[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Digital Signature Scandal
[The following is an official announcement from the League for Programming
Freedom. Please redistribute this as widely as possible.]
Digital Signature Scandal
Digital signature is a technique whereby one person (call her
J. R. Gensym) can produce a specially encrypted number which anyone
can verify could only have been produced by her. (Typically a
particular signature number encodes additional information such as a
date and time or a legal document being signed.) Anyone can decrypt
the number because that can be done with information that is
published; but producing such a number uses a "key" (a password) that
J. R. Gensym does not tell to anyone else.
Several years ago, Congress directed the NIST (National Institute of
Standards and Technology, formerly the National Bureau of Standards)
to choose a single digital signature algorithm as a standard for the
US.
In 1992, two algorithms were under consideration. One had been
developed by NIST with advice from the NSA (National Security Agency),
which engages in electronic spying and decoding. There was widespread
suspicion that this algorithm had been designed to facilitate some
sort of trickery.
The fact that NIST had applied for a patent on this algorithm
engendered additional suspicion; despite their assurances that this
would not be used to interfere with use of the technique, people could
imagine no harmless motive for patenting it.
The other algorithm was proposed by a company called PKP, Inc., which
not coincidentally has patents covering its use. This alternative had
a disadvantage that was not just speculation: if this algorithm were
adopted as the standard, everyone using the standard would have to pay
PKP.
(The same patents cover the broader field of public key cryptography,
a technique whose use in the US has been mostly inhibited for a decade
by PKP's assiduous enforcement of these patents. The patents were
licensed exclusively to PKP by the Massachusetts Institute of
Technology and Stanford University, and derive from taxpayer-funded
research.)
PKP, Inc. made much of the suspect nature of the NIST algorithm and
portrayed itself as warning the public about this.
On June 8, NIST published a new plan which combines the worst of both
worlds: to adopt the suspect NIST algorithm, and give PKP, Inc. an
*exclusive* license to the patent for it. This plan places digital
signature use under the control of PKP through the year 2010.
By agreeing to this arrangement, PKP, Inc. shows that its concern to
protect the public from possible trickery was a sham. Its real desire
was, as one might have guessed, to own an official national standard.
Meanwhile, NIST has justified past suspicion about its patent
application by proposing to give that patent (in effect) to a private
entity.
Instead of making a gift to PKP, Inc., of the work all of us have paid
for, NIST and Congress ought to protect our access to it--by pursuing
all possible means, judicial and legislative, to invalidate or annull
the PKP patents. If that fails, even taking them by eminent domain is
better (and cheaper in the long run!) than the current plan.
You can write to NIST to object to this giveaway. Write to:
Michael R. Rubin
Active Chief Counsel for Technology
Room A-1111, Administration Building,
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
(301) 975-2803.
The deadline for arrival of letters is around August 4.
Please send a copy of your letter to:
League for Programming Freedom
1 Kendall Square #143
P.O.Box 9171
Cambridge, Massachusetts 02139
(The League for Programming Freedom is an organization which defends
the freedom to write software, and opposes monopolies such as patented
algorithms and copyrighted languages. It advocates returning to the
former legal system under which if you write the program, you are free
to use it. Please write to the League if you want more information.)
Sending copies to the League will enable us to show them to elected
officials if that is useful.
=====================================================================
APPENDIX G: THE LETTERS I INTEND TO SEND
========================================
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr Ross N. Williams
Rocksoft Pty Ltd (ACN 008-280-153).
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
Michael R. Rubin
Acting Chief Counsel for Technology
Room A-1111
Administration Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
4 August 1993.
Dear Mr Rubin,
As a concerned member of the Australian public, and as a director of
an Australian software company, I am writing in response to the notice
"Notice of Proposal for Grant of Exclusive Patent License" published by
NIST in the U.S. Federal Register, Vol. 58, No. 108, dated June 8, 1993
under Notices and relating to U.S. Patent Application No. 07/738.431 and
entitled "Digital Signature Algorithm." This notice affects myself and my
company in its relationship to the US commercial environment and because
of the propagation of patent claims internationally. The notice states
that:
>The prospective license will be granted unless, within sixty (60)
>days of this notice, NIST receives written evidence and argument
>which established that the grant of the license would not be
>consistent with the requirements of 35 U.S.C. 209 and 37 CFR 404.7.
I am writing because I believe that the license is NOT consistent with
the requirements of 35 U.S.C. 209. Here's why.
