ietf-openpgp

Re: "newbie" questions: GPG a.k.a. GnuPG versus PGP corporation's products ... ; et cetera

2009-02-03 08:17:22

On 1/2/09 20:14, gerry_lowry (alliston ontario canada) wrote:

QUESTION # 1:  There seems to currently exist TWO forces in the PGP universe:

    (a) GPG -- GnuPG (OpenPGP initiative)
    (b) PGP -- PGP Corporation.

 To what extent are their goals aligned?


To the extent agreed in the OpenPGP RFC. They both produce working code to that document, and it seems to happily exchange messages. That is the point of the document.


 More specifically, since (b) is a corporation which is driven by the profit motive and (a) would like to make a reasonable living but is likely more open than the average corporate culture, it's likely more in the interest of (b) to succeed in being universal but not too universal, i.e., to some degree, (b) could grab more market share by being somewhat proprietary.
 OTOH, it's possible AFAIK that (a) could not succeed without being 100%
 compatible with (b).



I think it is a reasonable question to ask about the structure of the OpenPGP microindustry, although rather hard to voice without appearing insensitive :)

The thing is, the market for OpenPGP (both paid and FLOSS) is very very small. In such a market, the competitors can actually do far better by working together. They can grow the market more easily that way.

If this were a "saturated market" and no growth were possible, then stealing a client from the competitor would represent the only growth possibility, so then we would expect to see some mutual cannibalisation and hence what you might think of as bad behaviour.

To perhaps put a controversial spin on it, the question can be turned around. To what extent can we trust the various players to stick to their stated goals? Without talking about say GnuPG (which I know little about) I can suggest that it is pretty easy to pervert an open source organisation. Here are two common ways:

    * cut a secret deal with them.

    * pay your developers to work on their project.

For both of those, a corporation has an easier time with the attack (which is balanced by other things of course).

If one were to do a scorecard on how aligned the stated goals were with the actual events and work done by the players, the OpenPGP security community would score quite highly. Other security projects would score far more badly, and are a cause for serious concern.

iang

PS: which reminds me, I did that a few years back, and PGP Inc did score pretty highly:
http://iang.org/ssl/security_metrics.html