Tough Choices: PGP vs. RSA Data Security

[Eric Hughes <hughes@soda.berkeley.edu>]

Copyright (c) 1993 Eric Hughes.  Unlike most everything else I write,
I do not grant right to use this without my express permission.  If
you want it sent somewhere else, ask me.  I'll probably just send it
there myself.

I'm going to try to give an overview of the RSADSI and PGP situation.
This is long.  I've put it in the form of premises, assertions, facts,
lemmas, theorems.  I know that below I am mostly trying to justify
RSADSI's actions.  I offer the following so that you may understand
how they view themselves.  

I also wish to offer my personal view on RSADSI.  I do not consider
them the enemy; I consider the enemy to be NSA/COMINT and those who
would destroy privacy to create Big Brother.  The RSA patent expires
in seven years; the NSA will be around long after that.  I have a
clear priority here.  This long term battle is worth winning to the
exclusion of some other desiderata.

	"Patents don't kill people.  Tyrants kill people."

I do not think we should pick fights with our allies.  The patent
battle will not be won by mere defiance, but by careful planning.  PGP
is not the right vehicle for this fight.

Every argument below is predicated on the first premise.  I know lots
of people are stronly opposed to the patents; I myself am of two minds
on the subject.  I do wish to point out that the validity of the
patents is not what I argue from, but their pragmatic effect in the
legal world.

Premise: The RSADSI patents are _de facto_ effective.  This is a
completely separate issue from whether the ought to exist, whether the
public really should have them, etc.  The fact is, the PTO granted
them, the courts will find them valid unless a lot of money is spent
in a legal challenge whose outcome is by no means guaranteed.  A large
organization with lots of money to spend (not the LPF) might have a
chance of a successful overturning, but that course of action is not
in sight.

Premise: Jim Bidzos is not in a unconstrained position; he has
repsonsibilities and restrictions and can't do whatever he might want.
The effectiveness of the patents gave rise to a commercial
opportunity.  That commercial opportunity is embodied in PKP and
RSADSI.  That opportunity was successful by any reasonable measure.
The success directly created a fiscal responsibility for the agents of
the patent owners to make money for the owners.  Bidzos can't take
actions which can reasonably be seen as threatening to his business;
the point of view here is that of the owners, no one else's.

Premise: PGP threatens the business of PKP and RSADSI.  This is fairly
explicit in the documentation; PGP intends to threaten their business.
The patent claims are denounced, variously, as unethical, immoral, and
stolen.  The docs says "Hey! we tried to get a license, and they
wouldn't give it to us, but here's the software anyway."  The point is
that the truth or falsity of these claims is not the issue.  These
statements on their face can be taken as harmful; that is sufficient.

Premise: RSADSI and PKP will defend themselves.  Seems obvious, eh?
The way to counter rhetoric is with more rhetoric, and the rhetoric of
business is the law and threats of legal action.  To my knowledge, no
actual legal actions have been made by RSADSI, but lots of threats
have been.  I also believe that RSADSI is ready to take legal action,
however.

Premise: RSADSI's main business is licensing, and licensing
individuals is not very profitable.  RSADSI has had enormous
commercial success in getting large corporations to sign up.  The only
reason to license individuals is to allow them to use non-commerical
software of one form or another.  The brute fact of the matter is that
most people just don't use non-commercial software, as a percentage of
market.  (If you disagree, consider the size of the PC deployed base
vis a vis Unix, and then consider that most of those PC's are owned by
companies, who purchase their software.)

Lemma: Licensing patents is different than licensing software.  With
software, most of your revenue stream in the long run is upgrades, not
initial purchases.  The incremental cost to produce an upgrade over
its sale price is far less than for the initial version.  With a
patent license, you get one sale and that's it.

Premise: RSADSI created RSAREF in order to license individuals.  The
purpose of RSADSI is not to suppress cryptography--it is to promote
it.  They lose very little by making a free version and they gain a
lot in terms of goodwill and preparing and educating people to use
commercial versions.  Since they don't make any money from it, there's
no reason for them to spend much money paying lawyers to draft license
agreements for products which bring in no income.  Therefore they want
all non-income uses of the patents to be filtered through a single
license.

Fact: Commercial licenses to RSAREF are available.  They have not been
advertised widely as yet, though.

Assertion: The reason that RSADSI requires that individual licenses be
mediated through RSAREF is that non-commercial software is inevitably
used in commercial contexts.  Remember, their main business is
licensing.  All software used in a commercial context must be
licensed, otherwise their main business is imperiled.  Were they to
make separate licenses for every low end product, they would be in the
same situation as if they licensed individuals--high overhead, small
return.  Therefore, they license RSAREF to companies; this allows
RSADSI to economically offer licensed use for all such low end
software packages.

Theorem: PGP does not need to threaten RSADSI's business.  By using
RSAREF, PGP can satisfy RSADSI's business requirement to control
licensing and satisfy PGP's requirement to have a free license.

Fact: RSAREF has a restricted interface which does not allow for
direct RSA cryptosystem operations.

Assertion: RSADSI is protecting their good name by restricting the
default RSAREF interface.  Jim Bidzos has told me that the reason they
use a restricted interface is to prevent people from making stupid
cryptographic mistakes and then claiming that the lack of security was
the fault of RSADSI.  Given the number of cryptographic numbskulls out
there, this concern is not unrealistic.

Fact: PGP cannot use the default RSAREF interface.  For one, DES is
embedded into that interface.

Fact: RSADSI has allowed products to go behind the RSAREF interface
before.  Their concern is that your not doing anything stupid.  PGP
isn't, so that concern is satisfied.

Fact: RSAREF requires a written request to go around the standard
interface.  Licensing is a legal issue; written words are pretty much
required in order to be responsible.

Fact: No one has ever made such a written request for PGP.  Part of
the reason has been that moving to RSAREF entails some architectural
changes, and these are still being debated.  The recent clipper
announcement delayed things as well.

Fact: RSAREF is slow.  It's only C code.  The 386 assembly code in PGP
runs about 15 times faster than the C code in RSAREF.  RSAREF
explicitly allows modifications for improved performance.  The plan is
to make the PGP assembly speedup modules available as RSAREF speed
improvements; this is another delay in getting a port done.

Fact: RSAREF can't be legally exported from the US because of the
ITAR.  Bidzos is seeking a Commerce Jurisdiction ruling for RSAREF,
which would mean that it would be permitted for export.  But until
then, PGP would have to support two versions: an RSAREF one for US
use, and a non-RSAREF one for non-US use.  This requires more
wrappers, and thus more work.

Fact: PGP development is already moving in the direction of RSAREF.
As I've stated, however, there are a number of practical problems that
have to be straightened out before software ships.

Eric