Tough Choices: PGP vs. RSA Data Security
Cypherpatriots, This is a tough posting to write. I may even be called a quisling, or even a sternlight! This may be the most important posting I make during this current Clipper-Big Brother Chip controversy. I suggest that we as a community seriously reconsider our basic support for PGP. Not because of any flaws in the program, but because of issues related to Clipper and the potential limits on crypto. Continuing use of PGP causes several problems: 1. If RSA fails to take actions against sites and users, it weakens their legal position with respect to their patents. The government does not need licenses in any case, but users of Clipperphones *do* (not the final end-users, but the suppliers of Clipperphones to non-government customers). (A case can be made that repudiation of the patents might be a good thing. I know I have argued this at times. It's hard to know.) 2. The "guerrilla crypto" aspect of the PGP community (and our group) is charming, but may be counterproductive. If we are viewed as outlaws, the target even of RSA, then we have almost no influence, save for underground subversion. (To put this another way, if we are seen as RSA Data's enemy, we lose a potential ally. I am suggesting that a coming war between strong crypto on one side and government snooping on the other will force all participants to choose up sides.) 3. Supporting a legal version of strong crypto, which RSA Data-approved programs are and PGP is *not*, is a much more solid foundation from which to fight possible restrictions on strong crypto. 4. Our time could better be spent by solidifying existing RSA programs, including RIPEM, RSAREF-derived programs, MailSafe, and so forth. This is the approach several major companies have taken (Apple, Lotus, Sun, etc.). I've urged Jim Bidzos to work toward some compromise with the PGP community (and I think everyone recognizes the positive aspects of this growing community). This might include creating translation programs so MailSafe or RIPEM can read PGP files, a reworking of PGP to conform to licensing requirements, etc. I'm hoping that Phil Zimmermann can see what the real battle is. The PGP community is not likely to win their battle in court, and the effect of such a court battle will be divisive and ultimately may help the government in its plans. Phil Z. is most unlikely to ever see any real revenues from PGP. I think the benefits of a strong, legal, supported crypto product are greater than the dubious benefits of having a "free" piece of software. At any reasonable hourly wage, the cost of MailSafe ($125, last time I checked) is dwarfed by the amount of time crypto activists like ourselves spend debating it, downloading it, awaiting patched versions, etc. (All is not rosy on the RSA Data side, either. RSA Data chose to concentrate on getting RSA built in to e-mail products from the major companies and chose not to devote much effort to PGP-like personal encryption products (such as MailSafe, which runs on DOS and UNIX only and which hasn't changed much since 1988). Support for RSA Data should mean more support for these kinds of products. We could essentially ask RSA for a commitment in this area.) I'm arguing that we should look carefully and see what the real issues are, who the real enemy is, and then make plans accordingly. Awaiting your feedback, -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, smashing of governments. Higher Power: 2^756839 | Public Key: MailSafe and PGP available. Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime
I partially agree with Tim, but RSA must be willing to make some compromises on this. Mathematical/Algorithmic patents already face lots of opposition in the user/programmer community, but charging high licensing fees on such patents will inevitably force programmers to develop freeware alternatives. I haven't seen Mailsafe, but from the reviews of it, it sounds like it is vastly inferior to PGP and not worth $125. It is also not "open" (e.g. you don't get source code?) which prevents the cypherpunk community from making modifications that they want. (I've also heard that RSA doesn't even support it well). A better course of action might be to remove the RSA engine from PGP and distribute the source code, and a binary for free, but require users to pay $30-50 to RSA to get the source code and binary for the RSA engine. This maintains our flexibility to modify PGP as we see fit, but preserves RSA's intellectual property. The downside is, platform portability will be impacted slightly. On the other hand, RSA could develop and maintain a PGP alternative which has all the bells and whistles we like, and market it at reasonable cost, say $50. (remember, Clipper chips will be cheaper than $40!) RSA's alternative is to have their patent become useless like most of the compression patents through wide spread unauthorized used of their algorithms. -- Ray Cromwell | Engineering is the implementation of science; -- -- EE/Math Student | politics is the implementation of faith. -- -- rjc@gnu.ai.mit.edu | - Zetetic Commentaries --
[I am CCing this to Jim Bidzos at RSA.] Timothy C. May says:
Cypherpatriots,
This is a tough posting to write. I may even be called a quisling, or even a sternlight!
