Follow Slashdot stories on Twitter


Forgot your password?
GNU is Not Unix

PGP vs GnuPG in Big Business? 51

CygnusTM asks: "I work for a Fortune 50 company, and we need to expand our PGP installation. We have a quote from Network Associates, but I'd really like to convince the higher-ups that GnuPG is the way to go. The traditional resistance to open source is that there is no one to call when there is a problem, but I also sense there is a little "You get what you pay for" in there, also. How do I get them past this? With enough ammo, maybe I can open the door for other open source software." What are the real advantages and disadvantages of deploying GnuPG over PGP in a corporate environment?
This discussion has been archived. No new comments can be posted.

PGP vs GnuPG in Big Business?

Comments Filter:
  • by danpat ( 119101 ) on Saturday February 09, 2002 @05:30AM (#2978650) Homepage
    I've recently had to look at the same issue where I work. Management wanted to start sending financial information to each other via email, but didn't want to send it unencrypted (they at least have that many smarts). For management/admin, we're a mostly w2k shop, which means they all use outlook/IE. I found that the easiest way to implement encryption was to use the built in X.509 certificate stuff.

    Personally, I prefer mutt with GnuPG, but PGP style encryption isn't the only alternative.
  • Support! (Score:3, Interesting)

    by Anonymous Coward on Saturday February 09, 2002 @05:59AM (#2978688)
    [posting anonymously to protect the utterly paranoid (that would be me)]

    We're using PGP to send data over email instead of sending that data with a courier on disk.

    The main reason for using pgp was that at the time S/mime was not as standardized as it is now. We're a bank so we don't want to hassle with the software of our clients.

    Now with the NAI contract we do not only get a "personalized install" but we also get support. We don't have to setup support for pgp ourselves but direct the question to NAI.

    This saves us from doing techsupport (we're a bank not a software house), and we can concentrate on making sure the emails get send and arive. with GPG you need to do the support yourself. This costs money. It might be that NAI can do it cheaper than yourself.

    Note, that their server side software is very expensive as well. That part could be replaced with GPG as the two are compatible!

  • by Kirruth ( 544020 ) on Saturday February 09, 2002 @06:12AM (#2978706) Homepage

    There are several reasons to think about switching.

    The first is trust: while people often talk about access to source code being essential for security (and then nobody looks at the code), with popular encryption software everyone looks at the source code. You can trust open source encryption software more than closed source. Nevertheless, there is no evidence to suggest that NAI's commercial PGP has a deliberate back door (whatever people might have heard or believe).

    Another reason is licensing: the NAI PGP license is quite prescriptive, in terms of what it permits you to do with the product (or say about it). In big companies, you may have people travelling to countries controlled by nasty regimes. You don't want them to have to uninstall their encryption software before they go to a country because the license says so (being arrested at the airport is a different matter...). GPG is covered by the German export regime, which is much more friendly than that of the US.

    A third is commercial: NAI have have scaled back development effort on PGP software, and may well sell PGP desktop. You could certainly end up paying for software which is not effectively supported.

    All of this is a shame, because PGP had every chance of flourishing under NAI, and it was shaping up to be a really good little product. Even as it is, it has definitely raised the bar for the usability of encryption software. Technically, I still think its pretty good (even with the above issues) but commercially, its position is questionable.

    When you are buying security software, you have to both trust the software and trust the people who make the software.

    • by larien ( 5608 )
      The US export regime is, as you say, very limiting. I work at a large company and we had to go to a US export control presentation, even though we're based in the UK. Reason being, anything which begins its life in the US is subject to US export restrictions. For example, if I took a Windows laptop I purchased in the UK to e.g. Iraq, I'd be in trouble because Windows originated in the US. Yup, it's really that bad.

      Luckily, there are only a few countries in the black list (and fewer in the last 6 months; India and Pakistan were bribed for their support against Afghanistan by removal from the list, and Afghanistan is now largely off the list too). Unfortunately, we do have bases in some of those countries, mainly in the Middle East (which should be a good hint as to what type of company it is...).

      Back on topic; even if you're not based in the US, PGP may become a liability if you do business in a restricted country.

