While most people might not know what PGP encryption is, almost everyone with access to an email account uses it regularly. It’s one of the most popular ways to digitally sign, encrypt or decrypt emailed documents, adding an additional level of security of email communications. But what might sound like a fairly dry and mundane tool has a history fraught with intrigue, peril, spy agencies and very real threats to the creator, a computer scientist named Phil Zimmerman.
Zimmerman first developed PGP encryption in 1991, after reading a New York Times article about proposed legislation that would require programmers to write a “back door” into encryption programs allowing government agencies to read anyone’s email messages. Concerned by what he thought would be an outrageous breach of personal rights and the death of secure email, Zimmerman created the first version of Pretty Good Privacy.
Friends of Zimmerman distributed PGP 1.0, even going so far as to upload it to BBS server via late-night calls on pay phones over fears of government intervention. Those fears came true in February 1993, as he was investigated for “munitions export without a license” – in this case the “weapon” was the PGP encryption program, which had been globally circulated by users. This lead to a lengthy and protracted legal battle which turned Zimmerman into something of a folk hero among computer experts before the charges were eventually dropped.
Today, PGP encryption is not only widely accepted but is now used as a standard for high-level data encryption. PGP is one of only two email-related encryption standards accepted by the National Institute of Standards and Technology to provide adequate protection for financial data regulated in the Sarbanes-Oxley Act of 2002 (which enforced tougher reporting standards on Wall Street companies). The other is S/MIME.
LuxSci – Your Secure Email Hosting Provider
LuxSci’s SecureLine service provides PGP, S/MIME and other email encryption facilities to its users.
“almost everyone with access to an email account uses it regularly”
I’m afraid you’re going to have to supply some evidence to substantiate that claim Erik – I don’t know anyone who uses PGP any more, either in the commercial world, or private (which shows how big and untouched the market is that McAfee and PGP simply never collide). It’s hardly as ubiquitous as you imply (though I agree, it’s still one of the most usable solutions). With direct send methods rather than store-and-forward, the whole idea of email encryption has taken a back seat in the last 10 years. Sure, lots of people talk about it, but few actually execute.
As for it being a standard, that does not equate adoption. There’s nothing clever involved in being a standard – only the onerous creation of substantiating paperwork. I believe Voltage IBE is close to becoming a “standard” itself?
Encrypted email will never take off until the root problem of PKI is solved – ie how do we share public keys of everyone between dissimilar technology platforms.
Yes, direct PGP use is not widespread due to key sharing issues and due to the fact that PGP does not come pre-installed in most email clients due to licensing considerations. However, PGP use on the back-end for securing data is very prevalent and many providers use it in one for or another for this purpose. So, even if the emailer him/herself is not sending a PGP-encrypted message, it is quite possible that some part of the message or the sender or recipients profile data is touching systems that use PGP to some degree.
We generally refer newbies to S/MIME over PGP as the barriers to entry are smaller in terms of getting certificates and getting setup in whatever your favorite email program is. Same problem of PKI, however.
PGP does try to address the PKI problem to some extent using keyservers, though that is not super reliable and you still have to rely on PGP’s trust mechanisms.
LuxSci’s SecureLine service addresses the issue by making all keys, PGP and S/MIME, of all users available to everyone else automatically — so you never have to look them up or import/export them. One message can automatically go to some users using PGP and others using S/MIME without you having to care what is which. The SecureLine system also allows plugging in 3rd party PGP and S/MIME certificates and sending/receiving to/from people without any kind of PGP or S/MIME capability using a notify and pickup system (SecureLine Escrow) for sending and a special portal (SecureSend) for sending a secure message to a user. This goes a long way to solving the PKI issues and allows people to use whatever technology is most appropriate for them.