PGP vs. RSADSI--what conflict?



Cypherpholks--

Neither abandoning PGP nor antagonizing RSADSI seems necessary to me.
This letter makes a 3/4 page summary of that belief after which I 
mention some interesting side issues.

Eric Hughes' understanding of the situation confirms my intuitions--
	RSADSI pretty much has to either act the way it's acting
		or else just roll over.
and	They seem agreeable to a technically good PGP/RSAREF connection.
but	That's work.

On the middle point, in particular I don't think they'll insist we use
DES or a slow engine.  For people who don't get why those restrictions seem 
to be there but aren't, I suggest rereading Eric's article.

Although I have strong feelings about the patent issue, and although it
affects the privacy issue, I definitely put the privacy issue first.
Given that it seems we can separate the two issues, I don't see why we
shouldn't.  
 
Although I agree with Tim that being non-confrontative with RSADSI is
smart, I don't see PGP and RSADSI as quite so hard to reconcile as he
seems to:

> If the government ever outlaws strong crypto, you can be sure I'll be 
> using outlaw crypto.  The difference with the current situation is 
> that crypto per se has not yet come under regulation.)

And PGP per se is not outlaw.  Only the current version and lack of license.
Let's conceptually separate PGP, Phil's RSA/MD5 engine (PGRE?), and using/
distributing PGRE in the USA.  Only the third is a problem with RSADSI.
  
> ...bootleg
> crypto (which is what PGP will remain in this country unless and until the
> courts overturn the patents or RSA suddenly decides to cave in)...

Pshaw.  Until it's worked out.  No "sudden caving in" is needed.  Tim, you 
were the one who reported that Jim Bidzos was sounding agreeable.

> Furthermore, neither Phil nor any other members of the development team are
> likely to ever make any money with this 
                                     ^^^^ PGRE
Phil could finally solicit shareware fees.

Now the side issues:

There could conceivably be an issue in the future for people working with 
RSAREF--who have SEEN THE CODE--and then wanting to develop other crypto
stuff later.  People have attempted to avoid this legal hassle in the past
by setting up a "clean room" where only specs and interfaces are known...

RSAREF is copyrighted stuff, right?, which puts you in a slightly different 
legal position when you have it/distribute it.  Assuming PGP gets a 
license to be shareware, I see this being less of a problem than the 
current situation.

But even if PGP gets some kind of license, would individuals still have
to sign agreements with RSADSI?  I feel more serious about personal
agreements than copyrights or patents.  Will it be the standard RSAREF 
individual license?  Does it require you to *act as if* they had rights
some of us care about them not having?  (Rights to the specific code don't 
bother me too much.)

> (isn't e-mail great?...Stanton posts it, and Jim Bidzos, the
> Pres. of RSA responds...no lawyers were needed, no lengthy delays.).

At the CFP conference that Tim missed ~{;o), Cliff Stoll was remarking that
eventually all sorts of nasty things happen related to the net--except
lawsuits.  We guessed that the availability of the quick, public response 
might have a lot to do with that.  Here we have a threat; can anyone 
think of an example of an email-related suit that was carried through?

-phnerd, er, fnerd
quote me
[email protected] (FutureNerd Steve Witham)