Actually, I do not disagree with your fundamental points. Jim Bidzos is not, fundamentally, an enemy of privacy. He's just in a difficult position because his livelyhood comes from selling patent licenses. If a program existed that was legal and freely distributed like RIPEM but ran as fast as PGP and offered the "web of trust" model of PGP, I'd use it immediately. Perry
Just when I think I'll lie low awhile, tcmay@netcom.com (Timothy C. May) drops a bombshell:
I suggest that we as a community seriously reconsider our basic support for PGP. Not because of any flaws in the program, but because of issues related to Clipper and the potential limits on crypto.
I'm quite aghast at this little gem of a proposal, which might be deemed `treasonous' by some (however, I'll limit my flames). In many ways it is more unpalatable than the Clipper announcement. PGP is *solid* software for cryptography that is available *now*. What other software is available? Sure, there are plenty of vague promises and vaporware, or bits and pieces for little nooks and crannies of platforms. PGP is the closest thing to *widespread* strong cryptography available *across* platforms. Look, support whatever you want. Cypherpunks don't have an official policy sheet. But to recommend they stop promoting something that has formed one of the most stable core commitments of the group is divisive in itself. (Sheesh, this group couldn't reach a consensus if only one person was subscribing!)
1. If RSA fails to take actions against sites and users, it weakens their legal position with respect to their patents. The government does not need licenses in any case, but users of Clipperphones *do* (not the final end-users, but the suppliers of Clipperphones to non-government customers).
are you saying that RSA needs to support Clipperphones? or that they need the legal torque to suppress granting the patent to implementations of it? If RSA sells out, which I see every sign of this happening (lacking explicit reassurances from Bidzos, and in light of his apparent devotion to the company `stockholders'), then the point is mute. What makes you so sure they won't (or haven't)? Also, your reasoning is bizarre. If RSA wants to protect their patents, then they should attempt prosecution or pursue agreement, one or the other. It is the failure to prosecute that weakens their case, not the existence of infringers per se. Actually, that is the only way they have to strengthen their case, to attempt prosecution of perceived infringers. If they fail to do this then they are implicitly acknowledging their own weakness.
2. The "guerrilla crypto" aspect of the PGP community (and our group) is charming, but may be counterproductive. If we are viewed as outlaws, the target even of RSA, then we have almost no influence, save for underground subversion.
I just don't get this strange and insatiable drive to `respectability' by outspoken members of this list. This is the critical period when cryptography itself is in jeopardy, precisely at the point that we must, to a large extent, work outside the ``system'' that has unequivocally demonstrated its hostility to the basic premise of widespread unbreakable cryptography. Currently, we cannot have our unbreakable cryptography and respectability too. You all remind me of Denning, who wants to underhandedly promote Clipper and retain her scientific respectability at the same time. Or the NSA, who wants to regulate commercial cryptography but completely suppress any innovative commercial ideas that threaten their (increasingly threatened and seriously weakened) domination.
(To put this another way, if we are seen as RSA Data's enemy, we lose a potential ally. I am suggesting that a coming war between strong crypto on one side and government snooping on the other will force all participants to choose up sides.)
I'm on the side that commits to widespread availability of strong cryptography at any cost and any sacrifice. As Mr. Hughes has written, ``no compromises''. I think RSA had better make it clear right away whether they will support the Clipper and Capstone projects or not. That is the crucial decision at stake. Every minute that a strong statement is lacking I am further skeptical and suspicious of their true intent.
3. Supporting a legal version of strong crypto, which RSA Data-approved programs are and PGP is *not*, is a much more solid foundation from which to fight possible restrictions on strong crypto.
All this vague legal mumbo jumbo and wonderful rhetoric like `solid foundation' may have some value in the future, and may even be a decisive pivot. But the pace of litigation is glacial, and we need powerful tools *now*. PGP is such a tool. The strongest approach to fighting restrictions on strong cryptography is to USE IT RIGHT NOW. RSA in a MINUTE could guarantee the legality of PGP by offering licenses to users. Many have expressed the sincere desire to become `legitimate'. I consider it a wholly reasonable approach. Their continued silence on this point is deafening. They have not addressed the possibility whatsoever publicly except to hint that they regret their inability or inaction in the area. Why do they refuse to assent? There are overtures & negotiations to get the RSADSI libraries into the code, but this is just (so far) a decoy, distraction, and diversion in my opinion. I think the bottom line is that RSA wants more control over the public key algorithm than P. Zimmerman (a true cypherpatriot) is willing to grant, and he is willing to take a calculated but considerable risk, which so far has payed vast, global, valuable dividends reaped by tens of thousands.
