A Statement from Philip R. Zimmermann
Senior Fellow, Network Associates
Founder, PGP Inc.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to address the rumors concerning the cryptographic
integrity of PGP, including recent versions made by Network
Associates, as well as recent freeware versions built and
released by Stale Schumacher on his website in Norway at
http://www.pgpi.org. These rumors allege that these versions
of PGP contain back doors for the US Government to access the
plaintext messages or keys. I do not know how such
sensationalist conspiracy theories get started, but they seem
to come from people who believe that The X-Files is a documentary.

Let me assure everyone that all versions of PGP that are released
from Network Associates have the same cryptographic integrity as
all previous versions of PGP that were released since the old
days before I started my company, PGP Inc. In fact, no version
of PGP in which I have been personally involved has ever had any
back doors or any other mechanism to intentionally weaken PGP.
That includes versions released by MIT, PGP Inc, Network
Associates, or Stale Schumacher.

After all the hardship and legal persecution that I endured to
bring PGP to the world, I find it surprising and offensive that
anyone would think that I would quietly stand by and tolerate
any compromise in the cryptographic integrity of PGP.

When Network Associates acquired my company in December 1997,
they also acquired the same engineering team that we had put
together at PGP Inc, a team dedicated to the same principles of
personal privacy that led me to create PGP. This team is still
working on PGP today, and will continue to help me protect the
integrity of PGP. Network Associates has not shown the slightest
interest in compromising the integrity of PGP. They recognize
that it would not be in their business interests to do so.

We have always published the source code for every version of PGP
for peer review purposes, and Network Associates has carried on
that tradition. Anyone may download the source code for PGP from
www.pgpi.org and examine it for any back doors. Stale Schumacher,
an independent PGP activist who is not an employee of Network
Associates, has done all the builds since PGP 5.0i for the
freeware versions of PGP in Europe. I have known Stale for
several years and I know that he is committed to the same
political principles of privacy as I am. I feel confident that
Stale would never compromise the integrity of PGP in the versions
that he builds for distribution on his site. Nonetheless, anyone
who worries if the binary executables for PGP are trustworthy may
compile the code themselves and rebuild the binaries for their
own personal use, as long as they do not redistribute such
rebuilt binaries for others to use.

Philip Zimmermann
http://www.pgp.com/phil
28 October 1999

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOBjV4GPLaR3669X8EQItwACfd/1OGzgiemOiWzB6Zw23W8XKpTAAoPLE
hAZjB37PKSmSwMe40hcEiEbk
=MYsO
-----END PGP SIGNATURE-----