May 1993 - cypherpunks-legacy

PGP on soda.berkely.edu
by Hal 01 May '93

01 May '93

-----BEGIN PGP SIGNED MESSAGE----- I want to thank Tim for taking the time to help clarify what he had in mind in proposing that we reconsider our support for PGP in the face of PKP's assertion of patent rights: > I completely agree and nothing I have ever said suggests we place all our > faith in his company or any other institution. What I have said--several > times, now--is that a frontal attack on the RSA patents, via highly public > postings of PGP and a "Fuck you!" approach to talking with patent owners, > is not the best strategy at this time. Speaking in generalizations can only go so far. It's more useful to consider specific actions which might be in keeping with this philosophical approach. I don't have many problems with our being civil to RSADSI. We don't need to spit in Bidzos' face whenever we meet him, refuse to shake his hand, whatever. Tact is OK. And the proposal to make a U.S.-legal version of PGP can't hurt anything, either. Moves in this direction have been going on for some time. Several months ago a patch was inserted to make certain data structures be compatible with RSA's PKCS standards, and therefore with RSAREF. This would allow RSAREF to be used if permission were gained to call it at an entry point not on the allowed list. However, this version of PGP would still be incompatible with pre-2.2 versions. To make a fully compatible version of PGP you not only have to call RSAREF at an undocumented entry point, you also have to modify the code slightly. All this has been going on for a few months. Eric Hughes deserves a lot of credit for encouraging progress in this direction, but I think Phil fundamentally agrees as well. One advantage of a U.S.-legal version of PGP is that its very existence would mean that no one HAD to use it. Sending out a PGP signed message would no longer be incriminating, even if you used the older (and presumably faster) version of PGP. There would be no way to tell from external observation which PGP users were using the legal one and which were using the illegal one. They would be functionally equivalent, but the legal one would be slower. (I find this rather amusing, actually, as it just goes to show the illogic of PKP's position.) What are some other issues that might arise in a move away from PGP, and an adoption of a less confrontational attitude towards RSADSI? One is the existance of PGP on the Cypherpunks server. Presumably this could be replaced by the legal version once that becomes available, but in the mean time it might have to disappear. I would oppose removing it unless a legal replacement were ready. Another suggestion that I have heard rumored is that Bidzos might be invited to join the list. I would strongly oppose this. I am also not comfortable with having him be a participant at Cypherpunks meetings but since I don't attend them I don't really have the right to complain. Tim has suggested, if I understand him, that we in some sense work to improve MailSafe and other RSA products. I don't really like the idea of doing unpaid consulting work for a commercial outfit. If I am going to work for free, on my own time, I'd like to see the software made freely available. So any work with RSA should be on freeware products, in my opinion. Improve RSAREF, not MailSafe. Another issue is whether people would be discouraged from discussing infringing projects on the Cypherpunks list or at the meetings. Suppose somebody wants to talk about a socket-based DC net protocol which uses Diffie-Hellman key exchange to initialize a shared PRNG for random bit generation. Oops, DH is a PKP patent. Again, I feel that this kind of project is entirely appropriate for the list and the group. Does this fall into Tim's confrontational category: "distributing infringing code whenever possible"? I'm not sure. (I have to confess, given the 15 hour delay in my message posting the other day (while a short message I dashed off 12 hours later appeared in a few minutes), that I thought perhaps a filter had been installed to prevent PGP-signed messages from appearing. Of course, my message did eventually appear, the delay being just a technical glitch. I assume that no one would support banning PGP-signed messages from appearing on the list.) A really sticky issue is our public attitude towards Bidzos cracking down on unauthorized crypto. What if some lone wolf out there does decide to go to the mat on PGP or some other infringing software? Whose side do we take? (Refusing to take a position is a de facto support of PKP, IMO.) I guess we'd have to hope that this never happens. Gee, it sure seems strange to HOPE that no one ever stands up to PKP. I have to say on this point that I can't accept the idea of Cypherpunks moving into a Sternlight position of support for PKP's crackdowns. I'd be interested in hearing other specific suggestions for changes which might result from Tim's suggestion. This might help focus the discussion better. === To the extent that Tim is proposing that we encourage efforts to make a U.S. legal version of PGP, and even replace the current version of PGP on the Cypherpunks FTP site with the legal version when that becomes available, I have no problem with it. To the extent that he suggests that we be polite and courteous in our public talk about RSADSI, I can accept that as well. But to the extent that anyone is proposing to go beyond this into some of the other areas I listed above (and I have no idea exactly what anyone has in mind specifically), I think the many problems I and others have listed in earlier messages provide strong arguments against such measures. Hal 74076.1041(a)compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBK+KBE6gTA69YIUw3AQE77QQAnbYSx8cqvvraaJGeUXDKJT0mQVv/HbAj r5IehVCB5/fMeZiaY9ERdBOwllgvJiTRzN3tsHJAkd8QTz9Puv5UgVXLbjPWdQvS 5XPYFkH+A4Kaos+Rlwo1ufLQ1S3eFyV35L6e9CptgYqni/QQoZFhU7Wjqlv5QQmH KcE2xEMLMas= =JL8R -----END PGP SIGNATURE-----

