Newsgroups: sci.crypt,talk.politics.crypto,alt.security.pgp
Path: news.unt.edu!cs.utexas.edu!howland.reston.ans.net!ix.netcom.com!netcom.com!jkennedy
From: jkennedy@netcom.com (John Kennedy)
Subject: CYLINK Q&A on PKP Arbitration Decision
Message-ID: <jkennedyDFK1tA.57D@netcom.com>
Keywords: Cylink, PKP, RSA, Public Key
Organization: CYLINK
Date: Wed, 27 Sep 1995 08:19:58 GMT
Lines: 277
Sender: jkennedy@netcom23.netcom.com
Xref: news.unt.edu sci.crypt:39749 talk.politics.crypto:12787 alt.security.pgp:43387

-----------------------------------------------------------------

CYLINK Q&A on PKP ARBITRATION

The following statement from Cylink Corporation has been posted to sci.crypt, talk.politics.crypto, and alt.security.pgp since we believe it will be of interest to a large and diverse set of readers. Please choose the appropriate newsgroup(s) to direct any follow-ups.

A copy of this statement is also being placed on Cylink's web page (http://www.cylink.com). Additional related materials and updates will also appear there.

Feel free to distribute this statement to other appropriate newsgroups, mailing lists, and individuals.

-John C. Kennedy, Cylink Corporation {ph: 408.735.5885 , jkennedy@cylink.com}

---------------------- Cylink Corporation -------------------------

September 26, 1995

IMPACT OF CYLINK VS. RSA ARBITRATION AWARD

FREQUENTLY ASKED QUESTIONS

Q. Why is the recent arbitration award between Cylink and RSA Data Security significant for RSA's licensees and vendors of public key cryptography in general?

A. The arbitration award is important to RSA's licensees for two reasons: First, the award makes it very clear that RSA does not have the right to authorize its customers to copy RSA's software; it doesn't matter whether the RSA customer is merely copying object code versions of RSA's products. The right to copy RSA software requires a patent license. Second, until now RSA has claimed itself to be the de facto standard in public key cryptography.
This claim was possible only so long as RSA could prevent its competitors from getting patent licenses from Public Key Partners. Now that the arbitrators have dissolved PKP, Cylink can enable vendors to practice low cost public key technology without the use of RSA. The market will finally enjoy vigorous competition based on technology and price.

Q. In a recent statement, RSA's president still makes the claim that the use of RSA software does not require a separate patent license. Is that true?

A. That statement is not true for any RSA licensee who needs the right to copy RSA software. The heart of RSA's business is licensing so-called tool kits; the vendor takes one copy, incorporates it into the vendor's own product and then makes all of its own copies. The only RSA customers who don't need a patent license are those who don't copy RSA software.

Q. That could be pretty serious for RSA and its customers. Can you back up this statement?

A. Absolutely. Read the arbitrators' award at p. 14. If you haven't received a copy from RSA you can find it on Cylink's home page (http://www.cylink.com). Don't take our word for it. When RSA's own attorneys pleaded with the arbitrators to change their decision, they admitted that "... every single RSA licensee will now be required to obtain a Stanford Patent License from Cylink or run the risk of being sued" (ask RSA for a copy of its attorneys' letter dated September 7). In a second decision dated September 12, the arbitrators flatly rejected RSA's pleas and confirmed their restrictions on the rights of RSA's customers (a copy is also available from Cylink's home page).

Q. RSA's president promises to indemnify all of its customers. Why should they be concerned?

A. If you compare RSA's size against the size and number of its customers copying RSA's software, one should ask whether RSA's pockets are deep enough to reimburse its customers for the damage RSA has caused.

Q.
Did RSA know it did not have all of the rights it promised its customers in RSA's software licenses?

A. Shortly after RSA gave up its patent rights to PKP, Cylink began warning RSA that it did not have all of the rights it was promising some of its customers. Unfortunately, Cylink had to finally bring the arbitration to straighten this out.

Q. Why do RSA's customers need a license to the Stanford patents simply to copy RSA's software?

A. Two reasons. The Stanford Hellman-Merkle patent is the very first patent to describe Dr. Hellman's brilliant invention of public key cryptography. All subsequent refinements on this pioneer patent which implement Dr. Hellman's concept, such as the RSA algorithm, require a license to Dr. Hellman's patent. Secondly, the Diffie-Hellman key exchange technique is a standard feature in many of RSA's tool kits, which is also covered by Stanford's Diffie-Hellman patent. Finally, if RSA were correct in its statements that you don't need a Stanford license to use RSA's software, why would they embark on yet another expensive lawsuit to attack the patents?

Q. Isn't the Hellman-Merkle patent limited to practicing something called the knapsack?

A. No. As the pioneer patent in public key, the inventors were required to disclose only one implementation to support their ground breaking invention. Even if no one is using the knapsack itself, this particular patent continues to cover all practice of public key. Only improvements, such as the RSA algorithm described in MIT's patent, are limited to the specific enablement described in the patent. Again, don't just take our word for it. RSA itself admits that RSA software is covered by these patents. Just look at their license for RSAREF, Paragraph 6 (before they have time to change it).

