In my previous post I offered the views of another. In this one I add my own views.
Topher Belknap wrote:
> On Tue, 30 Dec 1997 12:17:54 -0800, David Sternlight
> <da...@sternlight.com> wrote:
> >In a post to another list, a highly experienced and knowledgeable observer
> >makes the argument that PGP is dead but the PGP community doesn't yet realize it.
> I would assume that the 'life' of a piece of software would be
> measured by the amount that it is used. With that metric, the above
> makes no sense. So, what metric should be used?
> >One pillar of his argument is that among significant hardware and software
> >corporations only Qualcomm supports PGP (excluding from the count, of course,
> >Pretty Good Privacy Inc. or its successor), while S/MIME is supported by just
> >about everyone else--IBM, DEC, Apple, Netscape, Microsoft, etc. etc.
> >(excluding from the count, of course, RSADSI).
> I suspect that it will be supported if the users (of all encryption
> software) demand it (with obvious caveats for Microsoft).
Almost no one with significant money "demands" a particular crypto package.
And much (if not most) of PGP use is via "free" users, who thus carry little
marketplace weight in vendor decision making. I have the sneaking suspicion
(this is not an assertion nor do I have any data) that when the historical
data is finally seen, PGP's full-package sales will be found to be derisory
compared to the size of the free user base, and not enough to justify an
acceptable-return-on-investment commercial operation at scale. After all, if
it were otherwise why would the Pretty Good Privacy Inc. stockholders have
sold out at this relatively early date in their corporate history, and for
what some readers here have felt was so little?
> I would say that the usage of encryption in e-mail etc. is in its
> infancy and that the potential for growth is huge.
I agree. But I think a 30-million or more installed base already for S/MIME
(and each copy with royalties paid to RSADSI by the software vendor) tells the
story. How many royalty-paid copies of PGP are out there in the Eudora Pro
package? How many copies of the full commercial PGP package have PGPI2 sold?
> I would predict
> that eventually at least 90% of all (non-spam) email will be
> encrypted. Given that, it would seem a little early to accurately
> predict the eventual outcome, to say nothing of a single winner.
You may be right.
> similar prediction made about WWW browsers at the (to me) same stage
> in its growth would have made mosaic the big winner.
Mosaic was not a commercial product and indeed was a near-first iteration. As
soon as a better product came out it vanished, for all practical purposes.
This discussion isn't about freeware (as I understand the original writer's
contention) but about commercial success in the marketplace. I think there
will always be free copies of PGP available, and there may even eventually be
free stand-alone versions of SMIME 3 (though I doubt it since that has to be
bound in with productivity software to be really useful).
Even there, how long can free PGP users resist the massive penetration of
S/MIME in the marketplace installed base? More and more PGP users will
discover that they cannot communicate securely with, or authenticate traffic
from users who "turn on" what they already have. More and more, I think PGP
will become marginalized to small, niche networks where it is most useful.
> >Another pillar of his argument is that Pretty Good Privacy Inc. was just
> >barely rescued from bankruptcy.
> Since it is now owned by a healthy company, it hardly seems a good
> basis for a prognosis of ill-health. If he was saying that it was
> unprofitable, that is another question, though I suspect that the same
> could be said of any encryption program at the moment.
He was saying just that, as I understand it. And it cannot be said for RSADSI,
which (as I understand it) is not only happily profitable and busily
collecting royalties for many products (including S/MIME) but also is
expanding and running a major crypto research lab out of their cash flow. They
have huge and rapidly growing world-wide attendance at their annual conference
(which costs about a thousand bucks to go to, excluding transportation). Did
PGPI2 even have such a conference?