1 0

*** ACT NOW !!! ***
by x62727g2＠usma8.USMA.EDU 01 May '93

01 May '93

I thought this list was supposed to have a lot of technical stuff--something on the order of disseminating new ideas on the cutting edge of crypto-technology. Most everything I see these days seems purely political. If there are problems with RSA v. PGP or the Wiretap Chip (and there definitely are!!!) then we should concentrate on designing our own. We can do things like redesign and code the engine in PGP which is normally handled by the RSA proprietary code and we can work to come up with voice encryption alternatives to the Wiretap chip. In other words, let's start using resources other than talk. Talk is cheap but actions are the catalysts of change. I am interested in working with people (perhaps you) on projects involving crypto, computers, and telecommunications. If any of you are serious enough to do more than talk, perhaps we can organize a team to vigorously pursue these projects. Anthony J. Gatlin |-------------------------------------| Cadet Private, Co. G-2 |PGP Public Key available on request. | United States Military Academy |-------------------------------------|

1 0

Re: Tactics.
by uni＠acs.bu.edu 01 May '93

01 May '93

>From which: promulgating underground crypto *as a safety measure*, *just in case* is one thing, but doing it to get in RSA's face is way premature. I'd say start by working with RSA to the extent possible, keeping at it until there is success, and then if the govt tries to slam public key, that's the time to break out the insurrectional approach. But not before. The adrenaline rush of a big bad confrontation is a feel-good drug to a lot of people but we have to be *smarter than that.* -gg *** So spoke gg(a)well.sf.ca.us I agree.... After reading my message over, I realized that many might see what I said as a call to arms. It is not. Instead I suggest we all stay OUT of RSA's face. But neither in my opinion shall we find outselves unwitting partners with RSA only to find ourselves sold out. uni (Dark)

1 0

Re: Tactics.
by George A. Gleason 01 May '93

01 May '93

Re confrontation vs realpolitik: in political action there is something called "premature escalation of tactics." That means things like having a sit-in before you've even tried having a petition drive. Once you've escalated it's very very hard to go back to a less intense tactic, because it looks like you're vacking down. So good organisers escalate gradually: letter writing, then petitions, then voter initiatives, then maybe mass rallies, then maybe peaceful civil disobedience, and only if those things fail, then more confrontational tactics. We should take a clear lesson from that. Look at some of the ones who succeeded: Martin Luther King, Cesar Chavez, and so on. Start moderate, get more intense only if moderation fails. >From which: promulgating underground crypto *as a safety measure*, *just in case* is one thing, but doing it to get in RSA's face is way premature. I'd say start by working with RSA to the extent possible, keeping at it until there is success, and then if the govt tries to slam public key, that's the time to break out the insurrectional approach. But not before. The adrenaline rush of a big bad confrontation is a feel-good drug to a lot of people but we have to be *smarter than that.* -gg

1 0

Re: 800 numbers
by George A. Gleason 01 May '93

01 May '93

Outdial services: we most certainly will as soon as we install our first digital exchange (Community Dialtone; email me for more if you're interested). Now we've got a bit of a quandary here, what if someone uses it to make bomb threats or such? So I was thinking, save the CDR data on that and make it available under court order? What's the general consensus of opinion here as to our responsibility in these areas? More on outdial services: if you want to set up your own, I can provide a Teltone M-106 adaptor, for which you'll need a 24-volt key system power supply and some 8-pin phone hardware and two lines. Dial in on one, connect, and out on the other. We have a bunch of these in stock right now; I gave some to some friendly folks for setting up a service, but they haven't yet. So maybe giving them away means the price is too low...? Okay, send me $200 for one, or tell me you're definitely committed to using it once you have it. (gg(a)well.sf.ca.us) -gg ..

