I first wish to apologize for a bit of impreciseness in a previous posting. I had said that a personal use exemption was not legal. I should have stated that personal use is not a defense against a claim of infringement, and that barring any other defense (e.g. research) such use would not be legal. I hope this clarifies. Peter Honeyman references a law review paper arguing for an experimental exemption to patent rights. This is a good document for us. Perhaps one of the many members of the Information Liberation Front (ILF, which also stands for Information Longs to be Free) which are around the country might arrange for an electronic copy to be made available. I have not read the paper, but I do have some comments on its usefulness. I think that an experimental exemption will not work for wider goals, and I state two reasons below. I also think that the existence of the exemption is a huge rhetorical win for distribution. First, an experimental exemption does not touch commerce. PGP is stalled right now in two areas. The first, distribution, is not the major problem given the number of overseas sites carrying PGP. Lack of commercial availability, however, is. There are business that would like to use PGP, but cannot. Phil has mentioned some specifics to me; some of these are large companies. PEM implementations are available commercially right now; they are not yet in widespread use, but given the positive economic feedback in markets where compatibility is key, PEM could easily and quickly overtake PGP completely. As far as I'm concerned, this issue is moot with respect to PGP. The development plans are already in place to put RSAREF into PGP in order to legitimately license it. But the same argument applies whenever one might want widespread deployment of a system which infringes some patent claim. Digital money falls into this category squarely. Second, even with a research exemption, you have to be doing _bona fide_ research. _Bona fide_ is Latin for "in good faith." If you merely claim you're doing research, that is not sufficient. Bona fide research certainly encompasses some academic research, but not all. I suspect that superconductivity researchers who used PGP to exchange valuable technical information would be be consider to be doing cryptographic research. On the other hand, bona fide research need not be confined to the academy. The operators of remailers currently could well be argued to be doing research, but when deployment becomes widespread the defense of research becomes harder and harder to mount. Both these concerns limit the extent to which a research exemption could be used to promote the spread of cryptography. This seems entirely in keeping with the idea of an exemption for the purpose of extending the state of the art, which is always conducted by very few people. The research exemption does not generalize. The research exemption does have one extremely positive effect, and that is on distribution from University sites. Since the University has a mission to research, distributing a research tool from an anonymous ftp site is clearly within the purview or research. The question of bona fide research remains. I would suggest that Peter Honeyman simply start a research project "to study the distribution mechanisms of public keys in a non-authenticated, highly networked environment." Peter, you could do this just by fiat, by creating a document that says you're doing this. This document could be handed to the administrators at the University of Michigan ftp site, who could then reinstate PGP with some measure of certainty that it was legitimately there. Yours in wiliness, but also in good faith, Eric