-----BEGIN PGP SIGNED MESSAGE----- I want to thank Tim for taking the time to help clarify what he had in mind in proposing that we reconsider our support for PGP in the face of PKP's assertion of patent rights:
I completely agree and nothing I have ever said suggests we place all our faith in his company or any other institution. What I have said--several times, now--is that a frontal attack on the RSA patents, via highly public postings of PGP and a "Fuck you!" approach to talking with patent owners, is not the best strategy at this time.
Speaking in generalizations can only go so far. It's more useful to consider specific actions which might be in keeping with this philosophical approach. I don't have many problems with our being civil to RSADSI. We don't need to spit in Bidzos' face whenever we meet him, refuse to shake his hand, whatever. Tact is OK. And the proposal to make a U.S.-legal version of PGP can't hurt anything, either. Moves in this direction have been going on for some time. Several months ago a patch was inserted to make certain data structures be compatible with RSA's PKCS standards, and therefore with RSAREF. This would allow RSAREF to be used if permission were gained to call it at an entry point not on the allowed list. However, this version of PGP would still be incompatible with pre-2.2 versions. To make a fully compatible version of PGP you not only have to call RSAREF at an undocumented entry point, you also have to modify the code slightly. All this has been going on for a few months. Eric Hughes deserves a lot of credit for encouraging progress in this direction, but I think Phil fundamentally agrees as well. One advantage of a U.S.-legal version of PGP is that its very existence would mean that no one HAD to use it. Sending out a PGP signed message would no longer be incriminating, even if you used the older (and presumably faster) version of PGP. There would be no way to tell from external observation which PGP users were using the legal one and which were using the illegal one. They would be functionally equivalent, but the legal one would be slower. (I find this rather amusing, actually, as it just goes to show the illogic of PKP's position.) What are some other issues that might arise in a move away from PGP, and an adoption of a less confrontational attitude towards RSADSI? One is the existance of PGP on the Cypherpunks server. Presumably this could be replaced by the legal version once that becomes available, but in the mean time it might have to disappear. I would oppose removing it unless a legal replacement were ready. Another suggestion that I have heard rumored is that Bidzos might be invited to join the list. I would strongly oppose this. I am also not comfortable with having him be a participant at Cypherpunks meetings but since I don't attend them I don't really have the right to complain. Tim has suggested, if I understand him, that we in some sense work to improve MailSafe and other RSA products. I don't really like the idea of doing unpaid consulting work for a commercial outfit. If I am going to work for free, on my own time, I'd like to see the software made freely available. So any work with RSA should be on freeware products, in my opinion. Improve RSAREF, not MailSafe. Another issue is whether people would be discouraged from discussing infringing projects on the Cypherpunks list or at the meetings. Suppose somebody wants to talk about a socket-based DC net protocol which uses Diffie-Hellman key exchange to initialize a shared PRNG for random bit generation. Oops, DH is a PKP patent. Again, I feel that this kind of project is entirely appropriate for the list and the group. Does this fall into Tim's confrontational category: "distributing infringing code whenever possible"? I'm not sure. (I have to confess, given the 15 hour delay in my message posting the other day (while a short message I dashed off 12 hours later appeared in a few minutes), that I thought perhaps a filter had been installed to prevent PGP-signed messages from appearing. Of course, my message did eventually appear, the delay being just a technical glitch. I assume that no one would support banning PGP-signed messages from appearing on the list.) A really sticky issue is our public attitude towards Bidzos cracking down on unauthorized crypto. What if some lone wolf out there does decide to go to the mat on PGP or some other infringing software? Whose side do we take? (Refusing to take a position is a de facto support of PKP, IMO.) I guess we'd have to hope that this never happens. Gee, it sure seems strange to HOPE that no one ever stands up to PKP. I have to say on this point that I can't accept the idea of Cypherpunks moving into a Sternlight position of support for PKP's crackdowns. I'd be interested in hearing other specific suggestions for changes which might result from Tim's suggestion. This might help focus the discussion better. === To the extent that Tim is proposing that we encourage efforts to make a U.S. legal version of PGP, and even replace the current version of PGP on the Cypherpunks FTP site with the legal version when that becomes available, I have no problem with it. To the extent that he suggests that we be polite and courteous in our public talk about RSADSI, I can accept that as well. But to the extent that anyone is proposing to go beyond this into some of the other areas I listed above (and I have no idea exactly what anyone has in mind specifically), I think the many problems I and others have listed in earlier messages provide strong arguments against such measures. Hal 74076.1041@compuserve.com -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBK+KBE6gTA69YIUw3AQE77QQAnbYSx8cqvvraaJGeUXDKJT0mQVv/HbAj r5IehVCB5/fMeZiaY9ERdBOwllgvJiTRzN3tsHJAkd8QTz9Puv5UgVXLbjPWdQvS 5XPYFkH+A4Kaos+Rlwo1ufLQ1S3eFyV35L6e9CptgYqni/QQoZFhU7Wjqlv5QQmH KcE2xEMLMas= =JL8R -----END PGP SIGNATURE-----