1 0

Tactics.
by uni＠acs.bu.edu 01 May '93

01 May '93

Let me phrase the issue in slightly different terms. Which of the following strategies do you folks think will best improve the chances that strong crypto remains legal? 1. CONFRONTATION: We fight RSADSI at every step. We engage them in legal battles, we distribute infringing code whenever possible. We get PGP spread to thousands of users, perhaps tens of thousands of users at bootleg, underground sites. (Remember that businesses cannot use PGP without fear of prosecution, fines, whatever...unless the Cypherpunks win their lawsuit against RSADSI, sometime around 1997 or so, at the rate these cases move through the courts.) 2. REALPOLITIK: We concentrate instead on spreading strong crypto into as many ecological niches as possible: individuals, corporations, e-mail packages, attorney-client transactions, and so on. We emphasize the legal, constitutional right to communicate messages in the language of our choice (that is, we have no obligation to speak in languages eavesdroppers can more easily understand). To head off government moves to act against PGP and similar systems, the parts of PGP that conflict with RSA's patents are modified, thus becoming legal to use (and Phil even has a chance to make some money, which he sure as hell can't do now). *** So spoke Tim May. I don't see these issues as mutually exclusive. What may be necessary is to seperate the efforts, to bring the PGP operation farther underground. To remove the connection between PGP distrubtuion and the more "Realpolitik" move to keep crypto legal. I admit that some users like Tim, and the more progfessional of us might find this impossible, but for the academics and others who don't have to don a suit and work everyday, underground crypto might be the only real answer. Consider this, no one ever wins when you fight the government at its own game. If they plan to outlaw crypto (a very real possibility in my view, regardless of more realpolitik efforts) all that we have to rely on is the underground channels. It's time (IMHO) to find ways to disguise PGP output in other types of data, pict or whatever. At the same time, it is possible to pursue more overt and legit methods, my fear is these will produce less in terms of real crypto than will the underground movements. *** All I've argued is that the "in your face" approach has its limits. Most of the PGP users are, I think we'll all agree, hobbyists and hackers who downloaded it, played with it, learned some crypto from it, exchanged keys, etc. Probably not too many critical uses, YET. But the popularity suggests a hunger for strong crypto. *** So spoke Tim May. Yes... yes... LEARNED SOME CRYPTO FROM IT. This is the KEY point here. How many people out there joined cypherpunks and became interested in crypto because of PGP? (I'm raising my hand) Sure I was interested and even tinkered with my own code before I knew cypherpunks existed, but it was PGP that did it. Education is the key. I said before, and I will say again: Most people could give a squirt about crypto. 99% of people is my guess. You all saw how pro Clipper most of the newspaper reports were, how willing they were to change phrases like "more secure than many of the algorithms on the market" to "the most secure algorithm to date." A real politik method is limited because most people could give a care about the issue. The people who seem most passionate about it, in my experience are the ones who have played with PGP. I, for one cant seem to get anyone else to care. I've talked to about 15 people outside the internet about Clipper, and most forgot all about it when the next beer came. No one will learn jack from the bullshit crypto that Clipper represents. It will become a transparent process that anyone could care less about with regard to security. Back to the days of the Black Chamber. The Clipper/Capstone move indicates the government wants to head this off at the pass. The question is whether the bootleg and infringing PGP (and Phil admits to all this in his docs, obviously) has a better chance of succeeding than a fully legal and already spreading RSA solution? ^^^ So spoke Tim May. I don't think either will make much difference. Clipper has caught us before the danger has become apparent to most. You really think an RSA solution that is really secure is going to catch, especially if it conflicts with Clipper, if the government has anything to say about it? I've got to be real honest. I'm beginning to be afraid to open my mouth on this subject anymore. Maybe I'm paranoid, but I look at how hard the government is trying to sell Clipper and processes like it and I am stunned. Nothing works this fast. A company like AT&T is NOT about to jump on the bandwagon quickly unless they KNOW something. To me its plain that the intent is to regulate crypto. Before then I plan (hope) that PGP finds its way into MANY hands. That's the only real weapon I see. Consider it a safety net to catch us if Tim's REALPOLITIK fails. I hope it doesn't, Tim, I hope not but I'm going to hope for the best and prepare for the worst. I intend to use strong crypto when I like. uni (Dark)

