[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

My personal objection to NIST's DSS exclusive licensing proposal

[I encourage you to file objections too.  They don't have to be eight
 pages long!  One page will do.]

John Gilmore
PO Box 170608
San Francisco, California, USA  94117

August 5, 1993

Michael R. Rubin
Active Chief Counsel for Technology
Room A-1111, Administration Building,
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
Phone: +1(301) 975-2803.
Fax: +1(301) 926-2569.

Dear Sir:

I am writing to provide written evidence and argument that the grant of
your prospective license for the Digital Signature Algorithm (DSA) to
Public Key Partners (PKP) would not be consistent with the requirements
of 35 U.S.C. 209 and 37 CFR 404.7.  I am also applying for a personal,
non-exclusive, sublicensable, and transferable license for the DSA.

I propose that instead of granting a license to PKP, the Government:

        Put its DSA technology into the public domain, and

        Standardize RSA as a digital signature algorithm.

In particular, the NIST proposal must meet the following criteria from
35 U.S.C. 209 (c)(1):

   (A) the interests of the Federal Government and the public will
   best be served by the proposed license, in view of the applicant's
   intentions, plans, and ability to bring the invention to practical
   application or otherwise promote the invention's utilization by
   the public;

I argue that interests of the Federal Government and the public
will best be served by my proposed approach to the problem.

The RSA cryptosystem was strongly considered as a digital signature
standard by NIST, and was reportedly rejected for two reasons:

	(1)  RSA is patented, while NIST wanted a royalty-free algorithm.

	(2)  The National Security Agency objected to the standardization
	     of RSA, for reasons it did not specify.

The first objection is interesting; both DSA and RSA are now controlled
by patents, and both would require royalty payments by users in the
United States.  However, the RSA patents only apply in the United
States, so that the public (which includes all people on the Earth)
will be better served by standardizing on the algorithm that is
available for royalty-free use in other countries.  Also, the RSA
patent is royalty-free to the government, because it was invented with
government grants.  The patents which control the DSA are in force
worldwide, and the government does not have free use of the algorithm.
This gives a clear edge to the RSA algorithm.

Also, the patents controlling RSA will expire at least ten years
earlier than the DSA patent (if issued) and more than seven years
before the Schnorr patent which controls use of DSA.  In particular,
the RSA patent will expire on September 20, 2000, and all other patents
which control the use of RSA expire in 1997.  The Schnorr patent
expires on February 19, 2008, and the DSA patent would expire seventeen
years after it is issued, which has not occurred yet.

The traditional model of market acceptance of technology begins with a
long slow climb, requiring years, and only peaks after this momentum has
built up the proper infrastructure to support the technology.  At the
peak, many millions of people use the technology (in some cases, almost
everyone in society).  Digital signature technology has followed this
model, and is widely expected to reach millions of people within the
next five to ten years.

This is important for two reasons:

	(a)  RSA's patent will expire before or near the point when
	     this technology enters the "mass market" of millions of
	     users.  This will benefit the public by reducing the cost
	     of deploying the technology to these users.  The size of
	     the market clearly provides an economic incentive
	     sufficient to cause its deployment even in the absence of
	     exclusive licensing.

	(b)  RSA digital signature technology has already been climbing
	     the curve for many years.  Standardizing on it will produce
	     quicker deployment of digital signature technology.

PKP is already licensing the RSA technology on terms similar to the
proposed DSA terms, and has promised non-discriminatory licensing if
RSA is standardized by NIST.

As for the second problem with standardizing on RSA, the objection
of the National Security Agency, there are two possible reasons:

	(a)  NSA does not want to see a digital signature technology
	     standardized if it would also allow data encryption, 
	     because that could make interception of intelligence
	     data harder.

