25 Years of PGP Encryption
A quarter century ago, Phil Zimmermann wrote Pretty Good Privacy (PGP), an email encryption program offering virtually unbreakable codes for the regular public. Despite American export laws in the 1990s, the code still achieved international distribution and became a standard measure of security for groups and individuals needing privacy. Over its first fifteen years, the software went through various upgrades and versions as it matured, but its promise of high security never faltered. Today, PGP technology is available to anyone as a commercial desktop product or a freeware command-line utility, although most e-mail encryption is now done through corporately managed PKI S/MIME.
Most people cannot remember the time when Internet software came in two versions: one with domestic "strong" 128-bit encryption and one for international distribution with "weak" 56-bit encryption. This was a requirement of the American government to ensure that monitoring suspicious activity or keeping tabs on international interests could be done with ease. Despite the relaxing of export restrictions and the ubiquitous nature of SSL and PKI encryption, most users still do not know how to tell whether their sessions are secure … nor do they care.
In our contemporary world of communications, should public encryption become commonplace or is the measure overkill? Should a "trusted" escrow agent hold keys to decrypt traffic for national security? Are you comfortable knowing criminals and terrorists can communicate securely with impunity?
In the wake of Edward Snowden's leaks about government surveillance capabilities, the venerable PGP showed its applicability once again. Many of the more dominant mail encryption solutions rely on centrally managed PKI certificate trust (typically corporate) or data-at-rest encryption methods (typically personal). When data security is outsourced, it always raises the question of the integrity of the servicing entity. Even transmission paths between entities, such as TLS and SSL, are losing trust and require stronger algorithms to reinforce them. None of these methods offers trust managed directly by the user. PGP does, but it usually requires explaining to end users the various steps of getting the software, self-generating and exchanging keys, and handling data properly.