1 0

REALPOLITIK = Choosing Battles Carefully
by tcmay＠netcom.com 01 May '93

01 May '93

(Cyphergang, this is going to have to be my last post for a while on this thread. The points have been made. Some agree with me, some call me treasonous. I say what I think. -TCM) Hal Finney writes: .....stuff elided.... >First, I don't see that the interests of RSADSI are fully aligned with >ours regarding Clipper. Despite PKP's success in accumulating patents, >Clipper per se does not appear to infringe, being based on a new symmetric >cryptosystem. So they don't have any direct leverage over the use of >Clipper. That's right, they don't. Clipper/Skipjack/Capstone looks to be well-planned move to reassert government control over crypto, with various government modules replacing existing modules (as with the DSS signature standard, which uses the El Gamal algorithm). Whether RSADSI is upset, I don't know. I suspect so. Bidzos was quoted as saying "Clipper is an arrow aimed at the heart of my company." (source: Eric, who saw it in a newspaper) ... >In fact, Clipper in some ways represents a major market opportunity for PKP. >To the extent that the publicity leads to increased sales of encrypting >phones, PKP may benefit from the success of the Clipper. This could be. I don't think enough is known to answer this. I suspect the "end run" theory mentioned above. If Bidzos thought Clipper was a great thing for his company, he wouldn't be busily lobbying to help kill it, nor would he have shown up at ur emergency meeting to tell us what he knew. >(The follow-on Capstone project does appear to pose a greater threat to >PKP, since it will use DSS (for key exchange???).) Capstone is not really a "follow-on," in the sense that it is due to be announced *this month*, if I recall correctly. It's very far along, I believe. More like a "one-two punch." And, yes, it appears to be a major threat to us all. But we'll have to wait and see, I suppose. > >Furthermore, in any future government prohibition on non-Clipper cryptography, >our greatest nightmare, it is plausible that the government would "take care" >of PKP by making sure that they get a nice piece of the pie. I could easily >imagine a situation in which non-Clipper crypto is banned, Clipper is >widely distributed, and PKP is doing very well financially with a slice >of the profits from every sale. I think I mentioned somewhere that I put Bidzos on the spot with what I called "The 64-bit Question": Are you going to cut a deal and sell us out? Bidzos was very sober when he answered this, and said, roughly: "If you mean will I conspire with the government to deny strong crypto to users, no. But if Clipper and Capstone are destined for deployment and they come to us and offer royalties, what choice will we have? We have a duty to our shareholders." And as he was leaving for the day, he leaned in the door to our meeting and said, as if to reiterate the point, "Tim, I won't sell you out." (Please don't use this recollection of what he said for a dissection of what he really meant, what RSA is really doing, etc. I have already said that Bidzos said he knew nothing about the Clipper program until we all did. And so on.) >Even if Jim Bidzos were personally committed to widespread, strong, public >cryptography, and opposed Clipper for fundamental philosophical reasons >(just like us), he would be faced with a conflict of interest. As several This is not clear. Deploying strong crypto could be more lucrative to RSADSI than having the government deploy its own Capstone "CA" (Cryptographic Algorithm, the new acronym du jour) and paying RSADSI some token amount for some small piece of the package. >people have pointed out here, Bidzos has a fiduciary responsibility to >his shareholders to maximize profits for his twin companies. If it comes >down to a choice between opposing Clipper on principle and accepting it >along with guaranteed profits, he may be forced (in the same sense in which >he is forced to send threats to Stanton McCandlish) to back Clipper. > >So, even if Bidzos is personally a nice guy I think we need to remember >that his company may not be a natural ally of ours. I completely agree and nothing I have ever said suggests we place all our faith in his company or any other institution. What I have said--several times, now--is that a frontal attack on the RSA patents, via highly public postings of PGP and a "Fuck you!" approach to talking with patent owners, is not the best strategy at this time. >I like Tim's .sig and all it represents. But frankly, it is hard for me >to square a commitment to radical change with the proposed alliance with >PKP. Part of the trouble is that I still don't understand exactly what >our relationship