The conflict between RSA and PGP -may- be about to be solved. You all may recall my "announcement" of an effort to create a USA-Legal version of PGP by incorporating RSAREF code. Among several offers to help, I received the following messages: ======================================================================== To: spectrx!edgar (Edgar W. Swank) Subject: Re: PGP: USA-Legal PGP Project In-Reply-To: Your message of "Wed, 28 Apr 93 01:02:23 PDT." <ouiP3B12w165w@spectrx.saigon.com> Date: Wed, 28 Apr 93 12:37:30 -0600 From: "L. Detweiler" <szebra!longs.lance.colostate.edu!ld231782>

I confirmed with Jim Bidzos, President of RSA, who was present at the meeting, that a USA Legal version of PGP could be constructed by just replacing certain sections of code with free code from RSAREF. Since source for both PGP and RSAREF are available, this sounds like an easy job. Since no-one's actually done it yet, perhaps it's not, but I will try. I hope I haven't bitten off more than I can chew. At best, I can compile and test only the MSDOS version of PGP. I will certainly need help if USA-Legal MAC, AMIGA, UNIX, etc. versions are to be available.

I'm sorry Mr. Bidzos didn't tell you, but the PGP development group is already looking very seriously into integrating RSAREF, and one person phr@america.Telebit.COM (Paul Rubin) has already done it. If you would like to join the list send mail to prz@sage.cgd.ucar.EDU (Philip Zimmermann). ========================================================================== Date: Wed, 28 Apr 93 19:32:55 PDT From: szebra!america.Telebit.COM!phr (Paul Rubin) Message-Id: <9304290232.AA10138@america.TELEBIT.COM> To: spectrx!edgar Subject: PGP: USA-Legal PGP Project

I confirmed with Jim Bidzos, President of RSA, who was present at the meeting, that a USA Legal version of PGP could be constructed by just replacing certain sections of code with free code from RSAREF.

Not quite true. RSAREF's license requires that the RSAREF routines be called only in certain ways unless special permission is obtained. Calling the RSAREF routines in the generally permitted manner won't work with PGP because PGP's file format is different than what RSAREF expects. PGP needs to call RSAREF in a non-standard way which is easy technically, but needs special permission from Bidzos. Attempts to get such permission have thus far been inconclusive. ====================================================================== I am msging Phil Z. to ask to be placed on "the list". I'm also trying to get more details from Paul Rubin, offering my assistance, and forwarding to him the other offers of assistance I received. It remains to be seen whether RSA's witholding of permission to use non-standard interfaces to RSAREF is reasonable or designed to be obstructive. When we find out, I think we should choose sides (if we -need- to choose sides) accordingly. It looks like the PGPers have made a good faith effort to at least meet RSA halfway. A "PGP-like" "consumer" crypto product which does not exchange keys and messages with PGP will -not- be acceptable. Any such product produced here will almost certainly be export restricted. I am -not- willing to give up my present ability to exchange keys and encrypted data with PGP users outside the USA. (I'm currently exchanging encrypted e-mail with persons in Poland(!!), Germany, and Taiwan). PGP is currently an -international- standard, and, because of ITAR, it's likely to be the -only- international standard for a long time to come. Note that current PGP is legal outside the USA -only- for non-commercial purposes (Phil Zimmerman's "copyleft"). If a USA version is approved by RSA, it will be legal only for non-commercial use inside the USA (RSA's patents & copyrights on RSAREF). If PGP becomes popular (even more so than at present, it's already the leader) worldwide for individual non-commercial use, businesses are going to want a PGP-compatible product they can use for exchanging encrypted data with their (non-business) -customers-. For example, encryption is a good idea if you're ordering merchandise with your credit-card number. Jim Bidzos has told me that Phil Z. or anyone else can get a license from RSA for $20,000 plus minimum $10,000/yr. royalties. If we say we don't want to spend more than 50% of our revenues on licensing, then if Phil can get $60,000 of firm orders for a -commercial- USA version of PGP, he's in (a very profitable) business. $60,000 might be 600 copies at $100 or six site licenses at $10,000. Also, if a -foreign- software producer wants to license a commercial version of PGP useable only overseas, he only needs to deal with Phil (& maybe the other PGP co-authors). But the effect of this would just be to increase the market for a USA commercial version (for businesses who wanted to exchange encrypted data with other businesses, or their own subsidiaries, overseas). I guess anyone who wants to can get onto Phil's list. I'd prefer if you all didn't bombard Paul Rubin with E-mail. I'll post more details of this project here as I get them (unless I'm asked not to). -- edgar@spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Silicon Valley, Ca