    • by ksheff ( 2406 )

      The company that I worked for considered using GPG for a project. I had pushed for it but it was met with a lot of resistance until it was discovered that another group in the company was using it (typical programmers don't know anything, will listen only to another PHB attitude). Unfortunately, the other organization that we would be sending the data to refused to accept it if it was anything other than the commercial PGP.

      So you may win over people inside your company, but if the recipients are stuck in the 'proprietary software only' mindset you may have to keep PGP around for them. There are companies that have explicit IT dept guidelines banning open source, freeware, and shareware -- even if it's bundled with a commercial product. PeopleSoft claimed it had to ship an alternative commercial *nix web server with it's software for those companies where Apache would be against the set in stone policies.

      • So you may win over people inside your company, but if the recipients are stuck in the 'proprietary software only' mindset you may have to keep PGP around for them. There are companies that have explicit IT dept guidelines banning open source, freeware, and shareware -- even if it's bundled with a commercial product. PeopleSoft claimed it had to ship an alternative commercial *nix web server with it's software for those companies where Apache would be against the set in stone policies.

        Or better yet: fix the problem. Sit down on their NT Server and take a look at FTP.exe in wordpad. Show them the licenses for some of the software on the NT and Windows 2000 resource kits. Show them the licenses for some of the packages in Solaris 8 Software 2 of 2. Then suggest they they either enforce their policy and immedately remove NT 4, Windows 2000, and Solaris 8 for their system (and do not upgrade their older machines to these versions) or remove the policy.

    • Actually, Network Associates is eliminating PGP according to this article (in French):,,t118-s2097672,00.h tm l
  • by steve.m ( 80410 ) on Saturday February 09, 2002 @08:00AM (#2978832) Journal
    then its good enough for you.

    See the press release [].
    There's even a section titled 'Why not use PGP?'
  • by disappear ( 21915 ) on Saturday February 09, 2002 @09:08AM (#2978911) Homepage

    ... because NAI is putting it up for sale, according to this Register article []. Of course, this hasn't actually happened yet, but the fact that they didn't deny it means that the commercial product is probably dead.

  • If they feel a need to pay for software, they are welcome to pay me [mailto] to develop and improve Herbivore [] for their requirements.

    Herbivore has an advantage over PGP-like systems isn that it is intended to be effort-free in normal use.

  • by gruntvald ( 22203 ) on Saturday February 09, 2002 @10:39AM (#2979045) Homepage Journal
    As there's no outlook plugin (just one for express), you'll have to convert your users to emacs for mail, but other than that, the cost savings will be huge. Of course, there's no unattended deployment tools either, so you'll have to visit each desktop, but again, the cost savings will be huge. Folks, this is sarcasm, sometimes a development project needs to tackle the unsavory aspects of windows to make sense.
  • Write this one down (Score:4, Informative)

    by autocracy ( 192714 ) <> on Saturday February 09, 2002 @02:20PM (#2979629) Homepage
    Because it's not likely I'll say it again anytime soon. Go with PGP for your corporation. Server side GPG may be better, and it makes more sense to run an open-code key server - but for the desktop you'll want PGP. This is because it's interface is that much easier and you don't have time to train people for this. You TCO will be less with NAI here. Also, PGP has support for split keys. For a corporation, this can be VERY important. Open Source stuff is usually that much better - but not this time. When it gets an interface as clean as NAI's for Windows and carries support for some of the extras, then it'll be worth it. Of course, I opt for the CKT build :)
    • by Anonymous Coward
      but for the desktop you'll want PGP. This is because it's interface is that much easier and you don't have time to train people for this

      If desktop integration is a big deal, you don't want PGP either -- You want to use the built-in SMIME/X509 capabilities in Outlook (and Netscape and Notes). PGP/GPG is a 3rd party hack and SMIME isn't.

      Also, PGP has support for split keys.