with RSADSI is proposed to become. But at a minimum it >sounds like we would avoid supporting activities which would infringe >on their patents. There's no proposed alliance being talked about. See previous paragraph. I don't expect anyone to necessarily agree with my politics. > >That means that when we want to start working on some of those things in >Tim's .sig, we are in many cases going to have to get Jim Bidzos's >permission. Can you imagine asking something like this: > >"Dear Jim: We request permission to use the RSA algorithm for an >implementation of digital cash which we will distribute in an underground >way among BBS's all over the world, with the goal being the support of >"information markets, black markets, [and] smashing of governments" >(to quote Tim's excellent .sig). "Please sign on the dotted line >below. Yours truly, an anonymous Cypherpunk." Of course not! Nobody has suggested this. This is a straw man. Being nonconfrontational in some areas (aka "living to fight another day," aka "choosing your battles carefully") doesn't mean any kind of mutual approval pact has been signed. I want strong crypto first and foremost. Then the other stuff can perhaps follow. If crypto privacy is outlawed now, if the War on Drugs and "What have you got to hide?" approaches win out, then all is lost. >How, exactly, are we supposed to progress towards Crypto Anarchy if we >have to be sure not to step on PKP's toes? Do we just not ask him for >permission (in which case we are in PGP's boat)? Do we ask for permission >without revealing the full scope of the project (in which case it may be >rescinded later)? I am not being facetious here. I honestly don't see >how you can carry out Cypherpunk activities with a corporate sponsor. Asked and answered. Let me phrase the issue in slightly different terms. Which of the following strategies do you folks think will best improve the chances that strong crypto remains legal? 1. CONFRONTATION: We fight RSADSI at every step. We engage them in legal battles, we distribute infringing code whenever possible. We get PGP spread to thousands of users, perhaps tens of thousands of users at bootleg, underground sites. (Remember that businesses cannot use PGP without fear of prosecution, fines, whatever...unless the Cypherpunks win their lawsuit against RSADSI, sometime around 1997 or so, at the rate these cases move through the courts.) 2. REALPOLITIK: We concentrate instead on spreading strong crypto into as many ecological niches as possible: individuals, corporations, e-mail packages, attorney-client transactions, and so on. We emphasize the legal, constitutional right to communicate messages in the language of our choice (that is, we have no obligation to speak in languages eavesdroppers can more easily understand). To head off government moves to act against PGP and similar systems, the parts of PGP that conflict with RSA's patents are modified, thus becoming legal to use (and Phil even has a chance to make some money, which he sure as hell can't do now). I'll take #2 and worry about digital money and anonymous systems later. Strong crypto is logically prior to everything else. All I've argued is that the "in your face" approach has its limits. Most of the PGP users are, I think we'll all agree, hobbyists and hackers who downloaded it, played with it, learned some crypto from it, exchanged keys, etc. Probably not too many critical uses, YET. But the popularity suggests a hunger for strong crypto. The Clipper/Capstone move indicates the government wants to head this off at the pass. The question is whether the bootleg and infringing PGP (and Phil admits to all this in his docs, obviously) has a better chance of succeeding than a fully legal and already spreading RSA solution? (The issue of PGP's feature set versus that of MailSafe's is secondary to the main issues...between RSAREF, RIPEM, OCE, and other RSA-based systems, the features can be found. I expect a compromise along these lines, mixing parts of PGP with parts of RSAREF, is going to happen.) As for Stanton McLandish's removal of PGP from his site, Eric Hughes and others have explained the legal issues in great detail. Of course, anyone who really wishes to take on the RSA patents in a big way is perfectly free to place PGP on his U.S. site, advertise it heavily in sci.crypt so that RSADSI cannot possibly claim to have missed it, tell Bidzos to get lost when the inevitable "cease and desist" warning arrives, and then follow through with the several-year legal battle that will result. Strong crypto is far more important that this petty issue of patents. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay(a)netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement

1 0

Patent Bullshit and Crypto Restrictions.
by uni＠acs.bu.edu 01 May '93

01 May '93

Eli, in his infinate wisdom, says: However, I don't see RSA doing a hell of a lot to promote crypto use -- the opposite, in fact. Their software output is hardly impressive for a corporation of a decade's standing. They won't sell me a license -- they'll sell it to Lotus, but I can't see their source code. The government hasn't banned public-key encryption, but it's banned patent-infringing public-key encryption. And for practical purposes, that's the only kind there is. The combined effect of present patent law and RSA's "sue first, write code later" approach has been to stifle the development of cryptography in this country and in the world. Perhaps if encryption algorithms were not encumbered, they would already be in common use, rendering Clipper untenable. If RSA Inc. wishes to sell me a license I shouldn't have to buy, that would be nice. If they wish to show their change of heart in some other way, that would be nice too, as long as it doesn't come with a licensing agreement like RSAREF's. But if they're going to continue to sit on their patents, I'll do without their blessing. Incidentally, I don't think the issue of algorithm patents is as minor as some have portrayed it. It has blocked the use of RSA, after all, giving Clipper a window. Furthermore, there are patents on approximately every other cryptographic technique: PK in general, exponential key exchange, LUC, IDEA, DigiCash, .... Patents may gut cryptology the way they have data compression, to pick one example. This would be a shame. Eli ebrandt(a)jarthur.claremont.edu I have to agree with much of what Eli says. I have been reluctant to speak out against Tim's words until now because I respected Tim's opinions, and value his judgement. I felt I should "reflect" on the issue a little longer, before coming to any hard and fast conclusions. I thought perhaps time would soften the anger in my heart. I thought wrong. I still respect Tim's approach, but I cannot agree with it. Patents were designed to protect the financial interests of inventors. I respect this. RSA Inc. owns the patent on the engine, fine. They deserve to be rewarded for their work, their interest in developing the method, and their investment. I don't mind paying for the right to use PGP, not in the least. I'd happily compensate both Phil and RSA Inc. and PKP or whoever. IMHO PGP is worth a good $200. I think many share my view, in concept if not in degree. When patents become bullshit is when they serve special interests before they serve economic interests, or the interests of progress. Fine, life isn't fair. If the oil companies own a patent on 200 mile per gallon fuel injectors or whatever, fine. They figure they'll make more dough if they bury the "secret plans" in the darkest corners of their sphincters, fine. That's the law. That's cool. But when those plans get out, and someone starts giving away the injectors for no fee, that's progress. Sure, illegal, but progress none the less. At what point do the interests of the oil companies conflict with the environment as a whole? This is the problem I have with the patents on RSA. No one is even interested in money, like the oil companies were. The goal seems to be to RESTRICT ACCESS TO CRYPTOGRAPHY> DES all over again. Cripple it. Weaken it, can't let the real thing out. That's bullshit. Just as the NSA sought to control NSF and restrict funding, it's backstabbing regulation. Thanks be for Dr. Weingarten, an enlightened enough soul to see through the NSA bullshit and keep cryptography out in the open when they tried to shut it away. I see PKP and RSA Inc. as partners in the whole mess. They sit nice and quiet on their patent, making some vague threats everwhy once in awhile until Clipper comes out, and then they start to threaten people with action. Should I be surprised? After all if RSA gets out in any REAL implementation, Clipper is useless, AT&T (those backstabbing two faced snakes with good PR) gets fucked and Clinton looks like an asshole (ok, more like an asshole) for proposing a plan that would never work because private industry had beat him to it. Sound familiar? Like IBM, lucifer and DES perhaps? Bow down to RSA Inc? Gimme a break. Why should they fight the government, they know their patent will get them some dough. I don't even want to begin with Denning. She's got feet in both worlds. The problem is no one is going to see it until shes buried the knife in the libertarians to the hilt. What sickens me the most is the rhetoric that flys around this dung pile like buzzing flies. Crap like "citizens right to privacy" when used in the same paragraph with "law enforcement requirements" Crap like "stronger than most algorithms now on the market." Crap like "to protect us from drug dealers and terrorists." Crap like "we don't plan to outlaw cryptography" Crap like... well anything AT&T says. It all smells the same to me. The bottom line seems to be if you lay with the whore you have to wake up with the whore. Play RSA Inc., AT&T and Dorthy's game today and... what? The'll pay you back tommorow when you need it? Bullshit. Fine, we may lose the battle because business interests are stronger than an internet mailing list and the american people have an average I.Q. of 80, but at lease >I< will wake up and be able to look in the mirror. Don't sell out cypherpunks, RSA Inc. will stab you in the back as quickly as anyone else. uni (Dark)

