every chance of flourishing under NAI, and it was shaping up to be a really good little product. Even as it is, it has definitely raised the bar for the usability of encryption software. Technically, I still think its pretty good (even with the above issues) but commercially, its position is questionable.
When you are buying security software, you have to both trust the software and trust the people who make the software.
Re:A number of reasons... (Score:3, Interesting)
Luckily, there are only a few countries in the black list (and fewer in the last 6 months; India and Pakistan were bribed for their support against Afghanistan by removal from the list, and Afghanistan is now largely off the list too). Unfortunately, we do have bases in some of those countries, mainly in the Middle East (which should be a good hint as to what type of company it is...).
Back on topic; even if you're not based in the US, PGP may become a liability if you do business in a restricted country.
Re:A number of reasons... (Score:3, Interesting)
The company that I worked for considered using GPG for a project. I had pushed for it but it was met with a lot of resistance until it was discovered that another group in the company was using it (typical programmers don't know anything, will listen only to another PHB attitude). Unfortunately, the other organization that we would be sending the data to refused to accept it if it was anything other than the commercial PGP.
So you may win over people inside your company, but if the recipients are stuck in the 'proprietary software only' mindset you may have to keep PGP around for them. There are companies that have explicit IT dept guidelines banning open source, freeware, and shareware -- even if it's bundled with a commercial product. PeopleSoft claimed it had to ship an alternative commercial *nix web server with it's software for those companies where Apache would be against the set in stone policies.
Re:A number of reasons... (Score:2)
Or better yet: fix the problem. Sit down on their NT Server and take a look at FTP.exe in wordpad. Show them the licenses for some of the software on the NT and Windows 2000 resource kits. Show them the licenses for some of the packages in Solaris 8 Software 2 of 2. Then suggest they they either enforce their policy and immedately remove NT 4, Windows 2000, and Solaris 8 for their system (and do not upgrade their older machines to these versions) or remove the policy.
Re:A number of reasons... (Score:1)
http://news.zdnet.fr/story/0,,t118-s2097672,00.
If it's good enough for the German Govt.... (Score:5, Interesting)
See the press release [gnupg.de].
There's even a section titled 'Why not use PGP?'
PGP has an uncertain future... (Score:3, Informative)
... because NAI is putting it up for sale, according to this Register article [theregister.co.uk]. Of course, this hasn't actually happened yet, but the fact that they didn't deny it means that the commercial product is probably dead.
If they want to pay... (Score:1)
Herbivore has an advantage over PGP-like systems isn that it is intended to be effort-free in normal use.
Re:Point is, you DO get what you pay for. (Score:4, Interesting)
Rubbish! Following the herd mentality of corporate america may be smart in the political aspects of business (so is knowing how to golf, but that's just as lame...), but not necessarily in the technical aspects.
Yes, you get what you pay for -- an unreasonable EULA and company that tells you "you're s.o.l." if anything should go wrong enough to cause your business damage, all for the yearly support cost of what could likely pay for a competent admin to deal with the software in-house. At least with GPL'd software, there's no pretense of accountability.
As for the techical comparison to PGP, I don't have the ability to evaluate code myself, so I must rely on those who care about security and have the ability to digest source code. To this end, if GPG support is good enough for users of Mixmaster anonymous remailers (these are some truly smart and paranoid folk) and for the OpenBSD maintaners, I'd have to say its okay for my needs.
And I'm pretty certain that GPG supports more algorithms than PGP, and you can be 100% certain that the out-of-the-box algorithms in GPG are not hindered by patents or license restrictions.
Just read this [slashdot.org] for how much responsibility software companies have to their paying customers.
Re:Point is, you DO get what you pay for. (Score:3, Interesting)
I would love to see them -- sincerely.
No outlook plugin (Score:3, Funny)
Re:No outlook plugin (Score:2, Informative)
http://www3.gdata.de/gpg/download.html [gdata.de]
Re:No outlook plugin (Score:1)
I can give you more details if you need it.
I stand corrected (Score:1)
Write this one down (Score:4, Informative)
Re:Write this one down (Score:2, Interesting)
If desktop integration is a big deal, you don't want PGP either -- You want to use the built-in SMIME/X509 capabilities in Outlook (and Netscape and Notes). PGP/GPG is a 3rd party hack and SMIME isn't.
Also, PGP has support for split keys.
I'm not sure what this is, but it sounds like some sort of PKI feature hacked on top of a distributed system that wasn't designed to support it. Again, save yourself the trouble and just do X509.
Re:Write this one down (Score:3, Informative)
Re:Write this one down (Score:1)
switched to KDE/KMail/gpg, and I find it easier
to use, as well as eliminating most of my security
problems. Encrypting on the wire is great, but
it does no good if some Outloook VBScript virus
has installed a backdoor on your machine.
Re:Write this one down (Score:1)
All in all, I'd say for company-wide deployment, the interfaces / integration for GPG just aren't there yet.
Re:Write this one down (Score:2)
Depending on the business needs, another solution which uses OpenPGP (the standard on which GPG is based) is the Hushmail service. This service works much like Hotmail (web access) but encrypts the mail using OpenPGP, and provides a PKI service.
The great thing about Hushmail to Hushmail messages is end-to-end security: not only are you using encryption to protect the files, the messages stay on the providers servers in another country. So, for baddies, even getting access to the files to attempt to decrypt them is tricky.
