As business use of the Internet was taking off in mid-1998, I began hearing this consistent message from IBM AS/400 users: “We need encryption to protect our data as it moves over the Internet.” I only needed to hear this a few times before I began looking at incorporating encryption options into our file transfer applications.
My research included talking to a handful of encryption vendors, before finding an application called “Pretty Good Privacy,” or PGP. The application was the work of Phil Zimmermann and a small cohort of fellow off-the-map developers. I researched Phil a bit before contacting him, and — uh oh — I found he had been in trouble with the US government back when encryption was considered a “munition.” So it was with a little hesitation that I decided to place a call to this “outlaw” programmer.
By this time, the controversy over Phil’s activities had died down, and many of the restrictions on encryption had been relaxed. I found it surprisingly easy to get his phone number, get Phil on the phone, and see what he thought about using PGP on large systems.
We had a good conversation about PGP and its prospects for becoming a commercial standard for data protection. Phil was very helpful and we discussed some of the technical issues in porting PGP to the AS/400. He encouraged me to take the leap into the PGP project, and gave me referrals to the development team in charge of the commercial version of PGP. That call and his encouragement were crucial to our efforts over the next 10 years to bring PGP encryption to large IBM platforms.
After some twists and turns, and a few months of laboring in the trenches, we released the first version of PGP for the AS/400. The port to the AS/400 turned out to be a really big challenge. The C compiler was in its infancy, and we struggled with its limitations. And the ASCII to EBCDIC conversions were a nightmare. But we got the product released in 1999. It was very popular and remains so today. We now have hundreds of customers using PGP to protect their data.
PGP is now the de facto standard for whole file encryption in eCommerce. It is deployed by banks, insurance companies, medical suppliers, payroll servicers, and a wide variety of other organizations. Almost every organization on planet Earth deploys PGP to protect sensitive data. Phil’s vision of PGP becoming a widely accepted method of protecting data has become a reality.
Of course, PGP has been through some changes over the years. New encryption algorithms such as AES and Elliptic Curve Cryptography have been added. The product found a new home at PGP Corporation, and has undergone steady development since then. We have a great relationship with the folks at PGP, and many of them have been working with the product from the first days.
PGP Corporation recently completed a FIPS-140 certification of the PGP technology, and this was an important step. As we watch the evolution of security standards, I believe that independent certification by NIST will be crucially important in the months and years ahead. I know from personal experience that certification is hard to do and demands a deep commitment on the part of an encryption vendor. But there is no substitute for the rigor and discipline that it requires.
Here at PTSS we continue to incorporate PGP into new solutions. It’s a rock-solid platform on which to build. I’m happy to continue working with PGP Corporation, and you’ll be hearing from us soon about some of our new developments that incorporate PGP encryption.
After all these years, I’m grateful for Phil’s words of encouragement back in 1998. And I am reminded to never underestimate what a few encouraging words can do. Thanks, Phil!