1 0

validity of the RSA patent
by Eric Hughes 01 May '93

01 May '93

Plenty of people gripe about PKP patents. Assume for the sake of argument that the patents will be upheld, that they are valid. What, exactly, is claimed? The RSA patent claims the RSA cryptosystem. So we don't use that. The Diffie-Hellman-Merkle patent claims all of public key cryptography; in particular it claims knapsack algorithms. So we don't use knapsacks. But does this patent really prevent us from using public key cryptosystems? I think not. Mind you, I'm only an amateur legal hacker, but this seems like a straightforward situtation. Consider use of another public key encryption scheme, say LUC encryption. Does use of this infringe the "public key" patent? Not directly, since we're not using knapsacks (presumably). We then look the equivalents doctine. From Blacks: Equivalents doctrine. In patent infringement law, doctrine of "equivalents" means that if two devices do the same work in substantially the same way and accomplish substantially the same result, they are the same, even though they differ in name, form, or shape. [...] A doctrine which declares that a device infringes a patented invention if it does the same work as the invention in substantially the same way, even if it is outside the literal terms of the claims of the patent. The doctrine prevents parties from infringing patents with impunity by making merely trivial changes in an invention. The more significant the patented invetion the greater the scope of this doctrine. So we have three criteria. "Same work" refers to function, "same way" refers to internal structure, "same result" refers to end product. Now public key cryptosystems all have the same function, to provide encryption and decryption with different keys. The result is the same at the end of each public key communication: a message has been passed securely from one end of the channel to the other. The structure, however, is completely different for the different systems. All three criteria must be satisfied in order for the equivalents doctrine to hold. The requirement of same structure is not satisfied. (Matt Miszewski has today offered to do legal research in anticipation of a patent fight. I'd like to ask him here to check out this theory with some references to case law.) RIPEM, as I understand it, came out originally with a different public key algorithm and later changed it. Perhaps Mark Henderson (who seems to have done some work on it) could comment. The equivalents doctrine seems to my mind to be a dual of the criteria required for patentability. There are four such criteria: statutory class (is it the right kind of thing), utility (is is good for anything), novelty (does it have new features), and unobviousness (does it have new results). The equivalence of function means that the utility of the two objects is the same. The equivalence of structure meanse that the new invention does not exhibit novelty. The equivalence of end result means that someone already thought of that before, i.e. it's obvious. Statutory class is the same for both, since if they're that close, they both are the kind of thing which might be patented. It is interesting as well to examine which can be patented: processes, machines, manufactures, compositions (of matter), and new uses of any of the above. Note that a bundle of properties and purposes, e.g. public key cryptography, is not patentable; it fails to specify structure, so any structure would be novel. The new use clause, though, is exceedingly scary. Under this class, existing equations could be used for different purposes and be separately patentable. For example, if you were to use the RSA equations for some purpose other that public key crypto and digital signature, that would be separately patentable. It behooves us all to think widely of possible applications and talk about them in order to make them part of the prior art. I'd like to see a document containing a good argument against the claim that all public key crypto is covered. It should have the full scholarly apparatus with it and an appendix explaining the apparatus to non-lawyers. This document could then be circulated widely, starting on sci.crypt. After that, developing a test case is easy. We would need for someone to write some public key crypto code (it need not be very complicated) and market it, claiming explicitly that the "public key" patent does not apply. We'd want them to be extremely loud in their claims, for example, writing the legal departments of all of the big RSADSI licensees and offering their wares for sale. If you could collect money, so much the better. This would almost invariably draw a lawsuit, since it so directly threatens RSADSI's business. Witness the speed with which the recent PGP board was asked to shut down. Assuming that we've already arranged for the up-front cost of legal defense, we'd be ready to go. Comments? Eric

