All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.
Phil Zimmermann is about to fight the biggest battle of his career. But this time Zimmermann isn't fighting against the US government; he's fighting against Microsoft and Netscape.
Zimmermann is, of course, that mythic crypto rebel hero. Back in 1991, Zimmermann wrote an email encryption program called PGP (pretty good privacy) and gave it away. PGP was "encryption for the masses." That made the US government nervous.
But PGP has had a big problem since its invention - the program was (and still is) extremely difficult to use. As a result, most people who have PGP rarely use it. Hell, I even wrote a book about how to use PGP, and I hate getting encrypted email; it's a pain. Still, the encryption program has been the de facto standard for six years.
Zimmermann and his start-up, PGP Inc., are trying to develop an easier-to-use version of the program, and a plug-in for Netscape Navigator to make encryption transparent. Unfortunately, they may be blowing into the wind. That's because both Netscape Communicator, bundled with Navigator 4.0, and Microsoft Outlook Express, bundled with Explorer 4.0, come with built-in support for email encryption, and they don't use PGP. Instead, they use a different technology, called S/MIME. S/MIME is an encryption standard developed by RSA Data Security.
What's developing here is one of those religious wars for which the computer industry is so well known. On one side, there is the alliance between Netscape, Microsoft, RSA Data Security, and much of the computer industry. They are pushing for S/MIME as a worldwide secure email standard. On the other side is PGP Inc., which says the S/MIME standard is fundamentally flawed because it requires support for 40-bit crypto, which is too weak to be of much utility, but exportable under federal law.
Charles Breed, PGP's director of technical marketing, says S/MIME turns its back on the thousands of Internet users who use PGP.
Netscape brushes off Breed's charges. "We don't want to get into religious wars on the mail standards," says Eric Greenberg, Netscape's security product manager. "There are a lot of PGP users out there, and we are pleased that PGP has offered a plug-in for our product."
For S/MIME, the real problem doesn't seem to be PGP but the Internet Engineering Task Force. RSA has offered S/MIME to the IETF as a proposed standard for sending encrypted email. But at the last IETF meeting in Memphis, Tennessee, a number of objections were raised:
__1.__S/MIME is a trademark of RSA Data Security. In order for it to be a standard, RSA would have to give up the trademark.
__2.__The S/MIME standard currently requires that any implementation be able to encrypt and decrypt data using the RC2 data-encryption algorithm and the RSA public key algorithm. Although RC2 has been published on the Internet, the algorithm is still officially an RSA Data Security proprietary technology, and the company has threatened to take legal action against any firm that implements the algorithm without a license. As for the RSA algorithm, it's patent isn't up until the year 2000.
__3.__Finally, S/MIME's requirement that any implementation be able to encrypt and decrypt messages with a 40-bit key doesn't sit well with IETF's technical gurus, who don't want to approve a standard that requires weak crypto just so US companies can sell their wares overseas. IETF's charter is to create the best standard possible, not to create a standard that is in the interests of US businesses.
"S/MIME in its current incarnation cannot become an Internet standard," says Jeff Schiller, who heads the IETF's section on security. "So basically, one of three things has to happen. One is that the RSA people give the IETF people the appropriate rights to the trademark. Either they have to give up on RC2 and allow other public key algorithms - it should be possible to implement this Internet standard without having to buy technology from RSA. Or the IETF needs to develop something [for which] all the rights are available."
RSA has until 1 July to make up its mind, Schiller says.
The standard may already be moot. With Microsoft and Netscape poised to ship millions of programs that implement S/MIME, there certainly will be encrypted email for anybody who wants it. On the other hand, it would be nice if there were an international email encryption standard that wasn't hobbled by 40-bit restrictions.
The real losers in all this are Phil Zimmermann and PGP Inc. That's because the same rules that prevent Netscape or Microsoft from selling strong crypto overseas also block PGP from doing the same. PGP's only market is the United States, and it is competing against Microsoft's free Outlook Express - which is a pretty darn good email program - and Netscape's Communicator, which does a much better job of integration than PGP can with its plug-in.
