Cypherpholks--

Neither abandoning PGP nor antagonizing RSADSI seem necessary to me. This letter makes a 3/4 page summary of that belief after which I mention some interesting side issues.

Eric Hughes' understanding of the situation confirms my intuitions--

RSADSI pretty much has to either act the way it's acting or else just roll over.
and
They seem agreeable to a technically good PGP/RSAREF connection.
but
That's work.

On the middle point, in particular I don't think they'll insist we use DES or a slow engine. For people who don't get why those restrictions seem to be there but aren't, I suggest rereading Eric's article.

Although I have strong feelings about the patent issue, and although it affects the privacy issue, I definitely put the privacy issue first. Given that it seems we can separate the two issues, I don't see why we shouldn't.

Although I agree with Tim that being non-confrontative with RSADSI is smart, I don't see PGP and RSADSI as quite so hard to reconcile as he seems to:
If the government ever outlaws strong crypto, you can be sure I'll be using outlaw crypto. The difference with the current situation is that crypto per se has not yet come under regulation.)
And PGP per se is not outlaw. Only the current version and lack of license. Let's conceptually separate PGP, Phil's RSA/MD5 engine (PGRE?), and using/ distributing PGRE in the USA. Only the third is a problem with RSADSI.
...bootleg crypto (which is what PGP will remain in this country unless and until the courts overturn the patents or RSA suddenly decides to cave in)...
Pshaw. Until it's worked out. No "sudden caving in" is needed. Tim, you were the one who reported that Jim Bidzos was sounding agreeable.
Furthermore, neither Phil nor any other members of the development team
are likely to ever make any money with this
                                       ^^^^ PGRE
Phil could finally solicit shareware fees.
Now the side issues:

There could conceivably be an issue in the future for people working with RSAREF--who have SEEN THE CODE--and then wanting to develop other crypto stuff later. People have attempted to avoid this legal hassle in the past by setting up a "clean room" where only specs and interfaces are known... RSAREF is copyrighted stuff, right?, which puts you in a slightly different legal position when you have it/distribute it.

Assuming PGP gets a license to be shareware, I see this being less of a problem than the current situation. But even if PGP gets some kind of license, would individuals still have to sign agreements with RSADSI? I feel more serious about personal agreements than copyrights or patents. Will it be the standard RSAREF individual license? Does it require you to *act as if* they had rights some of us care about them not having? (Rights to the specific code don't bother me too much.)
(isn't e-mail great?...Stanton posts it, and Jim Bidzos, the Pres. of RSA responds...no lawyers were needed, no lengthy delays.).
At the CFP conference that Tim missed ~{;o), Cliff Stoll was remarking that eventually all sorts of nasty things happen related to the net--except lawsuits. We guessed that the availability of the quick, public response might have a lot to do with that. Here we have a threat; can anyone think of an example of an email-related suit that was carried through?

-phnerd, er, fnerd
quote me
--fnerd@smds.com (FutureNerd Steve Witham)