2 1

electronic democracy: approaching at megabit speed!
by ld231782＠longs.lance.colostate.edu 01 May '93

01 May '93

This came from the `privacy digest' mailing list. Of particular interest is the opening & `onlining' of government databases. Also note that the noted Sen. Leahy has expressed serious concern over the Clipper and is chairing hearings on it. `mood of declassification'? `require more openess throughout the bureacracy'? `electronic mail to improve citizen participation'? WOW! Some words that have been coined to describe this kind of thing for future sound-bite reference: `modemocracy' (saw this in a Compuserve magazine) or `netocracy' (my own coining) ===cut=here=== [ Original posting source: nigel.allen(a)canrem.com in igc:alt.news-media -- MODERATOR ] White House Official Outlines Freedom of Information Strategy at 'Information Summit' To: National Desk, Media Writer Contact: Ellen Nelson of The Freedom Forum First Amendment Center, 615-321-9588 NASHVILLE, Tenn., April 13 -- A White House official today outlined a broad open government strategy for the Clinton administration, throwing support behind legislation to apply the Freedom of Information Act to electronic records. "At the Clinton White House, most of the debate over the E-mail system is about how we can interconnect it to public services rather than how we can destroy the records or tear out the hard drives before the subpoenas come to reach us," said John Podesta, assistant to the president and staff secretary. Podesta made his comments in front of 70 participants in the nation's first Freedom of Information Summit, sponsored by The Freedom Forum First Amendment Center at Vanderbilt University. Though the economy dominates the headlines, Podesta said the new administration was quietly working across a broad front to open government. His "predictions for the first year," included: -- Working with Sen. Patrick Leahy (D-Vermont) to win approval this session for a bill allowing access to dozens of electronic databases in the federal government. -- Developing an electronic mail system within the federal government to improve citizen participation in government. -- Making the government's archives available on the nation's "information highway," and appointing a national archivist "who cares more about preserving history than about preserving his job." --Creating a "mood of declassification" with new executive orders from the president outlining what government may keep secret. -- "Reinventing government" under initiatives developed by the fall by Vice President Gore to require more openness on the part of civil servants throughout the bureaucracy. Podesta also pledged lobbying reform and political reform to "get rid of the soft money in campaigns." The Freedom of Information Act may need strengthening in addition to electronic access, he said. Pinched by a dozen years of tight information policy, news organizations have sent President Clinton a freedom of information policy paper calling for wholesale personnel changes in FOIA-related jobs, junking the secrecy classifications of President Reagan's Executive Order 12356, overhauling the Freedom of Information Act and ending military censorship of war reporting. "People working on behalf of the public on more openness in government at all levels are heartened by the prospect of the White House taking the lead in this area," said Paul McMasters, executive director of The Freedom Forum First Amendment Center at Vanderbilt University. The conference, sponsored by The Freedom Forum First Amendment Center at Vanderbilt University, is focusing on issues ranging from the Clinton administration's policies on open government to restrictions on public access to crime, accident and disaster scenes. The conference, open to the public, is at the Stouffer Hotel in downtown Nashville. Speakers on the Clinton FOI Agenda included Richard Schmidt Jr., general counsel to the American Society of Newspaper Editors and partner in the law firm of Cohn & Marks in Washington, D.C.; Theresa Amato, the director of the FOI Clearinghouse in Washington, D.C. and staff counsel for Public Citizens Litigation Group in Washington, D.C.; and Quinlan Shea, former Carter administration official who discussed problems of access to government. Former American hostage Terry Anderson will give the keynote address at the dinner tonight. The Freedom Forum First Amendment Center at Vanderbilt University is an independent operating program of The Freedom Forum. The Center's mission is to foster a better public understanding of and appreciation for First Amendment rights and values, including freedom of religion, free speech and press, the right to petition government and peaceful assembly. The Freedom Forum is a nonpartisan, international organization dedicated to free press, free speech and free spirit for all people. It is supported entirely by an endowment established by Frank E. Gannett in 1935 that has grown to more than $700 million in diversified managed assets. Its headquarters is The Freedom Forum World Center in Arlington, Va. -30- -- Canada Remote Systems - Toronto, Ontario 416-629-7000/629-7044

1 0