Steve Reid <steve@edmweb.com> exclaimed:

...

It's true: FOR IMMEDIATE RELEASE Security Dynamics to Acquire RSA in Transaction Valued at Approximately $200 Million

Okay, so what do we know about Security Dynamics? What are they expected to do about licensing etc?

I know a lot about SDI's technology and history. (Under contract to SDI, I just finished writing a draft FAQ on their ACE/SecurID user authenication system. It's unofficial and in-process, but I'm willing to e-mail the SecurID FAQ to anyone willing to read it and give me comments, criticism, and suggestions on how to improve it. Fair warning: it is 20,000+ words and written to educate a lay audience.) I haven't heard anything yet about SDI's position on RSA licences; but I doubt if there will be any surprises in that area soon. Among people associated with either company, it has been common knowledge that SDI and RSA folk have been very close for years, on both personal and professional levels. RSA's technical expertise has been apparent in SDI's user authentication system at several levels (albiet undocumented) and SDI's marketing expertise has doubtless informed RSA's policies in recent years. SDI, with over 150 salesmen on the street, fields the largest and most successful sales force selling Computer Security. SDI's SecurIDs tokens dominate the large-site (<1,500 tokens) corporate market for user authentication tokens with an estimated 70-80 percent of the market -- largely on the basis of the relative ease-of-use of the SecurID over its challenge/response competitors; SDI's early committment to client/server environments; and SDI's corporate promise to evolve to meet the changing CompSec threat. A SecurID generates the token's 4-8 digit token-code from an SDI-proprietary hash that puts Current Time and a token-specific key through a one-way function to create a PRN that changes every 30 or 60 seconds. All SecurID authentication calls also require two-factor validation; both the token-code and a user-memorized PIN must be submitted to the ACE/Sever for validation. There has never been any doubt -- given the evolving risks and the needs of on-line business community -- that SDI would eventually sell both authentication and encryption services. (It has also been obvious for years that SDI had, in its SecurID token-code, a neat symmetrical encryption key-generator already in widespread use in many networked environments. SDI had a mocked-up system that effectively used a SecurID token to generate DES keys seven or eight years ago, as I recall -- but apparently SDI never felt the market opportunities were sufficient to lure them into the political malestrom around crypto... until now.) I have no secrets to share, but it would surprise me if many SDI customers don't read a major opportunity for themselves in SDI's purchase of RSA. Last fall, SDI upgraded its ACE/Server to a new version (2.X) which manages user records on a fully-integrated Progress relational database. This integration of a SQL and 4GL-accessible RDBS brought a whole new level of functionality, complexity, and opportunity into ACE system administration -- but it also offers the security, scalability, and RDBS-to-RDBS communication options necessary to manage enterprise-wide IS security systems. Managing a large key-management system through a flat text database would be a nightmare. With the flexibility of an indexed RDBS, it becomes feasible to look to SDI's ACE/Server as a vehicle to hold and manage crypto keys, either PKC pairs or symmetrical keys, for an enterprise-wide system with multiple and distributed sysadmin sites. Some ACE/Server systems now support over 20,000 SecurID users, and the ESQL comm options will finally open the door to integrated multiple-server environments.

The question of the day is... HOW WILL THIS AFFECT CRYPTO?

I have no answer on that one, but the marrage of RSA's technology and SDI's marketing muscle -- given RSA's credibility and SDI's installed base in commercial MIS sites -- unveils a world of interesting opportunities. One interesting thought: since SDI has a shoe-leather sales force on the street in 20-odd nations, SDI (with RSA) might be able to leverage an integrated crypto/authentication technology and sell in markets where RSA's algorithms doesn't even enjoy patent protection. In the best of commercial traditions, SDI would be selling a solution rather than a technology. Suerte, _Vin Vin McLellan +The Privacy Guild+ <vin@shore.net> 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*>