TUCoPS :: Crypto :: ipgp0205.txt

Info-PGP Digest, 2.05

   Info-PGP: PGP Digest   Wednesday 16 December 1992  Volume 2 : Number 5
                Hugh Miller, List Manager / Moderator

    Info-PGP is a digested mailing list dedicated to discussion of Philip
Zimmermann's `Pretty Good Privacy' (PGP) public-key encryption program for
MS-DOS, Unix, VMS, Atari, Amiga, SPARC, Macintosh, and (hopefully) other
operating systems.  It is primarily intended for users on Internet sites
without access to the `alt.security.pgp' newsgroup.  Most submissions to
alt.security.pgp will be saved to Info-PGP, as well as occasional relevant
articles from sci.crypt or other newsgroups.  Info-PGP will also contain
mailings directed to the list address.
    To SUBSCRIBE to Info-PGP, please send a (polite) note to
info-pgp-request@lucpul.it.luc.edu.  This is not a mailserver; there is a
human being on the other end, and bodiless messages with "Subject:" lines
reading "SUBSCRIBE INFO-PGP" will be ignored until the sender develops
manners.  To SUBMIT material for posting to Info-PGP, please mail to
info-pgp@lucpul.it.luc.edu.  In both cases, PLEASE include your name and
Internet "From:" address.  Submissions will be posted pretty well as received,
although the list maintainer / moderator reserves the right to omit redundant
messages, trim bloated headers & .sigs, and other such minor piffle.  I will
not be able to acknowledge submissions, nor, I regret, will I be able to pass
posts on to alt.security.pgp for those whose sites lack access.
    Due to U.S. export restrictions on cryptographic software, I regret that I
cannot include postings containing actual source code (or compiled binaries)
of same.  For the time being at least I am including patches under the same
ukase.  I regret having to do this, but the law, howbeit unjust, is the law.
If a European reader would like to handle that end of things, perhaps run a
"Info-PGP-Code" digest or somesuch, maybe this little problem could be worked
    I have received a promise of some space on an anonymous-ftp'able Internet
site for back issues of Info-PGP Digest.  Full details as soon as they firm

Hugh Miller       | Asst. Prof. of Philosophy |  Loyola University Chicago
FAX: 312-508-2292 |    Voice: 312-508-2727    |  hmiller@lucpul.it.luc.edu
 Signed PGP v.2.1 public key certificate available by e-mail & finger(1)


Newsgroups: sci.crypt,alt.security.pgp
From: strnlght@netcom.com (David Sternlight)
Subject: Re: PKP/RSA comments on PGP legality
Date: Tue, 15 Dec 1992 11:08:14 GMT

Hugh Miller's article is filled with so many inaccuracies it's hard to
know where to start, so I'll treat only a few; the remainder is left
to others as it's pretty late at night. I'm going to digest, since the
message is so long.

The first part consists of a massive imputation of motives to Jim
Bidzos simply because he gave Carl Ellison some information. As it
happens, he gave the same information to me and others. Miller's
analysis reads like a paranoid piece of thinking to me.

He next finds the advocacy of ripem (which is legal) rather than
PGP (which is not, in the U.S.) sinister. More paranoia?

He then decides to interpret Bidzos' comments as "threats" instead
of statements of fact about Bidzos' interpretation of the PKP patents
and the Munitions Act. I must tell Miller, who appears to be winging
it without checking the Act, that Bidzos message to me contained
extensive quotations from the Munitions act which make it absolutely
clear to me that Bidzos is accurate and so is Ellison's summary.

Miller then enlightens us on what lawyers do. Is Miller an attorney,
or is this more imputation of motives for something Miller doesn't like?

Next Miller reports on RSA's income and number of licenses. Is Miller
making this up, too, or has he some hard data. According to what
Bidzos tells me there are a large number of licenses out there,
including Lotus Notes and several other major applications, future
IBM and Apple software, etc.

