One of the best known protocols for secure communication is OpenPGP. It all started with Philip Zimmerman’s creation of a public key encryption tool called PGP in 1991. Since then, ownership of the main codebase has changed hands a few times, and an encryption protocol standard called the OpenPGP standard has been created. A number of other pieces of software that implement that protocol have been created along the way as well.

For a long time, the only OpenPGP tools people used with any frequency were the official PGP and the GnuPG implementation.

In recent years, the custodians of the core PGP codebase have been PGP Corporation, and though it was operated as a closed source, commercial vendor for security software — an industry mostly filled with sketchy snake oil peddlers — PGP Corp was mostly staffed by people who liked open source software and cared about personal privacy. Customers could view the source, minus license enforcement components, which is not exactly the best practice for assurance of software security, but is a darn sight better than the way most security vendors handle things.

Alas, things are not looking well on that front. As of April 2010, Symantec Corporation announced an agreement to acquire PGP Corporation. Perhaps it is worth withholding judgment for now, but given Symantec’s reputation in the security community as a security software vendor in recent years one might be forgiven for thinking this is the end of an era for the Pretty Good Privacy tool.

GnuPG, meanwhile, was the GNU Project’s open source (the GNU people would say Free Software) implementation of the OpenPGP protocol. It kept up with the times in terms of encryption capabilities, but its features have become an eclectic mix of feature creep and lacking features, combining a “write output to file” option where a simple shell redirect would suffice with an inability to check multiple server sources to verify a cryptographic signature.

A number of articles about the use of GnuPG have been published at TechRepublic over the years, including the following:

Things have been proceeding apace, however. Neither strictly copyright-enforced PGP nor copyleft GnuPG filled a needed niche: an OpenPGP implementation that uses the best licensing model for security software. Less than two years ago, Options for OpenPGP offered a short list of copyfree licensed implementations:

Unfortunately, none of these four offerings served as a suitable replacement for either PGP or GnuPG. Each is old and outdated, designed for too narrow a purpose, or simply not intended as an end-user tool. Fortunately Alistair Crooks, of NetBSD fame, took it upon himself to resolve that little discrepancy. The result of his hacking on OpenPGP SDK sources is netpgp, what amounts to a drop-in replacement for GnuPG for most purposes.

It is still in development, and still needs testing for certain important uses such as Mutt integration. Basic encryption, decryption, and signing capabilities are reportedly stable, however, and Alistair Crooks is hard at work — with help from contributors, including Debian developers — on improving it. With luck, it should be a complete GnuPG replacement in no time. Then, we will be able to count the number of major production-ready OpenPGP applications at three.