It’s one of the best paradoxes of 1998: the Security Product of the Year is not a product.
Readers voted overwhelmingly for the OpenPGP standard proposed by the Internet Engineering Task Force (IETF) because the standard may herald a new era in electronic commerce.
OpenPGP (the PGP stands for “Pretty Good Privacy”) is a method for encrypting e-mail messages. It assures security by using the digital signatures of an informal “Web of trust,” a group of e-mail correspondents who can vouch for one another.
But the protocol means more than e-mail security. “It’s not just important for e-mail, but for e-commerce as well,” says Steven Hirschman, security systems engineer for the aerospace communications division of ITT Industries Inc. of Clifton, N.J.
Steve Elliot, an analyst with market research firm DataQuest Inc. of San Jose, agrees: “OpenPGP adds security and creates a solid foundation for security in electronic commerce.” Security for e-commerce, and even e-mail and messaging, has been a big worry for many companies, he adds. “For those who have been concerned about using e-commerce, some of the murkiness is beginning to clear up.”
PGP started life on the Internet in 1991 as a protocol written by author Phil Zimmermann and passed through Pretty Good Privacy Inc., which was acquired by Network Associates Inc. of Santa Clara in late 1997. Though Network Associates has developed, and plans to continue developing, products around PGP, OpenPGP was turned over to the IETF in 1998 and became a proposed standard in November of that year.
Selling points for OpenPGP are its ease of use (especially compared to the S/MIME standard with which it competes) and its use of passwords, digital signatures, and encryption.
“It means companies can feel comfortable using it,” says Elliot, “knowing that it has the backing of the IETF and that they won’t have to worry about paying royalties.”
OpenPGP still faces a challenge from S/MIME, another standard being developed under the IETF umbrella. The IETF OpenPGP working group also acknowledges that the emerging protocol will have to deal with those companies already using a version of PGP. According to official IETF policy: “because there is a significant installed base of PGP users, the working group will consider compatibility issues to avoid disenfranchising the existing community of PGP users.”
In terms of the Security Product of the Year balloting, OpenPGP ran away from the field, gathering almost three times the votes of its nearest rival. Another Network Associates product, the Net Tools Secure suite, came in second. It represents the trend toward “one-stop shopping” for network security. Net Tools Secure was one of the first products to integrate such features as antivirus, encryption, policy management, and firewalls in the same package.
SOS (Save Our System) Pro, from Sterling Strategic Solutions Inc., of Woodlands, Texas, came in third. An inexpensive software package that combines desktop version control and Internet filtering, the package allows managers to keep track of what their users are up to.
But the runners-up couldn’t come close to the popularity of the “Product that Isn’t,” OpenPGP. It isn’t the protocol itself that’s important, says ITT’s Hirschman. “Unless it’s integrated into an application, it’s going to be difficult to use,” he says. “But if e-commerce applications have it built in, it means that I can feel more confident that those applications are secure.”
Gerald Lazar is a freelance writer in Tenafly, N.J. His own vote for product of the year went to the Furby. He can be reached at firstname.lastname@example.org.