Then Miller characterizes as "intimidation and innuendo" what I would
characterize as "fair warning." He leaps from Bidzos mentioning that
PKP in the U.S. is an ITAR violation (Bidzos provided detailed
Munitions Act quotes in his message to me which convinces me he's
right), to Bidzos prosecuting developers under the ITAR. That's a
totally false statement. Miller then decides to use this as a way to
vamp to his obvious dislike of the Reagan Administration. Has no one
told Miller that Bush is President, and soon Clinton.

Next we have a superb analysis of why the government won't prosecute
anyway (because they're embarrassed by a few other incidents) which
simply takes the breath away, and is likely to go down in legal
annals. I'd hate to be a D.A. taking instructions from Miller.

Miller then moves to an attempt to argue that one may, with
impunity, post export-prohibited materials to a bulletin
board which foreigners have access to. His arguments at this
point have become pathetic in his eagerness to make himself
right and RSA wrong. He'd better talk to a few software companies
which sell export controlled materials, to see what safeguards
are, in fact required.

Then follows some more bad-mouthing of Bidzos.

This is followed by contradictory statements (and wrong ones)
about RSAREF. First we hear that he's never seen any RSAREF
compiled object code. A few sentences later we read that it's
compiled into the ripem beta. Then we hear that the ripem
beta isn't available on many platforms (false).

Well, there's lots more but I've run out of steam. Apologies for
the length of this, which matches paragraph for paragraph with
Miller's post--to include that post would have made this message
unconscionably longer.

Finally, I'm appalled that someone with the logical and factual
deficiencies represented in Miller's message is the moderator
of the PGP list. I can well imagine what goes on there.



Newsgroups: alt.security.pgp
From: hmiller@lucpul.it.luc.edu (Hugh Miller)
Subject: PAX - Public Access Unix - Anonymous Posting Service
Date: Tue, 15 Dec 1992 08:39:53 GMT

Here's the file you can get by sending an empty message
to anon.info@pax.tpa.com.au.

 PAX - Public Access Unix (Adelaide,South Australia) - Anonymous Posting Host

Last modified: Fri Nov 20 18:55:52 CST 1992

 Information about Anonymous & Privacy-Enhanced Posting.

PAX is conducting research into the viability of anonymous privacy-
enhanced mail as a means of providing practical, secure and confidential
electronic mail and news. An experimental server has been setup and
you are encouraged to use it.

There are many anonymous posting services in existence which provide
anonymous electronic mail and posting to specific newsgroups where
posting is sometimes harmful to one's health or reputation ! Such
services allow you to:

 - post anonymously to those news groups

 - reply anonymously to posts by email

 - converse anonymously with another anonymous user, neither of
   you knowing your real identities

Privacy-enhanced electronic mail refers to the concept of encrypting
one's mail prior to sending it off into the ether, presumably to
someone at the other end capable of decrypting it. If one uses a
so-called "public key" method of encryption, then one can make one's
"public" key widely known so that anyone can encrypt mail to you, but only
you can decrypt it using your "secret" key. There is much development
going on in this area, but one quite popular public-domain implementation
is Philip Zimmermann's "Pretty Good Privacy 2.0" which makes use of a
number of cryptographic methods including the RSA algorithm in places
(See Legal Issues later on). PGP allows you to:

 - exchange public keys with another individual

 - encode messages to them that only they can read

 - receive messages from them that only you can read

These tools are all very well for the specific purposes for which they
were designed, but unfortunately your anonymous message or post is not
actually anonymous until it gets to the machine that host's the service.
Anyone in between, including your own administrators, can in theory
read your post, even though they won't know to whom it is directed. What
is more they can also read replies addressed back to you. This can be
highly embarrassing at best, and result in dismissal or disconnection
at worst if your thoughts, beliefs or activities are disapproved of by
the powers that be, even if they are perfectly legal.

PAX's privacy-enhanced anonymous services were conceived in the belief
that free speech and privacy are fundamental rights and that it is
high time the networks to which we are connected provided such services
on a routine basis. Seeing as they don't we have to make a start somewhere.