It's a commercial service which also provides an encrypted storage service, for a small charge.
Actually, they're right (Score:3, Insightful)
And if you insist on paying somebody money for proprietary security software, you're paying them to keep private information that you need to have public. I'm not an open-source true believer, but you can't get around the fact that the security of open-source products is objectively verifiable. With a proprietary product, you have to take the word of the vendor that it's secure. That's bad in and of itself -- and bad again when you recall that the vendor has every incentive to conceal his product's flaws.
Your friend (Score:1)
Fortune 500, eh? Why not have a friend start a company selling support for GnuPGP, start another company yourself with shares in the first, then get the place you work for to buy a contract from them (you)? That's how it's supposed to work, no?
Probably not... (Score:1)
on PGP (Score:1)
learn Just Another Command-Line Interface(TM),
but what I can say on PGP:
Do not use any versions other than
* pgp-2.6.3-ia
* pgp-2.6.3-in
The latter is a modificated version of
pgp-2.6.3-i made by the German IN-CA
(Certification Authority) and supports more.
Both use IDEA/RSA though, so be sure to get
an IDEA license additionally (they are available
from Ascom Tech, CH - check pgpdoc2.txt).
The source and RSA are freely available nowadays,
you can also use the NON-US version.
Rethink your position. (Score:4, Informative)
The parameters of how they may exercise this right are matters of considerable debate. E.g., must the company give notice that communications are being monitored? Must the company stop monitoring if it's an email or a phone call to your spouse? Etc. There's a lot of room for debate on that issue, but the basic fact remains that corporations need some way to make sure their secrets aren't being sent out to their big competitors.
In the crypto world, there are two major ways of doing this. One is key escrow (a technology which appears to have finally died the ignominious death it deserved). The other is the Additional Decryption Key (ADK). The difference between the two of them is that the ADK is a request to encrypt to an additional (corporate-controlled) key, and escrow requires the private key be held by some "trusted party", just in case.
Escrow technology is a big can of worms, and ADKs are smaller cans of worms. They're unsuitable for private users because they wind up being security risks. And, in fact, PGP's most critical vulnerability since the 2.6.x days came from an ADK bug.
However, corporations view the risks of not having ADKs to be much greater than the risks of having ADKs.
Corporations demand either escrow or ADK. GnuPG supports neither, and Werner Koch has said that GnuPG will never support them. He has his reasons for saying that, and his reasoning is pretty sound. But, then again, so is the corporate logic for insisting on escrow/ADKs.
Moreover, GnuPG doesn't have any pretty GUIs. WinPT is making a good attempt for Win32, and GNU has their own (apparently stalled) GTK+ front-end, but neither one is anywhere near done. In any business setting, 95% of the people will be stark raving terrified of the prospect of using a command-line app. For this 95%, PGP is the only option. There simply isn't anything else.
This is sort of a shame, given that NAI's reputation for being an attentive, responsive vendor is
For me, personally, I use GnuPG and love it. I wholeheartedly recommend people use it. But I simply can't see it taking off in the enterprise for the reasons listed above.
Re:Rethink your position. (Score:2)
Simply put, WinPT's UI is not up to the level that corporate customers expect. I expect that, provided WinPT development keeps going and doesn't stall, in a year or eighteen months it'll be comparable to the PGP UI. But for right now it just isn't there.
If you think polish doesn't matter, I suggest you search the Web for "Why Johnny Can't Encrypt", which is a usability study of PGP. Even with a modern, well-polished UI, PGP's usability by average users is awful. Really terrible.
If it doesn't integrate seamlessly with the OS, people won't use it. It doesn't matter how simple or gentle the learning curve is; people will just choose to not learn instead.
5% of computer users are geeks, and that may be optimistic. The remaining 95% are the Real Users. Live in fear and terror of them.
Seahorse (Score:1)
"Seahorse is a GNOME front-end for GnuGP. It can be used for sign, encript, verify and decrypt text and files. The text can be taken from the clipboard, or written directly in the little editor it has. Seahorse is also a keymanager, which can be used to edit almost all the properties of the keys stored in your keyrings.
Seahorse currently consists of two projects. Along with Seahorse itself, a bonobo component called Seahorse-bonobo is being developed. This bonobo component will serve as a backend to Seahorse, as the most gnupg common functions are being implemented in it.
All the dialogs and windows had been developed using Glade, and they are loaded in runtime execution using libglade.
Both Seahorse and Seahorse-bonobo are released under the terms of the General Public License (GPL)." [from the website]
It's really nice. Has a whole keymanager, simplifies creating keys and (de)(en)crypting messages. Easy to use.
Update (Score:1)
Clarification (Score:1)
That's easy (Score:2)
Problem solved.
Phil Zimmerman Likes OpenPG (Score:2)
My experience: don't. (Score:2)
I created a basic, plain-jane key, exported the public key, and sent it out to several installations using PGP. Unanimously, they couldn't get it to work. 4 different sites, each with a similar problem. On their side, the program would choke on adding the key. I tried creating side keys, sub keys, etc, etc. On some I think it was due to the real PGP not dealing with El Gamal correctly, on others the key size was probably screwy, but overall it didn't work.
I had been really looking forward to using GPG for this, but not in this case.
That being said- try it out. You may very well have better luck than I. I hope so.
Why not look at non PGP encryption (Score:1)
Only down I know about this alternative is lack of *nix support at this time. RSA: Listen UP and support *nix with this excellent product!