In 35 U.S.C. 209. part (c)(1), the requirements specify a list of conditions
(A)..(D) all of which must be met before a U.S. Federal agency may grant an
exclusive or partially exclusive license. Part (A) says:
>(A) the interests of the Federal Government and the public will
>best be served by the proposed license, in view of the applicant's
>intentions, plans, and ability to bring the invention to practical
>application or otherwise promote the invention's utilization by
>the public;
I do not wish to debate this clause as satisified or not satisifed except
to note that this clause defines NIST's primary goal as the public benefit,
not the private.
>(B) the desired practical application has not been achieved, or is not
>likely expeditiously to be achieved, under any non-exclusive license
>which has been granted, or which may be granted, on the invention;
There is no reason why the DSA standard should not be widely
implemented without the benefit of any patents at all. I am aware of
the potential conflict that prospective implementers might have with
Public Key Partners (PKP) of Sunnyvale California. However, I believe
that this problem should be resolved by the free market and the patent
system rather than by NIST.
>(C) exclusive or partially exclusive licensing is a reasonable and
>necessary initiative to call forth the investment of risk capital and
>expenditures to bring the invention to practical application or
>otherwise promote the invention's utilization by the public; and
The history of innovation and technology diffusion in the computing
industry clearly indicates that, in the absence of PKP, there would be
no requirement to boost risk capital with the use of patents in order
to diffuse the technology. As soon as a technologically workable
standard is proclaimed, it will be adopted. In particular, the cost of
implementing the standard in software is likely to be less than
$30,000. As a result there will soon be many implementations.
>(D) the proposed terms and scope of exclusivity are not greater than
>reasonably necessary to provide the incentive for bringing the invention
>to practical application or otherwise promote the invention's
>utilization by the public.
It is clause (D) to which I mainly take exception. In (A) I asserted
that the goal of NIST should be the public good. In (B) and (C) I
asserted that for a much-awaited cheap-to-implement standard such as
the DSA, patents are not required in order to attract risk capital.
These two clauses in combination with (D) imply that NIST should be
doing its best to deliver the standard into the public domain, and if
this is not possible, licensing it in the least-restrictive manner
possible.
Under the current proposal, NIST will license the DSA patent to PKP
indefinitely; that is, until it runs out in the year 2010. However,
PKP's patents, (which in the light of (A),(B), and (C) should be the
sole motivation for the license proposal) expire in 1997 or soon
after. This flies in the face of clause (D) which permits NIST to
grant at most only the minimum reasonable license, in this case a
license lasting only until 1997, after which the DSA patent should be
placed in the public domain. This argument applies independent to any
arguments stating that PKP have committed to behave in a certain
"limited" way once granted the DSA patent licence; my argument applies
to the time period over which the patent license is granted not the
manner in which PKP conduct themselves during the period in which it
is granted. Ideally thought, NIST should not grant DSS to PKP at all.
I hope that the above provides a convincing argument that NIST would
not be complying with the requirements of 35 U.S.C. 209.(c)(1)(D)
if it executed the proposed license.
--O--
There are many alternatives to the proposed license that NIST could
pursue. For example, NIST could simply issue a general public license
to DSA. Or NIST could use it's patent powers to impose the following
condition on all implementors:
Condition: All implementations of the DSA must be constructed in
accordance with <<new standard that NIST suboffice can create>>
so that DSA can be quickly and cheaply replaced with other algorithms
at a later date.
If this move were adopted now, it would pave the way for RSA in 2000,
or perhaps for an even better, hitherto uncreate, algorithm.
Other, more aggressive strategies exist that could solve the problem
too, the extreme being the taking of PKPs patents by "eminant domain".
However, I realize that this would be extreme and am writing primarily
to submit the objections given above.
In addition to the above, I enclose three letters applying for:
1) A license of DSA for myself to use DSA.
2) A license of DSA for myself to implement and distribute DSA for free.
3) An unlimited commercial license for my company Rocksoft Pty Ltd,
or failing this a non-commercial license.
I would like to end this letter on a lighter note...
During times of drought a farmer noticed that his cow was looking a bit
thin so he sent his son out with the cow to find some nice green grass
to munch on so that the cow would grow fat and yield lots of milk. The
son walked the cow for miles and miles (making the cow even thinner in the
process), but couldn't find any grass (this is actually the Australian
outback). In the end he found a nice green paddock and set the cow grazing.
Later the son returned to the homestead:
Farmer : How'd it go son? Do we have a happy cow now?
Son : Well sort of; I had trouble finding a grassy paddock.