This objection is completely specious.  NSA does not have a valid role
in setting domestic policy.  It is a secret agency, not accountable to
the public, and explicitly prohibited by statute from operating in the
United States or against United States citizens.  Its advice to NIST
under the Computer Security Act is restricted to be of a technical
nature, not straying onto questions of policy.  NIST is required to
give full weight to the interests of the public when deliberating on
standards.  Secret agencies whose policies oppose the public interest
have no weight in NIST's standardization process.

In fact, the standardization of identical technology for digital
signatures and for key exchange and other data encryption uses would be
a *good* decision.  This technology has already been implemented in
Lotus Notes and Privacy Enhanced Mail, and is well proven to be
acceptable to users, implementable by manufacturers, and without fault
as regards domestic encryption policy.  Tens of thousands of copies
of these products are in daily use without any impact on domestic

	(b)  NSA knows of a technical reason why RSA is not suitable.

In this scenario, NSA has learned how to "break" RSA, either by 
factoring large composites, or by some other method.  The proper
response of the Government, in that case, is to publicize this
fact, in order to protect domestic communications.  Because if
NSA knows it, it's likely that opposing intelligence agencies also
know how to break RSA.  The United States is the most computerized
society, the most networked, the most communicative.  We have the
most to lose by having unsecured communications that we believe are

In addition, it's likely that the revelation of the NSA method of
breaking RSA would result in substantial progress in mathematics
in other areas besides cryptography, providing further benefit to the

Further reasons to standardize RSA rather than DSA:  The strengths and
weaknesses of the RSA algorithm are better understood by the technical
community.  More than ten years of research has gone into understanding
and implementing it.  The DSA has had much less research and thought
brought to bear on it.

A prominent cryptographer, Gustavus Simmons, alleges that the DSA
contains flaws which permit small amounts of secret information to be
conveyed in its digital signatures.  These flaws, which appear to have
been deliberately designed in, would permit the signing party to send
information to recipients of the signature, without the affected party
having any way to determine this.  For example, if a Government agency
provided a digital signature on a passport, it could secretly
communicate messages such as "this person should be searched at every
border crossing" or "this person is suspected of anti-American
leanings".  Such unproved `information' would not be tolerated by the
public if communicated on the face of the passport, but using the DSA,
an unscrupulous agency could use such suspicions to harass citizens
in the free exercise of their rights.

All of the above information should convince NIST that standardizing
the RSA technology and freeing the DSA technology would best serve the
interest of the Federal Government and the public, rather than granting
an exclusive license for the DSA technology to PKP.

The NIST proposal must also meet the following criterion from
35 U.S.C. 209 (c)(1):

   (B) the desired practical application has not been achieved, or is not
   likely expeditiously to be achieved, under any non-exclusive license
   which has been granted, or which may be granted, on the invention;

NIST's own experience with the Data Encryption Standard (DES) makes it
clear that releasing an encryption system for public use, without
assignment of exclusive rights to any organization, produces widespread
use within a short period of time.  The DES is clearly the premier
private-key encryption system in the country and in the world today.
It is used in every Automatic Teller Machine, in every bank, as well as
on the Fedwire interbank network.  A derivative algorithm is used in
the Unix password security system, which runs on more than a million
computers in daily use.  It is used in electronic mail privacy systems,
including Lotus Notes and the Privacy Enhanced Mail system for the
Internet.  It was used in secure telephones built by AT&T -- and in
fact the deployment there was too rapid for government comfort (the
FBI, NIST and NSA ended up rushing the Clipper/Skipjack program into
the public eye to prevent further deployment of telephones using this
algorithm.)  Whenever private-key encryption is used, DES is likely to
be there.  DES products are available worldwide from a large number of
chip, board, peripheral, system, and software vendors, providing data
rates ranging from very slow to a gigabit per second.

It is clear that the non-exclusive licensing of DES, as well as its
technical capability, was directly responsible for its widespread
adoption and use.  Had it been exclusively licensed, say to IBM, its
originator, it would not have enjoyed the wide use it has received.
IBM has built DES into products, but they did not sell well and capture
the market.  It was the innovative uses pioneered by others, who were
free to build on IBM's and NIST's standard without negotiations or
royalties, who produced the machines and software which has since
served large numbers of government users and the public.