4. Our time could better be spent by solidifying existing RSA programs, including RIPEM, RSAREF-derived programs, MailSafe, and so forth. This is the approach several major companies have taken (Apple, Lotus, Sun, etc.).
again, not enough platform-independent availability or fanatical commitment on the part of the companies. Is there a *universal*, *freely available* package in there? How many of those vendors would take out the strong cryptography if a law were passed to do it? How many have already demonstrated their spinelessness by weakly assenting to disembowel their embedded strong cryptographic techniques? How many are subject to the whims of RSA or the NSA?
I've urged Jim Bidzos to work toward some compromise with the PGP community (and I think everyone recognizes the positive aspects of this growing community). This might include creating translation programs so MailSafe or RIPEM can read PGP files, a reworking of PGP to conform to licensing requirements, etc.
Oh, so we abandon PGP until Mr. Bidzos works out a compromise on his own terms and own time schedule, is that the idea? He has had *years* to demonstrate his willingness to `compromise'. Some parts of the PGP community would gladly submit to even a one-sided `compromise' of expensive individual licensing. So far, in my view, he has done nothing but string along the PGP team, when he (or somebody) has the power to end the bickering and tension *immediately*. Many PGP users don't object to RSA getting rich off the algorithm licenses. It is not an issue of money, apparently, though, it is an issue of *control* (something that any true cypherpatriot should recognize as critical and not to be given away). Do you want your strong cryptographic techniques to be controlled by yourself or someone else?
I'm hoping that Phil Zimmermann can see what the real battle is. The PGP community is not likely to win their battle in court, and the effect of such a court battle will be divisive and ultimately may help the government in its plans. Phil Z. is most unlikely to ever see any real revenues from PGP.
Mr. Zimmerman has never seen `any real revenues' from his work and to attribute his basic past motive to that purpose is mercenary and tasteless. He has a true and passionate commitment to strong cryptography, enough that he risked his personal comfort and sacrificed years of his life to promoting it, and the documentation accurately represents that drive. Yes, a court battle would be divisive. It would probably bankrupt Mr. Zimmerman and distract RSA if pursued vigorously. But RSA can wholly avoid it. On the other hand, a court battle could bring public favor to the cryptographic cause. It could set a clear precedent for the dubious legality of software patents. There are many wildcards. Would many people send Zimmerman money if he was prosecuted? Would EFF get involved? Would he be perceived as the David vs. the Goliath? Does RSA have a strong, legal, legitimate case? Only a Sternlight would think the issue is clear cut.
I think the benefits of a strong, legal, supported crypto product are greater than the dubious benefits of having a "free" piece of software. At any reasonable hourly wage, the cost of MailSafe ($125, last time I checked) is dwarfed by the amount of time crypto activists like ourselves spend debating it, downloading it, awaiting patched versions, etc.
PGP is essential now because it is supported on many platforms, has a common format, is not limited to mail, has attained a sophisticated degree of reliability, is continuing to be supported extremely responsively, is not limited by wishywashy and halfhearted commitment by its developers, was born of the true motive that *everyone* deserves and requires strong cryptography *today* and that there's something just a little upsetting about big conglomerates getting rich off of selling algorithms for a freedom like privacy. Do you want to trade something solid for something vapid?
(All is not rosy on the RSA Data side, either. RSA Data chose to concentrate on getting RSA built in to e-mail products from the major companies and chose not to devote much effort to PGP-like personal encryption products (such as MailSafe, which runs on DOS and UNIX only and which hasn't changed much since 1988). Support for RSA Data should mean more support for these kinds of products. We could essentially ask RSA for a commitment in this area.)