Q. But RSA has now brought suit to invalidate the Stanford Patents. Doesn't this protect RSA's customers?

A.
RSA's attempt to invalidate the very patents it had been licensing as a partner in PKP does nothing for RSA's customers. First of all, the fact that someone else is challenging the validity of a patent doesn't make an infringer immune from suit. RSA's challenge to the Stanford patent would not prevent Cylink from suing and obtaining damages and an injunction against any infringer. (Indemnity for damages, by the way, is cold comfort if an RSA customer is enjoined from selling any public key software.) Second, anyone who waits around for RSA's case to be resolved is taking a big gamble. Patents are presumed valid and RSA will have to prove invalidity under the "clear and convincing" burden of proof (which is higher than the traditional "preponderance of the evidence" standard and just below the criminal "reasonable doubt" standard). If RSA loses the suit, all of its customers will be left hanging. An RSA indemnity won't be worth much if RSA goes into bankruptcy.

Q. RSA claims that Cylink "confirmed" to RSA licensees "in writing" "that no separate patent licenses were necessary if they licensed RSA software." Is this true?

A. No. During the arbitration, however, one prospective RSA licensee approached Cylink and said that RSA kept assuring them that they didn't need a patent license to make their own copies of RSA public key software, but they had gotten suspicious when their own lawyers looked at the question closely. Cylink told the prospect that a patent license was needed for some of their projects, but in this instance Cylink would not interfere with the pending RSA deal. RSA customers who take the initiative and contact Cylink (as in this special case) can expect cooperation in resolving the patent problem.

Q. Why was PKP formed?

A. Cylink formed PKP with RSA to pool both parties' rights to the Stanford and MIT patents, promote public key technology, and generate licensing revenue for the partners, the universities which owned the patents, and the inventors.

Q.
Why was PKP dissolved?

A. Obviously great animosity has grown between the parties. The main reason is that RSA frustrated Cylink's efforts to settle the U.S. Government's efforts to license the Digital Signature Standard. Now that Cylink has the Stanford patents back, the DSS as well as other public key techniques can begin competing with RSA in the market.

Q. How will these public key implementations compete with RSA? Isn't RSA a "de facto" standard?

A. If anything, RSA software (which includes Stanford algorithms such as Diffie-Hellman) has been prevalent by "default" - not by choice. Now the market will have a choice between multiple vendors competing on price as well as technical implementation. Only after RSA's software faces the test of competition can it fairly claim to be a standard.

Q. In his recent statement, RSA's president makes numerous accusations about Cylink's use of the RSA algorithm. What are the facts?

A. The arbitrators' award is very clear that Cylink in fact has certain rights to license the MIT patent. Specifically, Cylink has an option to license the MIT patent provided it uses some software provided by RSA. This places Cylink in a better position than RSA's other customers who have no rights to the Stanford patents. It is important to remember that Cylink built its business for the last ten years on the use of Stanford public key technology - which proves our point that you don't need RSA or its software to practice public key.

Q. Doesn't Cylink use the RSA algorithm in one of its products?

A. Yes, and only one. What RSA fails to mention is that Cylink's largest customer, SWIFT, already holds its own PKP license which the arbitrators forced RSA to grant. This license allows Cylink to make the product for SWIFT.

Q. RSA claims that Cylink was offered a license to the RSA Patent, and that Cylink turned it down. Is that true?

A. Like a lot of what RSA says, it's a half-truth.
In June, 1994, RSA did offer a patent license, and Cylink did turn it down. Why? Because a condition of the license was that Cylink release RSA for all liability for its licensing practices. In other words, the price for the license was more than just the royalty. Cylink was being asked to forgive RSA for the wrongs it committed over the years, and this Cylink would not do.

Q. Why did Cylink decide to use RSA in this one product?

A. During PKP's existence, RSA frequently sought Cylink's support for its technology by asking Cylink to use RSA. While RSA now tells a different story, RSA's own newsletter (see, for example, RSA's "Ciphertext" Fall 1993 issue) and corporate profile frequently promoted Cylink's use of RSA long before the parties fell into their dispute over licensing DSS. Having cooperated with RSA, and agreed to use their technology in one product, RSA tried to blackmail Cylink to stop PKP's settlement with the Government. In any event, the restrictions imposed by the arbitrators on RSA's licensing business are far more severe than the minor inconvenience Cylink may experience in retro-fitting its product with Stanford technology.

Q. What will Cylink do with the Stanford patents now?

A. Before the arbitrators' decision many of RSA's customers had no reason to doubt RSA's word. Those RSA customers who now come forward will be offered very favorable agreements. Cylink is more interested in establishing commercial relationships with RSA's licensees and promoting public key technology than in disrupting existing business.

Q. Will Cylink attempt to stop the non-commercial use of public key (such as in PGP)?

A. No. Although, technically, a Stanford patent license is needed for the public domain software such as PGP, Cylink intends to promote the use of public key on the Internet. Cylink intends to announce a royalty-free license for personal use after meeting with a spokesperson for the PGP community. Watch Cylink's home page for details.
(http://www.cylink.com)

Q. What advice can you give?

A. Get the facts first. Read the arbitrators' decision, including their September 12 ruling which denied RSA's request for modification. Then call us. (Call Bob Fougner at 408-735-5893, fax 408-735-6642, e-mail: fougner@cylink.com).

---------------------- Cylink Corporation -------------------------

John Kennedy
Cylink Corporation
408-735-5885
jkennedy@cylink.com

--
"Freedom is meaningless unless | ic58@jove.acs.unt.edu - James Childers
you can give to those with whom| No man's freedom is safe
you disagree." - Jefferson     | while Congress is in session
EA 73 53 12 4E 08 27 6C 21 64 28 51 92 0E 7C F7