[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PGP: Re: Tough Choices: PGP vs. RSA Data Security
- To: Cypherpunks <[email protected]>
- Subject: PGP: Re: Tough Choices: PGP vs. RSA Data Security
- From: [email protected] (Edgar W. Swank)
- Date: Mon, 03 May 93 13:37:17 PDT
- Comments: Liberty!
- Organization: SPECTROX SYSTEMS (408)252-1005 Cupertino, Ca
The conflict between RSA and PGP -may- be about to be solved. You all may
recall my "announcement" of an effort to create a USA-Legal version of
PGP by incorporating RSAREF code. Among several offers to help, I
received the following messages:
========================================================================
To: spectrx!edgar (Edgar W. Swank)
Subject: Re: PGP: USA-Legal PGP Project
In-Reply-To: Your message of "Wed, 28 Apr 93 01:02:23 PDT."
<[email protected]>
Date: Wed, 28 Apr 93 12:37:30 -0600
From: "L. Detweiler" <szebra!longs.lance.colostate.edu!ld231782>
>I confirmed with Jim Bidzos, President of RSA, who was
>present at the meeting, that a USA Legal version of PGP could be
>constructed by just replacing certain sections of code with free code
>from RSAREF. Since source for both PGP and RSAREF are available, this
>sounds like an easy job. Since no-one's actually done it yet, perhaps
>it's not, but I will try. I hope I haven't bitten off more than I can
>chew. At best, I can compile and test only the MSDOS version of PGP. I
>will certainly need help if USA-Legal MAC, AMIGA, UNIX, etc. versions
>are to be available.
I'm sorry Mr. Bidzos didn't tell you, but the PGP development group is
already looking very seriously into integrating RSAREF, and one person
[email protected] (Paul Rubin) has already done it. If you would
like to join the list send mail to [email protected] (Philip
Zimmermann).
==========================================================================
Date: Wed, 28 Apr 93 19:32:55 PDT
From: szebra!america.Telebit.COM!phr (Paul Rubin)
Message-Id: <[email protected]>
To: spectrx!edgar
Subject: PGP: USA-Legal PGP Project
>I confirmed with Jim Bidzos, President of RSA, who was
>present at the meeting, that a USA Legal version of PGP could be
>constructed by just replacing certain sections of code with free code
>from RSAREF.
Not quite true. RSAREF's license requires that the RSAREF routines
be called only in certain ways unless special permission is obtained.
Calling the RSAREF routines in the generally permitted manner won't
work with PGP because PGP's file format is different than what RSAREF
expects. PGP needs to call RSAREF in a non-standard way which is
easy technically, but needs special permission from Bidzos. Attempts
to get such permission have thus far been inconclusive.
======================================================================
I am msging Phil Z. to ask to be placed on "the list". I'm also
trying to get more details from Paul Rubin, offering my assistance,
and forwarding to him the other offers of assistance I received.
It remains to be seen whether RSA's witholding of permission to use
non-standard interfaces to RSAREF is reasonable or designed to be
obstructive. When we find out, I think we should choose sides (if we
-need- to choose sides) accordingly. It looks like the PGPers have
made a good faith effort to at least meet RSA halfway.
A "PGP-like" "consumer" crypto product which does not exchange keys
and messages with PGP will -not- be acceptable. Any such product
produced here will almost certainly be export restricted. I am -not-
willing to give up my present ability to exchange keys and encrypted
data with PGP users outside the USA. (I'm currently exchanging
encrypted e-mail with persons in Poland(!!), Germany, and Taiwan).
PGP is currently an -international- standard, and, because of ITAR,
it's likely to be the -only- international standard for a long time to
come.
Note that current PGP is legal outside the USA -only- for
non-commercial purposes (Phil Zimmerman's "copyleft"). If a
USA version is approved by RSA, it will be legal only for
non-commercial use inside the USA (RSA's patents & copyrights on
RSAREF).
If PGP becomes popular (even more so than at present, it's already the
leader) worldwide for individual non-commercial use, businesses are
going to want a PGP-compatible product they can use for exchanging
encrypted data with their (non-business) -customers-.
For example, encryption is a good idea if you're ordering merchandise
with your credit-card number.
Jim Bidzos has told me that Phil Z. or anyone else can get a license
from RSA for $20,000 plus minimum $10,000/yr. royalties. If we say we
don't want to spend more than 50% of our revenues on licensing, then
if Phil can get $60,000 of firm orders for a -commercial- USA version
of PGP, he's in (a very profitable) business. $60,000 might be 600
copies at $100 or six site licenses at $10,000.
Also, if a -foreign- software producer wants to license a commercial
version of PGP useable only overseas, he only needs to deal with Phil
(& maybe the other PGP co-authors). But the effect of this would just
be to increase the market for a USA commercial version (for businesses
who wanted to exchange encrypted data with other businesses, or their
own subsidiaries, overseas).
I guess anyone who wants to can get onto Phil's list. I'd prefer if
you all didn't bombard Paul Rubin with E-mail. I'll post more details
of this project here as I get them (unless I'm asked not to).
--
[email protected] (Edgar W. Swank)
SPECTROX SYSTEMS +1.408.252.1005 Silicon Valley, Ca