The United States has a collection of programmers and cryptographers,
numbering in the hundreds, who have made significant contributions to
the development and deployment of cryptographic algorithms throughout
society.  I have seen at least ten different software implementations
of DES, freely available to everyone who wants them, including full
source code and commentary.  Each of these implementers was able to
study and build upon the work of the others, resulting in gradual
improvement of the speed and robustness of the implementations.  The
algorithm has been embedded into freely available software for
electronic mail (TIS-PEM and early PGP versions), computer network
security (Kerberos), clock synchronization (NTP), and networked voice
communications (VAT), just to name a few.  (Most of the work involved
in building these products was the software and infrastructure that was
built up AROUND the DES, by the way.)  If and when the DSA technology
is released for free use by the public, the same community will produce
widely available programs that employ it.

PKP may argue that the same development would occur, under its grant of
free noncommercial DSA licenses, but the point is that this
developement would occur WITHOUT granting an exclusive license to PKP.
And if this is true, then by statute, NIST cannot grant an exclusive

PKP may also argue that its ownership of the Schnorr patent would
prevent the development of noncommercial DSA products, unless it was
granted an exclusive license in return for allowing noncommercial use
of the Schnorr and DSA patents.  However, the record clearly shows that
even when a technology is patented (RSA, or Lempel-Ziv compression) and
when the patent owner does not have a policy of permitting
noncommercial use, the free software community will still produce
widely used programs (PGP and Compress) which produce great benefit for
the public and for the government.  These programs can be used
immediately by those willing to challenge the patent, or to whom the patent
does not apply, and can be used by everyone after the patent expires,
or if the patent owner's policy changes.

Furthermore, Public Key Partners is in the position of having paid a
lot of money for the Schnorr patent.  If the government doesn't
standardize DSA, and doesn't give PKP an exclusive DSA patent, then PKP
will have to CONVINCE people to use their expensive patent.  The
traditional way to do so is by licensing it cheaply and widely.  If
people end up wanting to use DSA even though it has not been
standardized, it's likely that a license for the Schnorr patent that
controls it will be available at a similar price to what PKP proposed
under the exclusive licensing scheme.  PKP has already granted
no-cost noncommercial licenses to other patents that it holds,
including the RSA patent, so it is certainly conceivable that it
would come to grant similar licenses for the Schnorr patent, for
the same reasons.

35 USC 209 (c)(1)(C) requires that exclusive or partially exclusive
licensing is "reasonable and necessary" to call forth capital to deploy
the invention.  The above discussion, particularly the DES evidence,
has shown that this condition does not hold.

35 USC 209 (c)(1)(D) requires that the proposed terms and scope of
exclusivity are not greater than reasonably necessary to bring the
invention to practical application.  The scope proposed by NIST is
exclusive to a single company for seventeen years.  My proposal is
partially exclusive to the same company for seven years, then would
eliminate the exclusivity completely.  The company has promised similar
terms for the licensing of the RSA patent, for that seven year period,
so the terms of the NIST proposal and my proposal are similar, though
the scope of exclusivity in mine is shorter.  My proposal continues to
provide the incentive for bringing the invention to practical
application, so condition (D) does not hold either.

The conditions in 35 USC 209 (c)(1) are joined with "and" and prefaced
with "only if"; failure to meet any one of the conditions denies the
agency the ability to issue an exclusive or partially exclusive
license.  All four conditions have failed to be met in this case, so
for NIST to grant an exclusive license to PKP would be unlawful.  The
public interest in this technology is substantial, and it is unlikely
that NIST would escape without being sued if it attempted to grant the
exclusive license anyway.  I myself contract for the full time of a
lawyer, who is currently engaged in suing the Federal Government for
its unlawful acts.  I believe that two such suits are currently in
process, against NSA and the Department of Justice.  I would not be
averse to adding NIST to the list.

