[I encourage you to file objections too. They don't have to be eight pages long! One page will do.]

John Gilmore
PO Box 170608
San Francisco, California, USA 94117

August 5, 1993

Michael R. Rubin
Active Chief Counsel for Technology
Room A-1111, Administration Building
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
Phone: +1(301) 975-2803. Fax: +1(301) 926-2569.

Dear Sir:

I am writing to provide written evidence and argument that the grant of your prospective license for the Digital Signature Algorithm (DSA) to Public Key Partners (PKP) would not be consistent with the requirements of 35 U.S.C. 209 and 37 CFR 404.7. I am also applying for a personal, non-exclusive, sublicensable, and transferable license for the DSA.

I propose that instead of granting a license to PKP, the Government:

  Put its DSA technology into the public domain, and
  Standardize RSA as a digital signature algorithm.

In particular, the NIST proposal must meet the following criteria from 35 U.S.C. 209 (c)(1):

  (A) the interests of the Federal Government and the public will best be served by the proposed license, in view of the applicant's intentions, plans, and ability to bring the invention to practical application or otherwise promote the invention's utilization by the public;

I argue that the interests of the Federal Government and the public will best be served by my proposed approach to the problem.

The RSA cryptosystem was strongly considered as a digital signature standard by NIST, and was reportedly rejected for two reasons:

  (1) RSA is patented, while NIST wanted a royalty-free algorithm.
  (2) The National Security Agency objected to the standardization of RSA, for reasons it did not specify.

The first objection is interesting; both DSA and RSA are now controlled by patents, and both would require royalty payments by users in the United States.
However, the RSA patents only apply in the United States, so that the public (which includes all people on the Earth) will be better served by standardizing on the algorithm that is available for royalty-free use in other countries. Also, the RSA patent is royalty-free to the government, because it was invented with government grants. The patents which control the DSA are in force worldwide, and the government does not have free use of the algorithm. This gives a clear edge to the RSA algorithm.

Also, the patents controlling RSA will expire at least ten years earlier than the DSA patent (if issued) and more than seven years before the Schnorr patent which controls use of DSA. In particular, the RSA patent will expire on September 20, 2000, and all other patents which control the use of RSA expire in 1997. The Schnorr patent expires on February 19, 2008, and the DSA patent would expire seventeen years after it is issued, which has not occurred yet.

The traditional model of market acceptance of technology begins with a long slow climb, requiring years, and only peaks after this momentum has built up the proper infrastructure to support the technology. At the peak, many millions of people use the technology (in some cases, almost everyone in society). Digital signature technology has followed this model, and is widely expected to reach millions of people within the next five to ten years. This is important for two reasons:

  (a) RSA's patent will expire before or near the point when this technology enters the "mass market" of millions of users. This will benefit the public by reducing the cost of deploying the technology to these users. The size of the market clearly provides an economic incentive sufficient to cause its deployment even in the absence of exclusive licensing.

  (b) RSA digital signature technology has already been climbing the curve for many years. Standardizing on it will produce quicker deployment of digital signature technology.
PKP is already licensing the RSA technology on terms similar to the proposed DSA terms, and has promised non-discriminatory licensing if RSA is standardized by NIST.

As for the second problem with standardizing on RSA, the objection of the National Security Agency, there are two possible reasons:

  (a) NSA does not want to see a digital signature technology standardized if it would also allow data encryption, because that could make interception of intelligence data harder.

  This objection is completely specious. NSA does not have a valid role in setting domestic policy. It is a secret agency, not accountable to the public, and explicitly prohibited by statute from operating in the United States or against United States citizens. Its advice to NIST under the Computer Security Act is restricted to be of a technical nature, not straying onto questions of policy. NIST is required to give full weight to the interests of the public when deliberating on standards. Secret agencies whose policies oppose the public interest have no weight in NIST's standardization process.

  In fact, the standardization of identical technology for digital signatures and for key exchange and other data encryption uses would be a *good* decision. This technology has already been implemented in Lotus Notes and Privacy Enhanced Mail, and is well proven to be acceptable to users, implementable by manufacturers, and without fault as regards domestic encryption policy. Tens of thousands of copies of these products are in daily use without any impact on domestic tranquility.

  (b) NSA knows of a technical reason why RSA is not suitable. In this scenario, NSA has learned how to "break" RSA, either by factoring large composites, or by some other method.

  The proper response of the Government, in that case, is to publicize this fact, in order to protect domestic communications. Because if NSA knows it, it's likely that opposing intelligence agencies also know how to break RSA.
The United States is the most computerized society, the most networked, the most communicative. We have the most to lose by having unsecured communications that we believe are secure. In addition, it's likely that the revelation of the NSA method of breaking RSA would result in substantial progress in mathematics in other areas besides cryptography, providing further benefit to the public.

Further reasons to standardize RSA rather than DSA:

The strengths and weaknesses of the RSA algorithm are better understood by the technical community. More than ten years of research has gone into understanding and implementing it. The DSA has had much less research and thought brought to bear on it.

A prominent cryptographer, Gustavus Simmons, alleges that the DSA contains flaws which permit small amounts of secret information to be conveyed in its digital signatures. These flaws, which appear to have been deliberately designed in, would permit the signing party to send information to recipients of the signature, without the affected party having any way to determine this. For example, if a Government agency provided a digital signature on a passport, it could secretly communicate messages such as "this person should be searched at every border crossing" or "this person is suspected of anti-American leanings". Such unproved 'information' would not be tolerated by the public if communicated on the face of the passport, but using the DSA, an unscrupulous agency could use such suspicions to harass citizens in the free exercise of their rights.

All of the above information should convince NIST that standardizing the RSA technology and freeing the DSA technology would best serve the interest of the Federal Government and the public, rather than granting an exclusive license for the DSA technology to PKP.

The NIST proposal must also meet the following criterion from 35 U.S.C. 209 (c)(1):

  (B) the desired practical application has not been achieved, or is not likely expeditiously to be achieved, under any non-exclusive license which has been granted, or which may be granted, on the invention;

NIST's own experience with the Data Encryption Standard (DES) makes it clear that releasing an encryption system for public use, without assignment of exclusive rights to any organization, produces widespread use within a short period of time.

The DES is clearly the premier private-key encryption system in the country and in the world today. It is used in every Automatic Teller Machine, in every bank, as well as on the Fedwire interbank network. A derivative algorithm is used in the Unix password security system, which runs on more than a million computers in daily use. It is used in electronic mail privacy systems, including Lotus Notes and the Privacy Enhanced Mail system for the Internet. It was used in secure telephones built by AT&T -- and in fact the deployment there was too rapid for government comfort (the FBI, NIST and NSA ended up rushing the Clipper/Skipjack program into the public eye to prevent further deployment of telephones using this algorithm.) Whenever private-key encryption is used, DES is likely to be there. DES products are available worldwide from a large number of chip, board, peripheral, system, and software vendors, providing data rates ranging from very slow to a gigabit per second.

It is clear that the non-exclusive licensing of DES, as well as its technical capability, was directly responsible for its widespread adoption and use. Had it been exclusively licensed, say to IBM, its originator, it would not have enjoyed the wide use it has received. IBM has built DES into products, but they did not sell well and capture the market.
It was the innovative uses pioneered by others, who were free to build on IBM's and NIST's standard without negotiations or royalties, who produced the machines and software which have since served large numbers of government users and the public.

The United States has a collection of programmers and cryptographers, numbering in the hundreds, who have made significant contributions to the development and deployment of cryptographic algorithms throughout society. I have seen at least ten different software implementations of DES, freely available to everyone who wants them, including full source code and commentary. Each of these implementers was able to study and build upon the work of the others, resulting in gradual improvement of the speed and robustness of the implementations. The algorithm has been embedded into freely available software for electronic mail (TIS-PEM and early PGP versions), computer network security (Kerberos), clock synchronization (NTP), and networked voice communications (VAT), just to name a few. (Most of the work involved in building these products was the software and infrastructure that was built up AROUND the DES, by the way.)

If and when the DSA technology is released for free use by the public, the same community will produce widely available programs that employ it. PKP may argue that the same development would occur, under its grant of free noncommercial DSA licenses, but the point is that this development would occur WITHOUT granting an exclusive license to PKP. And if this is true, then by statute, NIST cannot grant an exclusive license.

PKP may also argue that its ownership of the Schnorr patent would prevent the development of noncommercial DSA products, unless it was granted an exclusive license in return for allowing noncommercial use of the Schnorr and DSA patents.
However, the record clearly shows that even when a technology is patented (RSA, or Lempel-Ziv compression) and when the patent owner does not have a policy of permitting noncommercial use, the free software community will still produce widely used programs (PGP and Compress) which produce great benefit for the public and for the government. These programs can be used immediately by those willing to challenge the patent, or to whom the patent does not apply, and can be used by everyone after the patent expires, or if the patent owner's policy changes.

Furthermore, Public Key Partners is in the position of having paid a lot of money for the Schnorr patent. If the government doesn't standardize DSA, and doesn't give PKP an exclusive DSA patent, then PKP will have to CONVINCE people to use their expensive patent. The traditional way to do so is by licensing it cheaply and widely. If people end up wanting to use DSA even though it has not been standardized, it's likely that a license for the Schnorr patent that controls it will be available at a similar price to what PKP proposed under the exclusive licensing scheme. PKP has already granted no-cost noncommercial licenses to other patents that it holds, including the RSA patent, so it is certainly conceivable that it would come to grant similar licenses for the Schnorr patent, for the same reasons.

35 USC 209 (c)(1)(C) requires that exclusive or partially exclusive licensing is "reasonable and necessary" to call forth capital to deploy the invention. The above discussion, particularly the DES evidence, has shown that this condition does not hold.

35 USC 209 (c)(1)(D) requires that the proposed terms and scope of exclusivity are not greater than reasonably necessary to bring the invention to practical application. The scope proposed by NIST is exclusive to a single company for seventeen years. My proposal is partially exclusive to the same company for seven years, then would eliminate the exclusivity completely.
The company has promised similar terms for the licensing of the RSA patent, for that seven-year period, so the terms of the NIST proposal and my proposal are similar, though the scope of exclusivity in mine is shorter. My proposal continues to provide the incentive for bringing the invention to practical application, so condition (D) does not hold either.

The conditions in 35 USC 209 (c)(1) are joined with "and" and prefaced with "only if"; failure to meet any one of the conditions denies the agency the ability to issue an exclusive or partially exclusive license. All four conditions have failed to be met in this case, so for NIST to grant an exclusive license to PKP would be unlawful.

The public interest in this technology is substantial, and it is unlikely that NIST would escape without being sued if it attempted to grant the exclusive license anyway. I myself contract for the full time of a lawyer, who is currently engaged in suing the Federal Government for its unlawful acts. I believe that two such suits are currently in process, against NSA and the Department of Justice. I would not be averse to adding NIST to the list.

In the event that NIST fails to follow my recommendation that the DSA technology be made freely available to the public, I hereby request a personal, non-exclusive license to practice it. The information required under 37 CFR 404.8 for such an applicant is:

Invention: Digital Signature Algorithm

Patent application number: 07/738.431

Type of license: Personal, non-exclusive, sublicensable, and transferable.

My name, address, email address, and phone number:
  John Gilmore
  PO Box 170608
  San Francisco, California, USA 94117
  gnu@toad.com
  +1 415 903 1418

My citizenship: USA

My representative to correspond with: myself.

Nature and type of my business: I am a privacy advocate, a programmer, an entrepreneur. Personally, I have no employees at this time, though I am co-founder and part owner of a business which employs 40 people.
I am also co-founder and on the Board of Directors of a foundation which employs about ten people. I contract with a lawyer for his full-time services, though he is not an employee.

Products and services which I have successfully commercialized: I was employee #5 at Sun Microsystems, and contributed significantly to the success of the company, which is now one of the world's largest computer companies. I have co-founded several businesses. I have written several substantial pieces of software which enjoy wide use, including PD Tar, a tape archive program, GNUUCP, which provides low-cost data communications, and GDB, which is a very widely used debugger. All of these programs were developed under an intellectual property technology that involves giving away the program itself, and selling services related to the program. The 40-person business mentioned above supports itself solely by this method, and provides commercial support for GDB among many other products. I am also a co-founder of the Electronic Frontier Foundation, which, as a non-profit educational foundation, has commercialized the services of advocating privacy and the public interest in electronic media, and the service of defending the public against unconstitutional or unlawful searches, seizures, and restrictions on rights in electronic media. I have successfully organized several volunteer teams of programmers and writers to produce products which were made available to the public, without requiring significant investment, by leveraging the goodwill of the people involved, and the availability of low cost computers and communications media.

Source of information concerning the availability of the license: Internet electronic mail, including copies of the Federal Register.

Statement indicating whether I am a small business: As an individual, I am probably not considered a small business.
I do not seek use of the patent for business purposes, but for my activities in advocating privacy and anonymity in electronic media.

Detailed description of plans for developing or marketing the invention: If granted this license, I would immediately sublicense all persons who wished to use the patent, at no charge. I challenge any other proposed licensee to provide a greater benefit at a lower cost. I would market the invention via online and printed communications, making the public and the software development community aware of their ability to freely use the invention without restraint from me or from the Government. I would negotiate with Public Key Partners to come to an agreement on terms by which noncommercial use of the Schnorr patent could proceed. Such availability would lead the way to commercial applications, as has happened with the RSA algorithm. I believe that minimal time and investment capital would be required in this endeavour: less than a month of my personal time, spread across several months of elapsed time, and less than $20,000 in investment, which I have available from personal funds. My capability and intention to fulfill the plan is shown by my record of achievements listed above.

I and my sublicensees intend to practice the invention in all fields of use.

I and my sublicensees intend to practice the invention in all geographical areas, limited only by Government-imposed export restrictions.

I have not applied for nor been granted previous licenses for federally owned inventions.

I believe that the DSA is being practiced by a small number of companies in private industry, and is being practiced by the Government and its contractors in conjunction with the Capstone program of the NSA.
Further information which I believe will support a determination to grant me the license: If NIST truly wishes that the public be granted the maximum capability to use this invention, then granting me this license, or in the alternative, granting a royalty-free license to everyone, would best achieve that goal.

Sincerely,

John Gilmore
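The subliminal channel that the letter attributes to Gustavus Simmons is easy to see once the DSA equations are written out: the signer chooses the per-signature nonce k, the verifier never sees k, so whoever controls k controls bits of the signature that still verifies. The following is an added example and is not part of Gilmore's letter nor code from NIST or PKP. It uses toy DSA parameters (p = 10091, q = 1009, g = 2^((p-1)/q) mod p) constructed for readability and far too small for real use, and a constructed "passport" record as the signed message. It shows the two channels Simmons described: a narrowband one, in its simplest form (retry the nonce until r carries the wanted bits), which needs no shared secret beyond the encoding, and a broadband one in which the nonce is the covert message and the covert receiver must hold the signer's private key. In both cases the signature passes ordinary verification, which is the letter's point: the person whose document was signed has no way to tell.

```python
import hashlib
import secrets

# Toy DSA parameters, constructed for this example and far too small for real use.
# q = 1009 and p = 10091 are prime, q divides p - 1 (10090 = 10 * 1009), and
# g = 2^((p-1)/q) mod p = 1024 generates the subgroup of order q.
P = 10091
Q = 1009
G = pow(2, (P - 1) // Q, P)


def hash_to_int(message: bytes) -> int:
    """H(m) reduced mod q, as the DSA signing and verification equations use it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen():
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_with_k(message: bytes, x: int, k: int):
    """Textbook DSA signing with the per-signature nonce k chosen by the caller.
    Returns (r, s), or None if this k gives a degenerate signature (r == 0 or s == 0)."""
    r = pow(G, k, P) % Q
    if r == 0:
        return None
    s = (pow(k, -1, Q) * (hash_to_int(message) + x * r)) % Q
    if s == 0:
        return None
    return r, s


def verify(message: bytes, y: int, sig) -> bool:
    """Textbook DSA verification; it never learns k, which is what makes the channel possible."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_to_int(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def sign_narrowband(message: bytes, x: int, hidden_bits: int, width: int):
    """Narrowband channel: draw random nonces until the low `width` bits of r equal
    hidden_bits. About 2**width signing attempts; no shared secret beyond the encoding.
    Every verifier sees an ordinary, valid signature."""
    assert 0 <= hidden_bits < (1 << width)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        sig = sign_with_k(message, x, k)
        if sig is not None and sig[0] % (1 << width) == hidden_bits:
            return sig


def read_narrowband(sig, width: int) -> int:
    """Anyone who knows the encoding reads the covert bits straight off r."""
    return sig[0] % (1 << width)


def sign_broadband(message: bytes, x: int, hidden: int):
    """Broadband channel: the nonce k *is* the covert message, so nearly log2(q) bits
    ride along in one signature. Raises ValueError for the rare values that give a
    degenerate signature; the sender would then re-encode and try again."""
    if not 0 < hidden < Q:
        raise ValueError("covert message must lie in [1, q-1]")
    sig = sign_with_k(message, x, hidden)
    if sig is None:
        raise ValueError("this value yields a degenerate signature; re-encode it")
    return sig


def read_broadband(message: bytes, x: int, sig) -> int:
    """Only a receiver holding the signer's private key x can invert the signing
    equation: k = (H(m) + x*r) * s^-1 mod q."""
    r, s = sig
    return (pow(s, -1, Q) * (hash_to_int(message) + x * r)) % Q


def demo() -> dict:
    """Round-trip both channels on a constructed 'passport' record."""
    x, y = keygen()
    record = b"passport:1234567:Doe,Jane"          # constructed sample message
    nb = sign_narrowband(record, x, 0b101, 3)      # hide the 3-bit flag 5 in r
    bb_sig, bb_value = None, None
    for candidate in range(777, 777 + 8):          # first value that is not degenerate
        try:
            bb_sig, bb_value = sign_broadband(record, x, candidate), candidate
            break
        except ValueError:
            continue
    return {
        "narrowband_verifies": verify(record, y, nb),
        "narrowband_read": read_narrowband(nb, 3),
        "broadband_verifies": verify(record, y, bb_sig),
        "broadband_read": read_broadband(record, x, bb_sig),
        "broadband_sent": bb_value,
        "malformed_rejected": not verify(record, y, (0, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in this block exploits a bug in the arithmetic; it relies only on the signer's freedom to pick k, which any verifier must allow. That is why the channel cannot be detected from the signature alone, and why the only structural defence is to take the choice of k away from the signer (for example, by deriving it deterministically from the message and key, as later deterministic-nonce schemes do), a mitigation the 1993 letter does not discuss.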