Phil Zimmermann, the legendary creator of e-mail and file-encryption program PGP (Pretty Good Privacy), will become the chief cryptographer for Web-based e-mail company Hush Communications.
Citing differences with Network Associates -- which bought PGP in 1997 -- Zimmermann said he left the company so he could devote his time to making the open standard called OpenPGP more accepted in the industry.
"For the past decade PGP has been the gold standard for e-mail encryption but we've always had trouble expanding beyond the power users because of ease-of-use problems," Zimmermann said in a statement on Monday. "The OpenPGP standard will be well served by Hush's fresh approach to ease of use and its roaming capability."
Hush Communications, based in Dublin, Ireland, is a venture-capital funded company best known for its free, encrypted Hushmail and HushPOP services.
Zimmermann's departure from Network Associates caps a turbulent decade marked by the release of his first version of "Pretty Good Privacy" in 1991, his instant fame as a hero of the online privacy movement, a tussle with patent-holder RSA Data Security, and an agonizingly extended criminal investigation by the federal government for alleged violations of U.S. export laws governing cryptographic products.
When the antiwar-activist-turned-programmer sold his company, PGP Inc., to Network Associates and became a senior fellow, he began to have clashes with executives over the direction of PGP. Network Associates repeatedly flirted with the concept of key recovery -- endorsed by the Clinton administration but anathema to privacy advocates -- and has refused to publish the source code to the latest versions of PGP so outside experts can verify that no backdoors are present.
Network Associates' departure from the aggressive kind of full disclosure favored by security analysts has fueled a move in the open-source community toward GNU Privacy Guard, a free replacement for PGP that does not rely on the patented IDEA algorithm. But its graphical interface, GNU Privacy Assistant, is still being developed and is not a finished product.
Hush Communications pledges to continue publishing the source code to its Java client, and says it plans to make its e-mail system interoperable with the OpenPGP format.
"Phil's contribution to the field of cryptography and his commitment to privacy are unrivaled," said Jon Matonis, CEO of Hush Communications. "At Hush, we've committed our resources and energy to the mainstream corporate and consumer adoption of strong encryption."
The OpenPGP format is an Internet Engineering Task Force draft standard based on PGP 5.x that can be used by product developers to build in security services such as message encryption, key management and digital signatures.
In a PGP-signed farewell statement, Zimmermann said that all current versions of PGP produced by Network Associates, up to and including PGP 7.0.3, are free of backdoors.
"New senior management assumed control of PGP Security in the final months of 2000, and decided to reduce how much PGP source code they would publish," Zimmermann said. "If NAI ever publishes the complete PGP 7.0.3 source code, I am confident that the public will be able to see that there are still no backdoors. Until that time, I can offer only my own assurances that this version of PGP was developed on my watch, and has no backdoors."
Security holes in cryptographic products can be subtle and difficult to detect. In August, PGP confirmed a bug that exposes purportedly scrambled communications to prying eyes, and last November a bug in GNU Privacy Guard that allowed signatures to be forged was discovered.
In the mid-1980s, Zimmermann started work on what would become the first widely used public key encryption program, but for years his efforts were directed at creating his own algorithm he dubbed "Bass-O-Matic."
By 1991, he was close to having a working product that would become PGP. Then something happened to accelerate his efforts: Sen. Joseph Biden (D-Del.) introduced an FBI-backed measure to limit domestic use of encryption. Zimmermann released PGP 1.0 soon afterward, followed by PGP 2.0 in late 1992.
In his statement released Monday, Zimmermann said he also plans to help Veridis, a spinoff of the Belgian security firm Highware, create OpenPGP-compliant products, and he will be launching the OpenPGP Consortium.