On 1/2/09 20:14, gerry_lowry (alliston ontario canada) wrote:
> QUESTION # 1: There seems to currently exist TWO forces in the PGP universe:
> (a) GPG -- GnuPG (OpenPGP initiative)
> (b) PGP -- PGP Corporation.
> To what extent are their goals aligned?
To the extent agreed in the OpenPGP RFC. They both produce working code
to that document, and it seems to happily exchange messages. That is
the point of the document.
> More specifically, since (b) is a corporation which is driven by the
> profit motive and (a) would like to make a reasonable living but is
> likely more open than the average corporate culture, it's likely more
> in the interest of (b) to succeed in being universal but not too
> universal, i.e., to some degree, (b) could grab more market share by
> being somewhat proprietary. OTOH, it's possible AFAIK that (a) could
> not succeed without being 100% compatible with (b).
I think it is a reasonable question to ask about the structure of the
OpenPGP microindustry, although rather hard to voice without appearing
insensitive :)
The thing is, the market for OpenPGP (both paid and FLOSS) is very very
small. In such a market, the competitors can actually do far better by
working together. They can grow the market more easily that way.
If this were a "saturated market" and no growth were possible, then
stealing a client from the competitor would represent the only growth
possibility, so then we would expect to see some mutual cannibalisation
and hence what you might think of as bad behaviour.
To perhaps put a controversial spin on it, the question can be turned
around. To what extent can we trust the various players to stick to
their stated goals? Without talking about say GnuPG (which I know
little about) I can suggest that it is pretty easy to pervert an open
source organisation. Here are two common ways:
* cut a secret deal with them.
* pay your developers to work on their project.
For both of those, a corporation has an easier time with the attack
(which is balanced by other things of course).
If one were to do a scorecard on how aligned the stated goals were with
the actual events and work done by the players, OpenPGP security
community would score quite highly. Other security projects would score
far more badly, and are a cause for serious concern.
iang
PS: which reminds me, I did that a few years back, and PGP Inc did score
pretty highly:
http://iang.org/ssl/security_metrics.html