This service provides:

 - conventional anonymous mailing and posting services via a "normal"
   alias assigned in the usual fashion

 - the ability to post to ANY newsgroup that is carried out of PAX
   (which includes most non-regional groups)

 - PGP 2.0 based privacy-enhanced mail & posting, including:

   - ability to register your "public" key with PAX, so that PAX
     can send encrypted messages to you

   - local generation of a unique public key which is sent to you,
     so that you can send encrypted messages to PAX

   - any encoded messages from you mailed to a user or newsgroup are
     decrypted at PAX before being passed on in anonymous form

   - any anonymous replies to your "pgp" alias are encrypted before
     being mailed to you

For example, once you have obtained your PGP 2.0 software (as described
later) and got it going, and once you have generated and registered
your public key and received PAX's key in response, you will be able
to post to any newsgroup without anyone beyond your machine having
access to the plaintext of your post.

Furthermore, if another user has registered in the same manner, and
you know their anonymous alias or are responding to one of their
anonymous posts, even though you don't know who they are and haven't
exchanged keys to communicate directly, the PAX service will automatically
decrypt any encrypted messages from you and re-encrypt them before
passing them on to the other person !

 How to use it.

All transactions are handled by email, and commands are selected by
the name of the alias to which you mail, not by the subject or body
of the message (which are ignored unless sending or posting a message).
The separator between the "anon" and the command is a dot (period,'.')
and nothing else will work ! Not '-', not '_', not ":", only a dot.

The site to address mail is "pax.tpa.com.au". If this fails for some
reason, you may need to address it to the specific host (at present)
ie. "flash.pax.tpa.com.au".

"Normal" (unencrypted) commands:

 - To get information (this message):

    mail anon.info@pax.tpa.com.au

 - To see what your "normal" alias is, or get one:

    mail anon.ping@pax.tpa.com.au

 - To send a reply to another anonymous user:

    mail anon.###@pax.tpa.com.au

      - eg. mail anon.36@pax.tpa.com.au

      - don't be creative ... anon.036 won't work

      - an attempt is made to strip off signature lines by discarding
        everything after a line starting with "--" or "__"

 - To send a post to a newsgroup:

    mail anon.post.groupname@pax.tpa.com.au

      - eg. "mail anon.post.talk.abortion" will send a
        post to "talk.abortion"

      - only the Subject field from your post is used, the rest of
        the header is discarded

      - the newsgroup is selected by the alias; Newsgroup header
        fields are discarded; hence cross-posting isn't feasible

      - signatures are stripped as above

"PGP" (encryption) commands:

 - To register your public key with PAX: (ABSOLUTELY NECESSARY)

    mail anon.key@pax.tpa.com.au

      - first you have to make install pgp and make a key then send it
        in a "anon.key" command

      - the body of the message MUST contain an ascii encoded public key
        generated by PGP V2.0. You may use your regular public key that
        you give to other people if you wish. The user ID name must be
        unlikely to conflict with one PAX already has, so use your full
        name, or include your email address or something. If you want
        you can use a unique key just for PAX - it makes no difference.
        If PAX already has a key of the same user-id it will reject yours.
        Note that this means that you need different key user-id's on
        different machines (or mail addresses anyway).

        # makes new keys & adds to your "keyring"
        pgp -kg
        Enter a user ID for your public key: First M. Last of somefirm

        # extract key in ascii form suitable for a message body
        pgp -kxa "First M. Last of somefirm" savedfile pubring

        # send it to PAX
        mail anon.key@pax.tpa.com.au <savedfile.asc

      - PAX will respond by sending you a new alias number and a
        public key to add to your keyring to use to encrypt messages
        to PAX. It will have a user ID name of "paxanon.publickey"
        and you should add it to your public key ring by saving the
        message in a file and presenting it as follows:

        pgp -ka savedfile

        Your life will be easier in future if you reply yes to the
        certify question.

