Phil Zimmermann: PGP Marks 10th Anniversary
Jun 06, 2001, 02:55
[ Thanks to Alan Olsen for the tip ]

Date: Tue, 5 Jun 2001 17:26:41 -0700
From: Philip Zimmermann <firstname.lastname@example.org>
Subject: PGP Marks 10th Anniversary

Today marks the 10th anniversary of the release of PGP 1.0.

It was on this day in 1991 that I sent the first release of PGP to a
couple of my friends for uploading to the Internet. First, I sent it
to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized
in grassroots political organizations, mainly in the peace movement.
Peacenet was accessible to political activists all over the world.
Then, I uploaded it to Kelly Goen, who proceeded to upload it to a
Usenet newsgroup that specialized in distributing source code. At my
request, he marked the Usenet posting as "US only". Kelly also
uploaded it to many BBS systems around the country. I don't recall
if the postings to the Internet began on June 5th or 6th.

It may be surprising to some that back in 1991, I did not yet know
enough about Usenet newsgroups to realize that a "US only" tag was
merely an advisory tag that had little real effect on how Usenet
propagated newsgroup postings. I thought it actually controlled how
Usenet routed the posting. But back then, I had no clue how to post
anything on a newsgroup, and didn't even have a clear idea what a

It was a hard road to get to the release of PGP. I missed five
mortgage payments developing the software in the first half of 1991.
To add to the stress, a week before PGP's first release, I discovered
the existence of another email encryption standard called Privacy
Enhanced Mail (PEM), which was backed by several big companies, as
well as RSA Data Security. I didn't like PEM's design, for several
reasons. PEM used 56-bit DES to encrypt messages, which I did not
regard as strong cryptography. Also, PEM absolutely required every
message to be signed, and revealed the signature outside the
encryption envelope, so that the message did not have to be decrypted
to reveal who signed it. Nonetheless, I was distressed to learn of
the existence of PEM only one week before PGP's release. How could I
be so out of touch to fail to notice something as important as PEM?
I guess I just had my head down too long, writing code. I fully
expected PEM to crush PGP, and even briefly considered not releasing
PGP, since it might be futile in the face of PEM and its powerful
backers. But I decided to press ahead, since I had come this far
already, and besides, I knew that my design was better aligned with
protecting the privacy of users.

After releasing PGP, I immediately diverted my attention back to
consulting work, to try to get caught up on my mortgage payments. I
thought I could just release PGP 1.0 for MSDOS, and leave it alone
for a while, and let people play with it. I thought I could get back
to it later, at my leisure. Little did I realize what a feeding
frenzy PGP would set off. Apparently, there was a lot of pent-up
demand for a tool like this. Volunteers from around the world were
clamoring to help me port it to other platforms, add enhancements,
and generally promote it. I did have to go back to work on paying
gigs, but PGP continued to demand my time, pulled along by public

I assembled a team of volunteer engineers from around the world.
They ported PGP to almost every platform (except for the Mac, which
turned out to be harder). They translated PGP into foreign
languages. And I started designing the PGP trust model, which I did
not have time to finish in the first release. Fifteen months later,
in September 1992, we released PGP 2.0, for MSDOS, several flavors of
Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in
about ten foreign languages. PGP 2.0 had the now-famous PGP trust
model, essentially in its present form.

It was shortly after PGP 2.0's release that US Customs took an
interest in the case. Little did they realize that they would help
propel PGP's popularity, helping to ignite a controversy that would
eventually lead to the demise of the US export restrictions on strong

Today, PGP remains just about the only way anyone encrypts their
email. And now there are a dozen companies developing products that
use the OpenPGP standard, all members of the OpenPGP Alliance, at

What a decade it has been.

5 June 2001
Philip R Zimmermann http://web.mit.edu/prz
tel +1 650 347-9743 email@example.com
fax +1 650 348-4849 See web site for PGP keys