      I'm not sure what this is, but it sounds like some sort of PKI feature hacked on top of a distributed system that wasn't designed to support it. Again, save yourself the trouble and just do X509.
      • If you have no clue what a split key is or what its signicance is, then please don't judge its importance. Split keys are not a hacked on feature, but rather a method of splitting a key in a way that multiple people are required in order to decrypt / sign. Not in the X.509 standard. And in a corporate environment, PGP has a smaller learning curve.
    • I stopped using windows/outlook/pgp, and
      switched to KDE/KMail/gpg, and I find it easier
      to use, as well as eliminating most of my security
      problems. Encrypting on the wire is great, but
      it does no good if some Outloook VBScript virus
      has installed a backdoor on your machine.
    • I have to concur. I've tried using both in a W2K / Outlook environment, NAI PGP winns usability hands down.
      • Outlook Integration: There is an outlook plugin for GPG so for basic encrypt/decrypt operation both are reasonably usable,
      • Key Management: Here's where GPG falls flat on its face; managing keys is nearly impossible with the GPG gui keymanger, performance completely breaks down if the size of your keyring goes up a bit (about 150 keys on my ring currently). adding / signing new key is pretty much instantaneous in PGP while it takes > 60 seconds in GPG!
      • Corporate goodies: Having features like aditional decryption keys or split keys available can also be important for corporate use
      • Availability / Reliability: Here I'd give points to GPG: There's good commitment and a broad developer base for GPG while NAI has publicly announced that it actually wants to be rid of PGP, so there's really no saying how long PGP support or further development will be available from NAI.
      alternatives: PGP/GPG have great advantage over other options: cross platform availability; you'll be hard pressed to find ANY computer where there there ISN'T a version of PGP or GPG available. On the other hand, if you don't actually need that diversity, going with the Windows/Outlook builtin X.509 stuff could be your best option. Easy to use, pretty foolproof, supported by almost all external crypto devices.
      All in all, I'd say for company-wide deployment, the interfaces / integration for GPG just aren't there yet.
    • Depending on the business needs, another solution which uses OpenPGP (the standard on which GPG is based) is the Hushmail service. This service works much like Hotmail (web access) but encrypts the mail using OpenPGP, and provides a PKI service.

      The great thing about Hushmail to Hushmail messages is end-to-end security: not only are you using encryption to protect the files, the messages stay on the providers servers in another country. So, for baddies, even getting access to the files to attempt to decrypt them is tricky.

      It's a commercial service which also provides an encrypted storage service, for a small charge.

  • by fm6 ( 162816 ) on Saturday February 09, 2002 @03:00PM (#2979771) Homepage Journal
    You do get what you pay for. But if "what you pay for" is somebody to call when things get broken, open-source versus proprietary is neither here nor there. What's important is whether the people you call are worth the money you're paying them. The people who wrote the software aren't always the best at supporting it. That was true even when Open Source wasn't an option.

    And if you insist on paying somebody money for proprietary security software, you're paying them to keep private information that you need to have public. I'm not an open-source true believer, but you can't get around the fact that the security of open-source products is objectively verifiable. With a proprietary product, you have to take the word of the vendor that it's secure. That's bad in and of itself -- and bad again when you recall that the vendor has every incentive to conceal his product's flaws.

  • Fortune 500, eh? Why not have a friend start a company selling support for GnuPGP, start another company yourself with shares in the first, then get the place you work for to buy a contract from them (you)? That's how it's supposed to work, no?

  • But the Fresh Prince might know.
  • I didn't try gpg because I don't want to
    learn Just Another Command-Line Interface(TM),
    but what I can say on PGP:

    Do not use any versions other than
    * pgp-2.6.3-ia
    * pgp-2.6.3-in
    The latter is a modificated version of
    pgp-2.6.3-i made by the German IN-CA
    (Certification Authority) and supports more.

    Both use IDEA/RSA though, so be sure to get
    an IDEA license additionally (they are available
    from Ascom Tech, CH - check pgpdoc2.txt).
    The source and RSA are freely available nowadays,
    you can also use the NON-US version.
  • by rjh ( 40933 ) <> on Monday February 11, 2002 @04:42AM (#2985779)
    For the time being, GnuPG has one enormous shortcoming in the corporate world. Namely, it's possible for individual users to send traffic that the corporation itself can't eavesdrop on. This may sound like a nonissue, or even an offensive one, but the fact is that if you're sending communications on the company dime, using company equipment, the company does have a right to make sure you're not sending corporate secrets to the competition.

    The parameters of how they may exercise this right are matters of considerable debate. E.g., must the company give notice that communications are being monitored? Must the company stop monitoring if it's an email or a phone call to your spouse? Etc. There's a lot of room for debate on that issue, but the basic fact remains that corporations need some way to make sure their secrets aren't being sent out to their big competitors.

