Hi Werner, May I translate this into Japanese? Cheers, -- Hideki Saito
On Dec 20, 2007 1:55 AM, Werner Koch <[EMAIL PROTECTED]> wrote: > A Short History of the GNU Privacy Guard > ======================================== > > It's been a decade now that the very first version of the GNU Privacy > Guard [0] has been released. This very first version was not yet > known under the name of GnuPG but dubbed "g10" as a reference on the > German constitution article on freedom of telecommunication > (Grundgesetz Artikel 10) and as a pun on the G-10 law which allows the > secret services to bypass these constitutional guaranteed freedoms. > > Version 0.0.0 released on December 20th 1997 [1], was a barely working > replacement of PGP avoiding all patented algorithm by using Elgamal > and Blowfish instead of RSA and IDEA. It was prominently marked as a > test version but nevertheless included most of the features of the > current GnuPG. The data format however was not compatible with > OpenPGP but oriented towards the PGP 2 format with a few extensions > (e.g. to allow streaming of data). The OpenPGP working group was > founded back in fall 1997 and I learned a bit to late about it to > build "g10" according to the then existing draft. For copyright > reasons it was practically not possible to reverse engineer the format > used by PGP-5, so the establishment of the OpenPGP WG was the right > thing at the right time. > > Before talking about GnuPG we need to go some more years back in > history: To help political activists Phil Zimmermann published a > software called Pretty Good Privacy (PGP) in 1991. PGP was designed > as an easy to use encryption tool with no backdoors and disclosed > source code. PGP was indeed intended to be cryptographically strong > and not just pretty good; however it had a couple of inital bugs, most > of all a home designed cipher algorithm. With the availability of the > source code a community of hackers (Branko Lankester, Colin Plumb, > Derek Atkins, Hal Finney, Peter Gutmann and others) helped him to fix > these flaws and a get a solid version 2 out. > > Soon after that the trouble started. As in many counties the use or > export of cryptographic devices and software was also strongly > restricted in the USA. Only weak cryptography was generally allowed. > PGP was much stronger and due to the Usenet and the availability of > FTP servers and BBSs, PGP accidently leaked out of the country and > soon Phil was sued for unlicensed munitions export. Those export > control laws were not quite up to the age of software with the funny > effect that exporting the software in printed form seemed not to be > restricted. MIT Press thus published a book with the PGP source code > which was then scanned outside the USA to form the base of PGP-2i ("i" > for international). Since then that version was used widely. > > The criminal investigations against Phil ended in 1996 and he founded > PGP Inc to write PGP-5. The first public release was done in spring > 1997. The same year at the 39th IETF meeting at Munich in August Phil > Zimmermann and Jon Callas asked the IETF to setup a working group to > publish a standard for the protocol used by PGP-5 under the name > OpenPGP. The main drive behind this was to allow widespread use of > strong encryption even if at some point the new company would decide > to stop selling and supporting PGP. As it turned out PGP Inc was > acquired by Network Associates just a few months later and in 2002 > this company actually ceased support and development of PGP (though > the PGP product was later continued by the new PGP Corporation). > > Also often claimed to be Free Software, PGP has never fulfilled the > requirements for it: PGP-5 is straight proprietary software; the > availability of the source code alonedoes not make it free. PGP-2 has > certain restrictions on commercial use [2] and thus puts restrictions > on the software which makes it also non-free. Another problem with > PGP-2 is that it requires the use of the patented RSA and IDEA > algorithms. The patent on RSA was only valid in the USA but the > patent on IDEA was and is still valid [3] in most countries. > > Although the GNU project listed a requirement for a PGP replacement > for some years on its task list, it was not possible to start > implementing it as long as patents on all public key algorithms were > valid. That changed when in April 1997 the basic patent on public key > algorithms expired (the Diffie-Hellman US patent 4200770) and finally > in August when the broader Hellman-Merkle patent (4218582) expired. > > A month later, at the Individual-Network Betriebstagung at Aachen [4], > Richard Stallman continued his talk with a BoF session where he asked > the European hackers to start implementing public key software. The > arms trafficker laws of the USA prohibited the GNU project to write > such software in their country or even by US citizens working abroad. > Thus he told the European hackers that they are in the unique position > to help the GNU with crypto software. > > Being tired of writing SMGL conversion software and without a current > fun project, I soon found my self hacking on PGP-2 parsing code based > on the description in RFC-1991 and the pgformat.txt file. As this > turned out to be easy I continued and finally came up with code to > decrypt and create PGP-2 data. After I told the GNU towers that I > will take up the PGP replacement implementation I spent the rest of > the year replacing IDEA by Blowfish, RSA by Elgamal, implementing > streaming encryption, adding some key management and getting the code > into a reasonable shape. > > There used to be a plan for a free version of Secure Shell called PSST > (later known as LSH) with a somewhat populated mailing lists > maintained by Martin Hamilton. Martin was the so kind to setup a > mailing list for g10 too and announced it on that list. This way