-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> QUESTION # 1: There seems to currently exist TWO forces in the PGP
> universe:
> (a) GPG -- GnuPG (OpenPGP initiative)
> (b) PGP -- PGP Corporation.
> To what extent are their goals aligned?
>
> More specifically, since (b) is a corporation
> which is driven by the profit motive and
> (a) would like to make a reasonable living
> but is likely more open than the average
> corporate culture, it's likely more in the
> interest of (b) to succeed in being
> universal but not too universal, i.e., to some
> degree, (b) could grab more market share
> by being somewhat proprietary.
>
> OTOH, it's possible AFAIK that (a) could
> not succeed without being 100%
> compatible with (b).

Frankly, this is an insult. The suggestion that because we make a
living at this we must therefore be corrupt ticks me off.

What do *you* do for a living, and when did you stop cheating *your*
customers?

We do this because we think it's a way to make the world a better
place, that we can also make a living at it as well. Hal was one of
the major developers of PGP 2 and was one of the people who risked
going to jail for it. I was still heavily involved in OpenPGP during
the years when it wasn't my job, as well. We are doing this because we
love it. We happen to be good enough at it to also make a living. The
suggestion that because we are making a living we must therefore be
shafting the community says a lot more about your personal morals than
ours.

That doesn't mean we're perfect, it means our hearts are in the right
place. If you think we're doing the community wrong, send me an email
and let me know.

Now then, let me go on to some other things. We think that the GnuPG
guys are friends and allies who make things that we *can't* make.
Ditto for the new library that Ben and Rachel did. We applaud them.
The world needs more OpenPGP, and the best way to get it is to have
more Open Source.

There are differences between GnuPG and PGP, and that's somewhere
between irrelevant and a good thing. As John Clizbe pointed out, the
success of the standard is interoperability. It's actually a good
thing to have two implementations that aren't completely in lock-step,
but have a "friends can disagree" attitude about some things. We also
as a community put that into the standard itself, that there are many
things that gentlepersons can disagree on.

For example, in the days we first created the OpenPGP standard, there
was a lot of debate about symmetric ciphers. Two major ones were CAST5
and Blowfish. To avoid an endless, useless debate about it, they were
both put in. In the post-AES that debate is almost entirely historic.
But PGP didn't implement Blowfish because Phil Zimmermann hates it --
he was a huge CAST5 proponent. His opinion carries on to this day
because no one is screaming for us to put Blowfish in (it's mostly
historic, as I said). When PGP Corporation was formed, we put in
decryption of Blowfish because it aids interoperability and wouldn't
require UI and documentation changes. Odds are, this is probably all
news to you and that shows how well the standard works.

We consider interop bugs to be serious. Whenever we find some rough
edge, you'll likely find me, Hal, David, and Werner huddling in the
back room to figure out what to do. Sometimes that turns into a note
on this list. Sometimes one or the other or both of us fix the
problem. We're friends with common goals and different user bases.

Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII
wj8DBQFJhzK3sTedWZOD3gYRAqEoAJsEbBkiatdZzdTybmjtrGc5cHiI3gCeNRL0
Y+qFadhwSTy/Lw8C+KH5ipg=
=SVKb
-----END PGP SIGNATURE-----