I think a brief visit to the SEC data base will tell the story on both Pretty
Good Privacy Inc. and RSADSI, though I haven't the time to do that. Perhaps
our skillful researcher and pointer-catcher, Ed Stone, would like to take on
As to the current owners of PGP, as I understand it (and please correct me if
I'm wrong), they said they bought it to use incorporated in their own
specialized products. While they won't (and probably cannot) turn away service
and support for the existing product line, whether they'll push it with any
vigor and what that will accomplish remains to be seen. Of course I wish them
success--competition is always good for all parties, and there are important
applications where web-of-trust is appropriate. But I don't see them competing
successfully against Netscape and Microsoft in mail markets.
> >I'd source him directly, but the arguments above have nothing to do with the
> >persona making them, and that might be an interference for some in addressing
> >substance. (No, I'm not talking about myself as the source.)
> Well, the persona is important if you are going to claim him to be
> 'highly experienced and knowledgeable'.
That was just my throat-clearing. Please ignore it--it has nothing to do with
the substance of this discussion.
> >Comments on substance?
> It is a little thin. For instance, this is the first I have heard on
> this forum, that PGP Inc. was in jeopardy of bankruptcy. Do you have
> any more information on that? Also have any of the above companies
> said that they would _not_ support PGP, especially if it is part of
> the IETF spec?
Beats me. Bankrupt is bankrupt and is an event in the here and now, not in the
"might be someday". There is a limit to which arms-length capitalists will go
in pouring money into a company, and Pretty Good Privacy Inc.'s backers
weren't the committed creators of PGP, but rather "ordinary" high-tech
capitalists with the conventional decision rules about sunk costs being sunk
(bygones being bygones) aka not throwing good money after bad. And they can
read events, markets, and cash flow statements as well as the next man. As I
warned almost a year ago, once Netscape and Microsoft committed to S/MIME
rather than PGP, the game was pretty much over once they delivered on that
commitment (as they have). My position then, as it is in this paragraph, is
that of a business economist and not a partisan of one approach or another.
Don't get me wrong. I LIKE PGP for many purposes, and use it where I think it
appropriate. But liking isn't the same as business success, as any Beta home
VCR buyer can tell you.
Putting it another way, the only arena in which PGP can have continuing
success, in my view (here I part company with the original commentator) is in
the "free" community. And that will require both an ongoing body of developers
willing to give away their time and effort, and a willingness of users to use
a pre- and post- crypto processor as competing offerings become more and more
tightly embedded in productivity software.
The cost to the end user of an integrated crypto capability is so low that it
seems free when embedded in (say) a Netscape and Microsoft product. At the
same time the royalty stream from the software vendor to the crypto firm is
massive. It's the same principle as gasolene profits as a percentage of the
pump price. It is the choices of the vendors that will count as long as the
users aren't so dissatisfied as to create an opening for Microsoft (say) as
against Netscape (say) to offer something different and take on the
compatibility issue as well. Again we're back to the Beta vs. VHS matter in
That is why the original advocate cited the massive vendor adoption of S/MIME,
vs. only Qualcomm's adoption of PGP, as significant. Consider the royalties to
PGP from the number of copies of Eudora Pro out there. Now consider the
royalties to RSADSI from the number of copies of Netscape Communicator and
Microsoft Internet Explorer out there, plus other applications that use
S/MIME. It's a pretty dramatic story and what is more with the huge base of
NS/MS mail flowing out there, how long can Qualcomm resist before itself
And Qualcomm may not matter to this issue. From the rave reviews and reviewer
adoptions for Outlook Express (bundled with Explorer) as their mailer of
choice, Eudora Pro's PC market share must thereafter have taken a noticeable
drop. With the Mac release of Outlook Express soon to follow (Eudora owes part
of its success to the Mac market), another drop is sure to follow. And the
final nail in the coffin will be the new version of Microsoft Office, which
will include Outlook Express as a component.
> At what point does it get too fuzzy to tell who won anyway, are we
> talking about algorithms, or formats, or programs? If the exact PGP
> format and algorithms are adopted by everyone, but PGP Inc. goes
> bankrupt did they win? Is PGP dead?
Beats me. If a tree falls in the forest and no one hears it, did it make a
sound? How many angels can dance on the head of a pin?