      - Note that now you may have two aliases, that sent in response to
        the anon.key command and that sent in response to the anon.ping
        command or previous unencrypted replies or posts. Any sunsequent
        replies or posts that you encrypt before sending will be seen
        to others as having come from the new alias, and replies will be
        encrypted before being passed on to you. Any plaintext messages
        you send will appear to have come from the original alias and
        responses will also come back in plaintext.

 - Sending encrypted posts and replies.

     There are no other commands. If you encrypt a message and send it
     using the "anon.reply" and "anon.post" groups, the software will
     detect that they are encrypted, select the appropriate alias as
     a return address, decrypt the message, and mail or post it.

     You should use PGP 2.0 to encrypt messages sent to PAX, using
     the public key that PAX sent to you. DON'T FORGET TO SIGN your
     message using the secret key corresponding to the public key
     that you sent to PAX !!! Unsigned messages will be rejected
     to ensure that the message is really from you and not someone
     pretending to be you using your account or mailpath.


        # sign and encrypt message for mailing to pax.
        pgp -east message "paxanon.publickey" -u "First M. Last of somefirm"
        mail -s "A test post" anon.post.alt.test <message.asc

     Note the -a (armor) and -t (text) options. Note also the subject
     flag to mail - PAX will whinge if you post something without a

     Similarly, all messages to you will be signed using PAX's secret
     key corresponding to the public key PAX sent to you, hence you
     will know if the message really came from PAX and not someone
     else using your public key.

     ***** NB. The ENTIRE encrypted segment will be passed on after
     it has been decrypted. There is no processing of any contained
     header (though it won't work as a header), nor any removal of
     signature information within the encrypted text. Take great care
     to ensure that there is no identifying information within the
     encrypted text. *****

     Any plain text accompanying the encrypted text will be discarded.
     The Subject header field is still passed on during postings as
     with "normal" unencrypted posts.

     More work may be done on these "features" if there is sufficient
     demand for it :).

Miscellaneous administrative commands:

 - To see the current status of the system (message of the day):

    mail anon.status@pax.tpa.com.au

 - To send mail to a human administrator:

    mail anon.admin@pax.tpa.com.au

 Mailing List

To send mail to/join/unjoin a mailing list about this service, and
anonymous services in general:

    mail anon.list@pax.tpa.com.au
    mail anon.subscribe@pax.tpa.com.au
    mail anon.unsubscribe@pax.tpa.com.au

 How secure is it ?

Not bad. Clearly it depends on the security of the underlying PGP 2.0
software which is discussed at length in its documentation.

The keys are stored, and the messages encrypted and decrypted on
a server which also hosts a Public Access Unix system. These files
are protected by the usual Unix security mechanisms, but in the
event of a security breach could conceivably become visible. The
keys would hence be compromised and any messages passing through
could be decrypted. The PAX administration could theoretically
access the keys and files at will of course.

It is hard to conceive of an alternative implementation which links
anonymity with privacy enhancement however. This is no substitute for
a direct person to person link with certified keys and this service
should not be used as a substitute for such if security is a primary

 Legal Issues.

PGP 2.0's use of the RSA algorithm is a problem in the US where a patent
is now held on the algorithm, despite its widespread promulgation before
the patent was obtained. The PGP documentation discusses this issue at

Sufficeth to say, this service is provided by a site in Australia and
hence should not be subject to the constraints imposed by the US patent.
The service is offered to anyone who can reach this site by mail, in
addition to PAX's own users, and there is no intention of obtaining any
commercial gain by providing the privacy-enhanced anonymous service.

Whether individuals in the US can legally use the PGP software to use the
service provided by PAX for their own personal use, without first obtaining
a license to use the RSA algorithm is an untested issue. Certainly the
software is widely available even though it is now maintained outside the

No such concerns should apply anywhere other than the US.

This project is an experiment to see if the concept is feasible and if
there is any demand for it. The software is crude, but functional,
but it is quite possible that it will fail in unforeseen circumstances.
It is designed to loose or fail to pass on a message rather than post or
return plaintext (which would be very undesirable) but there can be no
guarantees. It is conceivable that plaintext might get sent where it
was not intended, and PAX assumes no responsibility for the consequences.
At least this would be no worse than the situation that prevails with
current anonymous services.