we > got the first subscribers. Eventually I made the first tarball, put > it up to ftp.guug.de, the FTP server of the German Unix User Group, > and wrote an announcement [5]. > > Right the next day Peter Gutmann offered to allow the use of his > random number code for systems without a /dev/random. This eventually > helped a lot to make GnuPG portable to many platforms. The next two > months were filled with code updates and a lengthly discussion on the > name; we finally settled for Anand Kumria's suggestion of GnuPG and > made the first release under this name (gnupg-0.2.8) on Feb 24 [6]. > Just a few days later an experimental version with support for Windows > was released. (That release also fixed an alignment problem on Alpha > boxes which was detected due to kernel log files filling up the hard > disk and an admin asking whether they really need to be backed up. ;-) > > In July 1998 the first more or less OpenPGP draft compliant version > was released. Matthew Skala had contributed Twofish code done cleanly > From scratch (Twofish was at that time a promising AES candidate and > suggested by Schneier as a Blowfish replacement; however we had some > copyright concerns with the reference code). Michael Roth contributed > a Triple-DES implementation later the year and thus completed the > required set of OpenPGP algorithms. Over the next year the usual > problems were solved, features discussed, complaints noticed and > support for gpg in various other software was introduced by their > respective authors. > > Finally, on September 7, 1999 the current code was released as version > 1.0.0 with the major update of including Mike Ashley's GNU Privacy > Handbook [7]. A year later the RSA patent was to expire on September > 20; the patent holder placed the patent into the public domain 3 weeks > earlier and thus we could release 1.0.3 with RSA support already on > September 18. One of the major obstacles on widespread use public > cryptography had gone (far too late of course). > > Also in 1999 the German government decided that strong encryption will > not be regulated in any way and that its use is recommended for > everyone. To publicly support this statement the Ministry of > Economics funded the porting of GnuPG and related software to > Microsoft Windows [8]. The US government was not keen to see that and > tried to urge the German government to revise the decision to allow > unregulated distribution of crypto software [9]. That did not work > out and to the end the USA had no other way than to weaken their own > export rules. > > Although we still develop GnuPG using servers located in Europe the > new US export controls eventually allowed US hackers to contribute to > GnuPG development. In 2001 David Shaw joined the project and since > then he is one of the most active GnuPG hackers and the co-maintainer. > > It's now a long time since GnuPG could be managed as a fun project and > thus I now spend most of my professional life maintaining and extending > GnuPG. In 2001 I founded g10 Code, a Free Software company for the > development and support of GnuPG and related software. The most known > project is probably GnuPG-2 which started under the name NewPG as part > of the broader Aegypten project. The main goal of Aegypten was to > provide support for S/MIME under GNU/Linux and integrate that cleanly > with other mail clients, most notably KMail. Although having been > actively used since 2004, we released 2.0.0 only one years ago. > > It was not that much fun writing X.509/CMS (commonly named S/MIME) > software compared to the elegant and very interoperable OpenPGP > protocol. Having mastered that we meanwhile achieved to provide a > software which is really useful and works nicely with almost any other > S/MIME implementation. It also turned out that we could port GnuPG-2 > to Windows - despite my original claim that a modern POSIX platform > will be needed for GnuPG-2. This development also showed that it is > viable to develop Free Software as a business. > > With the new tools and from a user's perspective S/MIME and OpenPGP > will soon not make much of a difference anymore. However I had to > smile when I today read a report on the last RSA Europe conference > where a quick poll during a talk showed that OpenPGP is the mostly > used encryption protocol. > > Recall that GnuPG is just one tool; there are numerous other tools out > to solve related privacy problems. Kudos to all who worked on writing > and deploying privacy tools over all these years! > > > Happy Hacking, > > Werner > > > [0] http://www/gnupg.org > [1] ftp://ftp.gnupg.org/gcrypt/historic/g10-0.0.0.tar.gz > [2] from pgpdoc2.txt: "Finally, if you want to turn PGP into a > commercial product and make money selling it, then we must agree > on a way for me to also make money on it. [...] Under no > circumstances may PGP be distributed without the PGP > documentation, including this PGP User's Guide." > [3] "valid" is meant in the sense the patent holders use it and does > not imply that I regard patents on software a valid concept. See > http://www.fsfeurope.org/projects/swpat/background.en.html . > [4] http://www.dascon.de/IN-BT97/programm.html > [5] http://lists.gnupg.org/pipermail/gnupg-devel/1997-December/014131.html > There are just a few mails in December mainly discussing patent things. > [6] http://lists.gnupg.org/pipermail/gnupg-devel/1998-February/014208.html > [7] http://lists.gnupg.org/pipermail/gnupg-announce/1999q3/000037.html > [8] > http://partners.nytimes.com/library/tech/99/11/cyber/articles/19encrypt.html > [9] http://www.heise.de/tp/r4/artikel/5/5124/1.html > > > -- > Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. > > _______________________________________________ > Gnupg-announce mailing list > [EMAIL PROTECTED] > http://lists.gnupg.org/mailman/listinfo/gnupg-announce > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users