In the event that NIST fails to follow my recommendation that the
DSA technology be made freely available to the public, I hereby request
a personal, non-exclusive license to practice it.  The information
required under 37 CFR 404.8 for such an applicant is:

	Invention:  Digital Signature Algorithm
	Patent application number:  07/738.431

	Type of license:  Personal, non-exclusive, sublicensable, and
	My name, address, email address, and phone number:
		John Gilmore
		PO Box 170608
		San Francisco, California, USA  94117
		[email protected]
		+1 415 903 1418

	My citizenship:  USA

	My representative to correspond with:  myself.

	Nature and type of my business:  I am a privacy advocate,
	a programmer, an entrepreneur.  Personally, I have no employees at
	this time, though I am co-founder and part owner of a business
	which employs 40 people.  I am also co-founder and on the Board of
	Directors of a foundation which employs about ten people.  I
	contract with a lawyer for his full-time services, though he
	is not an employee.

	Products and services which I have successfully
	commercialized:  I was employee #5 at Sun Microsystems, and
	contributed significantly to the success of the company, which
	is now one of the world's largest computer companies.  I have
	co-founded several businesses.  I have written several
	substantial pieces of software which enjoy wide use, including
	PD Tar, a tape archive program, GNUUCP, which provides low-cost data
	communications, and GDB, which is a very widely used debugger.
	All of these programs were developed under an intellectual
	property technology that involves giving away the program
	itself, and selling services related to the program.  The
	40-person business mentioned above supports itself solely by
	this method, and provides commercial support for GDB among many
	other products.  I am also a co-founder of the Electronic
	Frontier Foundation, which, as a non-profit educational
	foundation, has commercialized the services of advocating
	privacy and the public interest in electronic media, and the
	service of defending the public against unconstitutional or
	unlawful searches, seizures, and restrictions on rights in
	electronic media.  I have successfully organized several
	volunteer teams of programmers and writers to produce products
	which were made available to the public, without requiring
	significant investment, by leveraging the goodwill of the
	people involved, and the availability of low cost computers and
	communications media.

	Source of information concerning the availability of the license:
	Internet electronic mail, including copies of the Federal Register.

	Statement indicating whether I am a small business:  As an
	individual, I am probably not considered a small business.
	I do not seek use of the patent for business purposes, but for
	my activities in advocating privacy and anonymity in electronic

	Detailed description of plans for developing or
	marketing the invention:

		If granted this license, I would immediately sublicense
		all persons who wished to use the patent, at no charge.
		I challenge any other proposed licensee to provide a greater
		benefit at a lower cost.

		I would market the invention via online and printed
		communications, making the public and the software
		development community aware of their ability to freely
		use the invention without restraint from me or from
		the Government.

		I would negotiate with Public Key Partners to come to an
		agreement on terms by which noncommercial use of the
		Schnorr patent could proceed.  Such availability would
		lead the way to commercial applications, as has happened
		with the RSA algorithm.

		I believe that minimal time and investment capital
		would be required in this endeavour:  less than a month
		of my personal time, spread across several months of
		elapsed time, and less than $20,000 in investment,
		which I have available from personal funds.

		My capability and intention to fulfill the plan is shown
		by my record of achievements listed above.

		I and my sublicensees intend to practice the invention
		in all fields of use.

		I and my sublicensees intend to practice the invention
		in all geographical areas, limited only by Government-
		imposed export restrictions.

	I have not applied for nor been granted previous licenses for
	federally owned inventions.

	I believe that the DSA is being practiced by a small number
	of companies in private industry, and is being practiced by
	the Government and its contractors in conjunction with the
	Capstone program of the NSA.

	Further information which I believe will support a determination
	to grant me the license:  If NIST truly wishes that the public
	be granted the maximum capability to use this invention, then
	granting me this license, or in the alternative, granting a
	royalty-free license to everyone, would best achieve that goal.


John Gilmore