    In the crypto world, there are two major ways of doing this. One is key escrow (a technology which appears to have finally died the ignominious death it deserved). The other is the Additional Decryption Key (ADK). The difference between the two of them is that the ADK is a request to encrypt to an additional (corporate-controlled) key, and escrow requires the private key be held by some "trusted party", just in case.

    Escrow technology is a big can of worms, and ADKs are smaller cans of worms. They're unsuitable for private users because they wind up being security risks. And, in fact, PGP's most critical vulnerability since the 2.6.x days came from an ADK bug.

    However, corporations view the risks of not having ADKs to be much greater than the risks of having ADKs.

    Corporations demand either escrow or ADK. GnuPG supports neither, and Werner Koch has said that GnuPG will never support them. He has his reasons for saying that, and his reasoning is pretty sound. But, then again, so is the corporate logic for insisting on escrow/ADKs.

    Moreover, GnuPG doesn't have any pretty GUIs. WinPT is making a good attempt for Win32, and GNU has their own (apparently stalled) GTK+ front-end, but neither one is anywhere near done. In any business setting, 95% of the people will be stark raving terrified of the prospect of using a command-line app. For this 95%, PGP is the only option. There simply isn't anything else.

    This is sort of a shame, given that NAI's reputation for being an attentive, responsive vendor is ... well, pretty pathetic. But for time being, NAI--and PGP--is the only game in town on the corporate front.

    For me, personally, I use GnuPG and love it. I wholeheartedly recommend people use it. But I simply can't see it taking off in the enterprise for the reasons listed above.
    • []

      "Seahorse is a GNOME front-end for GnuGP. It can be used for sign, encript, verify and decrypt text and files. The text can be taken from the clipboard, or written directly in the little editor it has. Seahorse is also a keymanager, which can be used to edit almost all the properties of the keys stored in your keyrings.

      Seahorse currently consists of two projects. Along with Seahorse itself, a bonobo component called Seahorse-bonobo is being developed. This bonobo component will serve as a backend to Seahorse, as the most gnupg common functions are being implemented in it.

      All the dialogs and windows had been developed using Glade, and they are loaded in runtime execution using libglade.

      Both Seahorse and Seahorse-bonobo are released under the terms of the General Public License (GPL)." [from the website]

      It's really nice. Has a whole keymanager, simplifies creating keys and (de)(en)crypting messages. Easy to use.
  • Just thought you /.ers might want an update on my progress. I've written a document selling the idea. My boss likes it and now it goes up a level. If she likes the idea, GnuPG is in.
  • We are only looking at GnuPG for server-based command-line file encryption. We already use NAI's PGP for desktop/e-mail encryption. The premium they want for basicly the same product on a server is, IMO, ridiculous.
  • Do this in front of your boss:
    1. Call NAI
    2. Start talking about PGP. Ask if their source code is publicly accessible.
    3. Laugh at the rep on the other end of the phone, and ask sarcastically "Well how are we supposed to know if it's secure? Just trust you?? HAH!"
    4. Submit your evaluation the next day.

    Problem solved.

  • Remember with PZ quit NAI because of the source code issues. He is fully on the GnuPG/OpenPG solution over NFI's PGP.
  • I tried to roll it out, but with real bad success. I'm a relative basic PGP/GPG user, so take this for what it's worth.

    I created a basic, plain-jane key, exported the public key, and sent it out to several installations using PGP. Unanimously, they couldn't get it to work. 4 different sites, each with a similar problem. On their side, the program would choke on adding the key. I tried creating side keys, sub keys, etc, etc. On some I think it was due to the real PGP not dealing with El Gamal correctly, on others the key size was probably screwy, but overall it didn't work.

    I had been really looking forward to using GPG for this, but not in this case.
    That being said- try it out. You may very well have better luck than I. I hope so.
  • RSA's Keon can do everything PGP can do, but is backed by a company which believes in its product and supports it. It is also completely compliant with s/mime, as an added benefit, something even PGP can't do. (For bean counters, s/mime support is free in Notes, Outlook/Exchange and Netscape Communicator.) Also supports smartcards.
    Only down I know about this alternative is lack of *nix support at this time. RSA: Listen UP and support *nix with this excellent product!

I am more bored than you could ever possibly be. Go back to work.