Farmer : But you found one in the end didn't you?
Son : Yes, and I put the cow in the paddock. But soon another farmer
came running out. He said it was his paddock --- he had rented it
for three years --- and that I couldn't graze my cow there without
giving him some milk. It was the only green paddock there was.
Farmer : So what did you do?
Son : I gave him the cow.
Thank you for your kind attention. Please do not hesitate to contact
me if you require any more information or clarification of the above.
Yours sincerely,
Ross Williams
-------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr Ross N. Williams
Rocksoft Pty Ltd (ACN 008-280-153).
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
Michael R. Rubin
Acting Chief Counsel for Technology
Room A-1111
Administration Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
4 August 1993.
Dear Mr Rubin,
I am writing in response to the notice "Notice of Proposal for Grant of
Exclusive Patent License" published by NIST in the U.S. Federal Register,
Vol. 58, No. 108, dated June 8, 1993 under Notices and relating to
U.S. Patent Application No. 07/738.431 and entitled "Digital Signature
Algorithm." The notice states that:
>Applications for a license filed in response to this notice will be
>treated as objections to the grant of the prospective license.
>Only written comments and/or applications for a license which are
>received by NIST within sixty (60) days for the publication of this
>notice will be considered.
As such, I would like to apply, on behalf of my company Rocksoft Pty Ltd
for a license of this patent. The following information is provided in
accordance with 37 CFR 404.8.
(a) Identification of the invention:
Title: "Digital Signature Algorithm (DSA)."
Patent Application Serial Number: 07/738.431.
United States Patent Number: To be issued as 5,231,668, I believe.
(b) The type of license required is a commercial license requiring
no royalties, OR FAILING THAT A NON-COMMERCIAL (i.e. non-profit) LICENSE
requiring no royalty payments.
(c) The organization applying for the license is "Rocksoft Pty Ltd",
a company incorporated in Australia, whose formally registered address is
c/- Nelson Wheeler
200 East Terrace
Adelaide 5000
Australia
whose Australian Company Number is 008-280-153, and whose postal
address (please address correspondence to this address) is:
16 Lerwick Avenue
Hazelwood Park 5066
Australia.
(d) The representative of Rocksoft is:
Name : Dr Ross N. Williams.
Address: 16 Lerwick Avenue, Hazelwood Park 5066 Australia.
Phone: +61 8 379-5020.
(e) Rocksoft is a software consultancy employing only Ross Williams.
The company has not yet successfully commercialized any products.
(f) Source of information concerning availability of a license: various
sources, including your Federal Register notice.
(g) I am unable to determine whether Rocksoft Pty Ltd may be formally
classified as a small business firm under 404.3(c). However, I would
be very surprised if it is not, unless there is some requirement for
it to be incorporated in the US.
(h) Development plan. If a license is granted, Rocksoft will attempt
to create an implementation of the DSA and either sub license it as a
component or embed it in products requiring digital signatures. No plans
more specific than this can be provided at this time.
(1) Rocksoft expects that many hundreds of programmer hours could be
committed to the project. Very little capital is available.
However, if a license is secured, this may become available.
(2) NO further statement on a development plan can be made at present.
(3) Fields of use: Rocksoft wishes to use the technology in many
diverse fields.
(4) Geographic are of use: The whole world. Failing this, just Australia.
(i) No previous licenses have been granted to Rocksoft under Federally owned
inventions.
(j) Known uses of DSA by industry or government: I have heard that ISC
sells a product called dsaSIGN, and that Bellcore has implemented DSA.
(k) Any other information. I am aware that one of the goals of the
licensing of Federally owned inventions is to promote small business
in the US and Rocksoft is a small business in Australia. I am
hoping however that this application will be successful because it
is an application for a non-exclusive, non-transferrable license.
I understand that NIST may grant an exclusive DSA license to PKP,
and that this license application will be treated as an objection
to the PKP license. I would like this application to be treated as
such.
Thank you for your kind attention. Please do not hesitate to contact
me if you require any more information or clarification of the above.
Yours sincerely,
Ross Williams
-------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr Ross N. Williams
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
Michael R. Rubin
Acting Chief Counsel for Technology
Room A-1111
Administration Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
4 August 1993.
Dear Mr. Rubin:
I hereby apply for a personal license to use the Digital Signature
Algorithm.
1. Title of invention: Digital Signature Algorithm (DSA).
2. Patent Application Serial Number: 07/738.431.
3. United States Patent Number: To be issued as 5,231,668, I believe.
4. Source of information concerning availability of a license: Various
sources, including your Federal Register notice.
