Let me remind everyone that Capstone has a yet-unspecified exchange protocol. Denning suggested on RISKS that Diffie-Hellman (covered by PKP patents) `could be used'. There is some serious evasion going on here. If Capstone is already built, with a public-key algorithm installed, it suggests that PKP has been cooperating on the Clipper/Capstone proposals all along. It will be most interesting to hear announcements on Capstone that announce its key exchange mechanism. I'm not sure what your point is here. It requires no conspiracy to opt for Diffie-Hellman as a key exchange mechanism; it's simply the obvious way to do things. (I'm speaking professionally here; cryptographic protocols are one of my research areas.) The STU-III's already use Diffie-Hellman; it's possible that the government's license for that patent grants it broad rights for such things. (The government does have free use of RSA; is there any such clause with respect to Diffie- Hellman?) PKP `had' the ability to murder Clipper/Capstone in its crib if it so desired, more so than any other single nexus, by denying the right to use public key algorithms (on which it now has a strangling, monopolistic lock). Gad, I can't believe it didn't occur to me to lobby them to do so. In retrospect, it wouldn't have done anything more than heighten the inevitable betrayal. No, PKP had no such ability. Clipper was always a potential source of profit to them, precisely because either RSA or Diffie-Hellman was needed for it. Given that they were going to make money from Clipper, the only question was how much. As Deep Throat said ~20 years ago, ``Follow the money''. (Those a bit older still should recall Dow Chemical's position on co-operating with the government.) ``Betrayal'' is a moral term. As I said before, corporations don't care about such things, only about bottom lines. That some settlement about DSA would be reached was inevitable. NIST needed PKP's assent to go ahead with DSA. PKP wanted to make money from the DSA, because it extends their profitable lifetime -- the RSA patent expires in 2001, whereas the Schnorr patent doesn't expire till 2008. PKP only opposed DSA while they didn't own the Schnorr patent; their other handle on DSA, the Diffie-Hellman patent, expires even earlier (1997). The interesting thing is the incentive to use Clipper. That's not something PKP cares about one way or another, compared with any sort of widespread use of cryptography (though perhaps RSADSI does; if private cryptography is restricted, RC2 and RC4 have much less of a market). Obviously, NIST wanted some clause like that. In exchange, they had to give PKP something more. My guess is that the hook was to grant them exclusive world-wide licensing rights to DSA, rather than simply a cut of the royalties. Maybe Mr. Bellovin can clarify how this agreement represents an `encouraging trend in the private sector to compete with the NSA' -- Good lord man, not unless you think that PKP represents the entire private sector in cryptographic applications. Uh, touche' -- you do and it does. I was unclear; I wasn't referring to the agreement at all. Rather, I meant that Schnorr had invented the algorithm that NIST had to have -- a signature scheme that is very efficient for smart cards, but could not be used for secrecy. NSA apparently didn't have anything better; I can't believe they and NIST were unaware of Schnorr's work (though perhaps they were unaware of the patent). (I suppose, of course, that NSA might have had something totally different, which they couldn't discuss because it would open up new areas for civilian research...) P.S. doubt P.R.Z. will be in a docile mood after hearing this one... Especially given the part about reserving the right not to license to infringers....