
To Prospective PGP Customers:

03 August 2005
PGP Corporation produces information security software that uses cryptography to control access to messages and data. Over the years, users of cryptographic software have had concerns about the quality of that software. These concerns focus not only on software quality control, but also the possibility of deliberate flaws in the software that have been introduced to allow governments or other parties to read encrypted data. The history of cryptographic systems is such that concerns about deliberate flaws, or “backdoors,” have been legitimate.

PGP software contains no backdoors. It contains no deliberate flaws. It is constructed with the full cryptographic strength of the algorithms it implements. No third party such as a national government or other agency has been permitted to tamper with PGP software. We, the executives of PGP Corporation, give our assurance that PGP software operates as its users would expect it to. The software we sign and distribute has been created with all the care we can provide.

However, we also understand customers may require more than a simple letter stating assurance. A long-standing mantra of security is, “Trust, but verify.” Some customers may have the legitimate fear that PGP Corporation itself has been unknowingly compromised, and despite our best intentions, the software we produce may still contain backdoors or other intentional flaws. Therefore, we offer a number of mechanisms our customers can use to verify, audit, or even produce the binary software. In short, when it comes to the quality of PGP software, our customers shouldn't have to take our word for it. They should be able to verify and validate PGP software themselves.

As a matter of policy, we make the source code for PGP® Desktop available on our website for download at http://www.pgp.com/downloads/sourcecode/index.html. The software supplied here is the source code for the PGP Desktop product and includes the sources for the PGP Software Development Kit (SDK), the cryptographic toolkit we use to build all our products. Anyone, anywhere on the Internet may download that code and verify that it operates as advertised. Note that this source bundle does not include the build tools for the software or the sources for the installers. We are, however, willing to supply these to customers.

We do not supply the complete sources for PGP® Universal for unlimited download. PGP Universal is not application software, but a complete computer system, including cryptographic software, a base operating system, setup and shutdown procedures, automatic maintenance procedures, and a management console. The complete sources for PGP Universal are available as a product that we are happy to supply at reasonable cost. We do supply the sources for all GPL-licensed software we have modified as part of producing PGP Universal. These sources of GPL-software modifications are also available from the same page on our website.

We recognize that merely supplying source code is not sufficient for some organizations to trust the quality of PGP software. Even after verifying that the source supplied has no backdoors, it is a leap of faith to accept that the software we produce was built from those sources, and only those sources. Consequently, we are happy to supply at reasonable cost through our professional services organization the complete build environment we use to build our products so customers know the software they are using came from the source code they verified by building it themselves. Obviously, such customers must still abide by the software licenses for the software they build. Please also note that we do not sign any software build someone else produces; we only sign software built in our own environment with our own procedures.
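The check a customer would run after rebuilding in the supplied build environment, shown here as an added example rather than code from PGP Corporation or this letter: hash every regular file in the vendor-distributed tree and in the locally rebuilt tree, then list the paths that changed, are missing locally, or appear only locally. The directory layout and file names in the demo are constructed for illustration and are not real PGP artifacts.

```python
"""Check that a locally rebuilt product tree matches a vendor-distributed one.

Walks both trees, hashes every regular file with SHA-256, and reports which
paths changed, are missing from the local build, or appear only locally.
"""
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(vendor, local):
    """Classify differences between two {path: digest} manifests."""
    return {
        "changed": sorted(p for p in vendor if p in local and vendor[p] != local[p]),
        "missing": sorted(p for p in vendor if p not in local),
        "extra": sorted(p for p in local if p not in vendor),
    }


def builds_match(vendor_root, local_root):
    """Return (True, report) when every file matches byte for byte, else (False, report)."""
    report = compare_manifests(digest_tree(vendor_root), digest_tree(local_root))
    return not any(report.values()), report


def _write(root, rel, data):
    """Create rel under root, making parent directories as needed."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed sample trees; file names are hypothetical, not real PGP artifacts."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"   # what the vendor shipped
        local = Path(tmp) / "local"     # what we built from the audited sources
        for root in (vendor, local):
            _write(root, "bin/app", b"\x7fELF constructed binary")
            _write(root, "docs/README", b"constructed readme\n")
        _write(vendor, "lib/libsdk.so", b"vendor sdk bytes")
        _write(local, "lib/libsdk.so", b"locally built sdk bytes")      # differs
        _write(vendor, "etc/defaults.conf", b"shipped only by vendor\n")  # missing locally
        _write(local, "build.log", b"left behind by the local build\n")  # extra locally
        return builds_match(vendor, local)


if __name__ == "__main__":
    ok, report = demo()
    print("match" if ok else "MISMATCH", report)
```

Byte-identical output presupposes a deterministic build: compilers and linkers that embed timestamps or absolute build paths will produce digests that differ even when the sources and toolchain are the same, so a non-empty "changed" list is the starting point for an investigation, not automatically evidence of tampering. As the letter notes, PGP signs only its own builds, so a locally rebuilt binary that does not match has to be explained file by file rather than re-signed.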

Should a customer desire it, we can even supply at reasonable cost the complete source code management system we use for software management. This source repository contains all the modifications made to PGP software from version 5.0 through the latest version. Customers can thus examine every check-in made to the sources by all its developers from 1997 to the present.

To summarize, in addition to our assurances about the quality of PGP software, we are willing to provide the following:

  • Software sources to any products purchased so customers can audit and verify the quality of PGP products.
  • Code management trees of PGP products so customers can examine and verify the software at the module level as well as the individual modifications all our developers have made over the years.
  • Build environments for these products that enable customers to build these products so they know the software built from the verified sources actually came from those sources.

We value customer concerns about our software. We understand that information security software, particularly cryptographic software, is not like other software, and we are happy to work with customers to help them independently verify the quality of PGP products. Should there be any other requests or requirements customers have about audit and verification of our software, they should not hesitate to discuss these with us.

Kind regards,

Jon Callas,
CTO & Chief Security Officer

Phillip Dunkelberger,
President & CEO


"PGP Corporation is the only commercial encryption vendor that publishes its source code, which has been under scrutiny by the world's cryptography experts for years. Even though we didn't read every line of code, this practice convinced us that its products were safe to use."

Keld Viftrup Møller, Security Designer,
H. Lundbeck A/S
