TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

For quality open source OpenPGP-compliant public key encryption tools, GnuPG isn’t the only game in town.


Back in 1991, Phil Zimmermann — one of the original Cypherpunks — created an encryption tool he called PGP (Pretty Good Privacy). He released it to the world at large for free use, and in privacy-conscious circles it gained a very positive reputation. It effectively became the standard by which other privacy tools were judged.

Since that time, in no particular order:

  • a business has been built around that tool and the other tools built on it, ultimately in the form of the PGP Corporation
  • an open standard, OpenPGP, was published, based on the message and key formats of PGP (see RFC 4880 for details)
  • the GNU project developed an open source implementation of the OpenPGP standard called GnuPG, which has been widely adopted by users of open source software

The Major Players

In the blue corner . . . PGP Corporation:

Naturally, I have discussed the inadvisability of trusting a brand in the past. If you really do want to pick a brand to trust, though, you could definitely do worse than PGP Corporation. Despite the fact that encryption that doesn’t trust the user isn’t trustworthy in general, there are some closed source software vendors with a more believable reputation for honesty and competence than others. PGP Corporation is, by all accounts, somewhere in the neighborhood of the top of the list.

I don’t personally have much use for the PGP Corporation’s products, and I haven’t done the sort of work where I’d be in a position to recommend them to clients for a couple of years. If I were to get back to that sort of work, though, I’d be happy to recommend them where their functionality is needed.

In the red corner . . . the GNU Project:

GnuPG, meanwhile, is actually open source software with a strong reputation for good security practice as well. Its source code is open to deeper scrutiny than the proprietary, only mostly viewable source code of PGP Corporation’s offerings, even though both are widely peer-reviewed. The downside for GnuPG in a comparison of the two is that PGP Corporation’s software offers much greater functionality for enterprise deployments. In fact, it does things that may not be worth the effort of trying to do with GnuPG in many cases. When you don’t need to do those things, GnuPG is the tool to use.

I use GnuPG extensively. I’ve also written about it a fair bit here.

The Licensing Problem

Aside from its rather narrower capabilities, GnuPG has another problem: it uses copyleft licensing. This shouldn’t be a big surprise for anything with “GNU” in the name, of course, since the GNU project was created by the same guy who invented the world’s most widely used copyleft license, the GPL: Richard Stallman.

Many might object to the characterization of the use of the GPL as a “problem”, of course. Licensing philosophy is a touchy subject of discussion, to put it mildly. It is especially critical, however, that you choose the right licensing model for security software. Regardless of more abstruse considerations such as fundamental ethical theory, there are specific and overriding concerns when it comes to security tools that prompt me to favor (and advocate) a copyfree licensing policy, all else being equal.

Copyfree Options

There are a number of other open source OpenPGP implementations available, however — with varying degrees of functionality and completeness. A few examples are listed here:

  • OpenPGP SDK: BSD License; library that implements OpenPGP specification
  • OpenPGP Reference Implementation: BSD License; developed as a reference implementation while the standard was being worked out
  • pgpdsa: Public Domain; minimalistic OpenPGP compatible DSA signature code
  • PGP Stealth: Custom License (see source files); steganographic OpenPGP tool

I personally find the OpenPGP SDK the most interesting and encouraging of them — though PGP Stealth has its points of interest as well. OpenPGP SDK version 0.9 was released this very month, signaling the rapid approach of a 1.0 stable release, and proving it is a vibrant, active project, unlike some others. I’ll be keeping an eye on it.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Comments on this blog

Options for OpenPGP apotheon | 01/22/09
gpg and truecrypt Neon Samurai | 01/22/09
any trough to pgp version 7? Neon Samurai | 01/22/09
false alarm apotheon | 01/23/09
just like Jaqui | 01/23/09
Ahh rob mekel | 01/23/09
until the phone company fiasco, that third one was unfounded Neon Samurai | 01/23/09
cheers, it's been a long lived rumor Neon Samurai | 01/23/09
No, rumor is false bgillson@... | 01/29/09
Thanks for commenting. apotheon | 01/31/09
Removed repeated post. ITAuditGuy | 02/08/09
Removed repeated post. ITAuditGuy | 02/08/09
Master Key? ITAuditGuy | 02/08/09
My own needs Jaqui | 01/23/09
don't bother apotheon | 01/23/09
yeah, I thought about it Jaqui | 01/23/09