5. Name and address of applicant:
Dr Ross N. Williams
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
6. Applicant's representative: not applicable.
7. I am an Australian citizen.
8. Approximate number of persons employed: not applicable.
9. I am not a small business firm.
10. Purpose: I would like a personal license allowing me to implement
and use DSA. See #12.
11. Business and commercialization: not applicable; see #10.
12. Plans: I plan to use DSA to attach digital signatures to a variety
of electronic documents, primarily for authentication. I plan to use DSA
implementations, initially in software but perhaps later in hardware,
from a variety of potential future sources. Investments: I may spend
many hours programming a DSA implementation.
13. Fields of commercialization: not applicable; see #10.
14. I am not willing to accept a license for less than all fields of use
of DSA.
15. I intend to implement and use DSA throughout the world. However,
failing this a license for Australia and the U.S.A. would be appreciated.
Failing this, a license for just Australia would still be useful.
16. Type of license: I would like a non-exclusive license which does not
require royalty payments.
17. I have never been granted a license to a federally owned invention.
18. Known uses of DSA by industry or government: I have heard that ISC
sells a product called dsaSIGN, and that Bellcore has implemented DSA.
19. Other information: I understand that NIST may grant an exclusive
DSA license to PKP, and that this license application will be treated as
an objection to the PKP license.
Please note that PKP has stated its intent to make DSA free for personal
use. Therefore, if NIST grants PKP a license and PKP acts according to
its stated intent, there is no harm to anyone if I am granted this
personal license. However, I do not trust PKP to act according to its
stated intent, and I do not want to have to apply for a license from PKP
even if it is royalty-free. So I ask that you grant me a license
directly.
Thank you for your kind attention. Please let me know if you need more
information.
Yours sincerely,
Ross Williams
-------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dr Ross N. Williams
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
Michael R. Rubin
Acting Chief Counsel for Technology
Room A-1111
Administration Building
National Institute of Standards and Technology
Gaithersburg, MD 20899
4 August 1993.
Dear Mr. Rubin:
I hereby apply for an implementor's license permitting me to sublicense
the use of the Digital Signature Algorithm.
1. Title of invention: Digital Signature Algorithm (DSA).
2. Patent Application Serial Number: 07/738.431.
3. United States Patent Number: To be issued as 5,231,668, I believe.
4. Source of information concerning availability of a license: Various
sources, including your Federal Register notice.
5. Name and address of applicant:
Dr Ross N. Williams
16 Lerwick Avenue
Hazelwood Park 5066
Australia
Net : [email protected].
Fax : +61 8 373-4911 (C/-Internode Systems)
Work : +61 8 379-9217
6. Applicant's representative: not applicable.
7. I am an Australian citizen.
8. Approximate number of persons employed: not applicable.
9. I am not a small business firm.
10. Purpose: I would like a license allowing me to let others freely
use my implementation of DSA, i.e., allowing me to sublicense the use of
DSA at no cost. See #12.
11. Business and commercialization: not applicable; see #10.
12. Plans: I plan to create a source-code implementation of DSA in
software, using computer resources which are already available to me.
I plan to give this implementation to anyone who asks, and perhaps to
publish this implementation via electronic or non-electronic means, for
study and use by the academic and non-academic communities. I hope to
have people hear about this implementation by a variety of means,
including word of mouth.
13. Fields of commercialization: not applicable; see #10.
14. I am not willing to accept a license for less than all fields of use
of DSA.
15. I intend to implement DSA in Australia (but distribute my implementations
throughout the world).
16. Type of license: I would like a non-exclusive license which does not
require royalty payments.
17. I have never been granted a license to a federally owned invention.
18. Known uses of DSA by industry or government: I have heard that ISC
sells a product called dsaSIGN, and that Bellcore has implemented DSA.
19. Other information: I understand that NIST may grant an exclusive
DSA license to PKP, and that this license application will be treated as
an objection to the PKP license.
Let me emphasize that this is not a commercial license application. I do
not intend to collect any fees for the use of this implementation.
Thank you for your kind attention. Please let me know if you need more
information.
Yours sincerely,
Ross Williams
-------------
=====================================================================
---<End of Document>---
Paul Ferguson | "Government, even in its best state,
Network Integrator | is but a necessary evil; in its worst
Centreville, Virginia USA | state, an intolerable one."
[email protected] | - Thomas Paine, Common Sense
I love my country, but I fear its government.