I will support RSA when they show an unequivocal commitment to the proliferation of strong cryptography by allowing individual users to obtain licenses. So far, they have only worked with companies. They stand to make *more* if they had the unorthodox whim to allow users to receive licenses. People have been asking for ``a commitment from RSA in this area'' for *many months* if not *years*. There are ulterior motives present that are not apparent in talking exclusively to Bidzos, I'm sure. Here is my position on PGP: yes, it has dubious legal ground. But so did many other revolutionary technologies at the time of their inception. RSA has had plenty of opportunities to send a clear signal by either prosecuting or promoting PGP (the former in potentially devastating ways, the latter in potentially lucrative ways). That they have not done either suggests to me that they don't understand the fundamental importance of the issue in some way. It seems to me somebody directing RSA (Bidzos perhaps) wants to straddle the fence, and is continuing to do so, and that PGP and Clipper (so far) are just two aspects of a pattern. But I think somebody at RSA had better pick a side soon or they will be speared by both sides of the fence. I think it would be overly optimistic and idealistic to think that PGP will be here, say, 10 years from now. It is a stepping stone to grander things, but a *crucial* one at this point, and not to be abandoned but remembered, revered, and *used*. Do you know how many man-hours have gone, and continue to go, into its development and maintenance? Many new wrinkles will be occuring in time, but right now PGP is the well-deserving cyphersoftware of choice. Until RSA makes some clear statements of their intent on critical issues like Clipper/Capstone/PGP, I don't consider them an ally. At this point their silence can be taken as an affront to *all* sides. Right now I think the clock is ticking on a blatant sellout, but I'd just love to be pleasantly surprised. So far the only thing surprising about RSA is their conspicuous inconspicuousness. And there are ominous rumors that they will be or are starting to target prominent PGP users in a mailwriting campaign. The issue is not ``will RSA be our ally if we sacrifice PGP?'' but ``why has RSA not responded despite reasonable overtures?'' In my opinion, J. Bidzos needs to answer the following explicitly and satisfactorily before cypherpunks consider RSA their Salvation: 1. Will RSA sell licenses to companies seeking to use the public key algorithm in Capstone and Clipper implementations? What was the exact RSA involvement in those areas prior to the announcement? 2. Why has RSA refused to sell individual licenses to PGP users despite the continued expressions of willingness and desire to cooperate on the part of many of those users? 3. What is the real RSA position/plan/policy on patent infringers, if there is one? 4. Who is fundamentally in control of RSA, anyway? Bidzos? R. S. & A.? Shareholders? the NSA? Accountants and lawyers? What is the underlying agenda?
I'm arguing that we should look carefully and see what the real issues are, who the real enemy is, and then make plans accordingly.
``Friends come and go, but enemies accumulate.''
Copyright (c) 1993 Eric Hughes. Unlike most everything else I write, I do not grant right to use this without my express permission. If you want it sent somewhere else, ask me. I'll probably just send it there myself. I'm going to try to give an overview of the RSADSI and PGP situation. This is long. I've put it in the form of premises, assertions, facts, lemmas, theorems. I know that below I am mostly trying to justify RSADSI's actions. I offer the following so that you may understand how they view themselves. I also wish to offer my personal view on RSADSI. I do not consider them the enemy; I consider the enemy to be NSA/COMINT and those who would destroy privacy to create Big Brother. The RSA patent expires in seven years; the NSA will be around long after that. I have a clear priority here. This long term battle is worth winning to the exclusion of some other desiderata. "Patents don't kill people. Tyrants kill people." I do not think we should pick fights with our allies. The patent battle will not be won by mere defiance, but by careful planning. PGP is not the right vehicle for this fight. Every argument below is predicated on the first premise. I know lots of people are stronly opposed to the patents; I myself am of two minds on the subject. I do wish to point out that the validity of the patents is not what I argue from, but their pragmatic effect in the legal world. Premise: The RSADSI patents are _de facto_ effective. This is a completely separate issue from whether the ought to exist, whether the public really should have them, etc. The fact is, the PTO granted them, the courts will find them valid unless a lot of money is spent in a legal challenge whose outcome is by no means guaranteed. A large organization with lots of money to spend (not the LPF) might have a chance of a successful overturning, but that course of action is not in sight. Premise: Jim Bidzos is not in a unconstrained position; he has repsonsibilities and restrictions and can't do whatever he might want. The effectiveness of the patents gave rise to a commercial opportunity. That commercial opportunity is embodied in PKP and RSADSI. That opportunity was successful by any reasonable measure. The success directly created a fiscal responsibility for the agents of the