For how long have you been involved in the development of PGP?
I joined PGP, Inc. in January 1997. I was Chief Scientist there. When NAI bought PGP in December 1997, I became CTO at NAI, and stayed there until April 1999. I am one of the co-founders of the new PGP Corporation.
I am the principal author of The IETF OpenPGP standard, which is presently RFC2440, and have been doing that since mid '97.
What were your thoughts after Network Associates stopped selling PGP products this March?
Oh, I was incredulous! I'm a Mac OS X user and had been on the beta list for it in October. I kept waiting for them to find someone for it, myself.
When and with what plans was PGP Corporation started?
Phil Dunkelberger and I ran into each other at last year's RSA conference, and started talking about a new security startup. We came up with some ideas on how to make message security much simpler to use. We then started working with Will Price, who had then recently left Network Associates after the PGP cancellation. He had his own ideas that meshed in with our ideas, and that led to us deciding that PGP would fit in well with our combined plans.
What products were bought from Network Associates?
We bought all products from Network Associates, including ones that are in progress except for the Windows VPN and firewall, and the command line versions. Network Associates still sells the command line PGP under the name McAfee eBusiness Server. We are under an eighteen-month non-compete for the command line PGP, so it is theirs for that time.
Our products include the traditional PGP for Windows and Macintosh, the Palm and WinCE products, the PGP key server, and so on.
What's your opinion on open source?
I think if you buy a software product, especially one that is a security-related product, you should be able to know how it works. You should be able to see that it doesn't have horrid flaws in it, by accident or design.
We haven't quite worked out the details of PGP's open source license, but here are the goals I have, pending language:
If you have a legally obtained copy of PGP, then you read, compile, modify, hack, etc. the source for that type of PGP you have, for your own purposes and not for redistribution. What I mean by this is that if you have PGP freeware (which you are using for non-commercial use), then you may do all those things with PGP freeware. If you bought a copy of the retail product, then you may do those things with the retail product or the freeware product.
This isn't quite the same as what some other open source people believe constitutes "open source," but our philosophy on source is completely in line with the principles that the FSF and LPF were founded to defend -- the right to look under the hood.