patent owners to make money for the owners. Bidzos can't take actions which can reasonably be seen as threatening to his business; the point of view here is that of the owners, no one else's. Premise: PGP threatens the business of PKP and RSADSI. This is fairly explicit in the documentation; PGP intends to threaten their business. The patent claims are denounced, variously, as unethical, immoral, and stolen. The docs says "Hey! we tried to get a license, and they wouldn't give it to us, but here's the software anyway." The point is that the truth or falsity of these claims is not the issue. These statements on their face can be taken as harmful; that is sufficient. Premise: RSADSI and PKP will defend themselves. Seems obvious, eh? The way to counter rhetoric is with more rhetoric, and the rhetoric of business is the law and threats of legal action. To my knowledge, no actual legal actions have been made by RSADSI, but lots of threats have been. I also believe that RSADSI is ready to take legal action, however. Premise: RSADSI's main business is licensing, and licensing individuals is not very profitable. RSADSI has had enormous commercial success in getting large corporations to sign up. The only reason to license individuals is to allow them to use non-commerical software of one form or another. The brute fact of the matter is that most people just don't use non-commercial software, as a percentage of market. (If you disagree, consider the size of the PC deployed base vis a vis Unix, and then consider that most of those PC's are owned by companies, who purchase their software.) Lemma: Licensing patents is different than licensing software. With software, most of your revenue stream in the long run is upgrades, not initial purchases. The incremental cost to produce an upgrade over its sale price is far less than for the initial version. With a patent license, you get one sale and that's it. Premise: RSADSI created RSAREF in order to license individuals. The purpose of RSADSI is not to suppress cryptography--it is to promote it. They lose very little by making a free version and they gain a lot in terms of goodwill and preparing and educating people to use commercial versions. Since they don't make any money from it, there's no reason for them to spend much money paying lawyers to draft license agreements for products which bring in no income. Therefore they want all non-income uses of the patents to be filtered through a single license. Fact: Commercial licenses to RSAREF are available. They have not been advertised widely as yet, though. Assertion: The reason that RSADSI requires that individual licenses be mediated through RSAREF is that non-commercial software is inevitably used in commercial contexts. Remember, their main business is licensing. All software used in a commercial context must be licensed, otherwise their main business is imperiled. Were they to make separate licenses for every low end product, they would be in the same situation as if they licensed individuals--high overhead, small return. Therefore, they license RSAREF to companies; this allows RSADSI to economically offer licensed use for all such low end software packages. Theorem: PGP does not need to threaten RSADSI's business. By using RSAREF, PGP can satisfy RSADSI's business requirement to control licensing and satisfy PGP's requirement to have a free license. Fact: RSAREF has a restricted interface which does not allow for direct RSA cryptosystem operations. Assertion: RSADSI is protecting their good name by restricting the default RSAREF interface. Jim Bidzos has told me that the reason they use a restricted interface is to prevent people from making stupid cryptographic mistakes and then claiming that the lack of security was the fault of RSADSI. Given the number of cryptographic numbskulls out there, this concern is not unrealistic. Fact: PGP cannot use the default RSAREF interface. For one, DES is embedded into that interface. Fact: RSADSI has allowed products to go behind the RSAREF interface before. Their concern is that your not doing anything stupid. PGP isn't, so that concern is satisfied. Fact: RSAREF requires a written request to go around the standard interface. Licensing is a legal issue; written words are pretty much required in order to be responsible. Fact: No one has ever made such a written request for PGP. Part of the reason has been that moving to RSAREF entails some architectural changes, and these are still being debated. The recent clipper announcement delayed things as well. Fact: RSAREF is slow. It's only C code. The 386 assembly code in PGP runs about 15 times faster than the C code in RSAREF. RSAREF explicitly allows modifications for improved performance. The plan is to make the PGP assembly speedup modules available as RSAREF speed improvements; this is another delay in getting a port done. Fact: RSAREF can't be legally exported from the US because of the ITAR. Bidzos is seeking a Commerce Jurisdiction ruling for RSAREF, which would mean that it would be permitted for export. But until then, PGP would have to support two versions: an RSAREF one for US use, and a non-RSAREF one for non-US use. This requires more wrappers, and thus more work. Fact: PGP development is already moving in the direction of RSAREF. As I've stated, however, there are a number of practical problems that have to be straightened out before software ships. Eric
participants (5)
-
Eric Hughes
-
L. Detweiler
-
Perry E. Metzger
-
rjc@gnu.ai.mit.edu
-
tcmay@netcom.com