- --
** Anonymity & Privacy by PAX - Public Access Unix (Adelaide,South Australia) **
anon.admin@pax.tpa.com.au (a human)    anon.info@pax.tpa.com.au   (for help)
anon.ping@pax.tpa.com.au  (get alias)  anon.key@pax.tpa.com.au    (register key)
anon.###@pax.tpa.com.au   (reply)      anon.post.g@pax.tpa.com.au (post to g)
anon.list@pax.tpa.com.au  (to mailing list)
anon.subscribe@pax.tpa.com.au          anon.unsubscribe@pax.tpa.com.au

For dialup Unix access phone +61-8-235-9010 - online registration.


From: Harry Bush <harry@castle.riga.lv>
Subject: pgp21 available in Baltics
Date: Mon, 14 Dec 1992 10:09:08 +0300

         Now both pgp21.zip (executables, docs) and
pgp21src.zip (sources) are available for FIDO file
requests (FREQ) from PGP Supporting Sites in Latvia
Info-Shelter 2:495/28 and Castle 2:495/21.

PGP21.ZIP     187758 Pretty Good Privacy 2.1 Execs and Docs
PGP21SRC.ZIP  436302 Pretty Good Privacy 2.1 Sources

Since there is great interest in new PGP 2.1, please
use fast modems if possible (16800 baud preferable :-)
But, seriously speaking, nobody will be rejected.
According to our experience, calls from non-xUSSR
countries are much easier in night time.

I would like to ask people who make PGP 2.1 varieties
for different hardware platforms (McIntosh, Amiga,...)
and different languages (Language Kits) to upload them
directly to  2:495/28 or send as signed PGP-ed ASCII
messages to Harry@castle.riga.lv. Please don't forget
to sign the kit.

Best wishes,                                   Harry
                              Monday December 14 1992 04:17

--- Golded 2.40.P0720+ via D'Bridge 1.50
 * Origin:  Harry Bush, Harry@castle.riga.lv (2:495/28)


Newsgroups: sci.crypt,alt.security.pgp
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: PKP/RSA comments on PGP legality
Date: Tue, 15 Dec 1992 05:31:35 GMT

In article <1992Dec14.014118.11612@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>Bill Stewart corrects my understanding of PGP and IDEA (thanks), which
>suggests that troubles for possession and/or use of PGP2.x in the U.S.
>can also come from the Munitions Act since PGP is based on an import
>of the IDEA implementation, rather than domestic coding of the IDEA
>If my understanding is now accurate that PGP2.x violates both the
>Munitions Act and PKP's patents, and that this violation is occasioned
>not just by use but also by possession in the U.S., then it would seem
>prudent to get it off one's U.S. computers and any U.S. net
>sites--Internet, Usenet, Fidonet, anynet. Presence on a bulletin board
>system may be just what someone needs to close down that system.

I am still not convinced, from what I have read in this forum, that the
mere possession of PGP is prima facia evidence that one has personally
violated the Muntions Act.  The code has been readily available on a number
of local (internal to US) machines.  There are many things that may not
be individually imported (at least very easily), but which are legal to
possess in this country.  I do agree with you that by making the program
available indiscriminately, you may potentially become liable for violation
of the (in my mind neanderthal) export provisions of the Munitions Act.

>For completeness and to acknowledge a particular position (with which
>I disagree), some feel that it's absurd to prevent use of something
>here that's widespread in Europe, and are willing to take a chance in
>order to press that.

I do not understand what you disagree with.  Do you disagree with those
who feel that crypto software that is available to the rest of the world
should be available to Americans, or do you disagree with the taking of
chances to potentially arrive at those ends?

>My own position is
>that if one thinks a law or situation is incorrect, one moves to get
>it changed, if possible. One does not take the law into one's own

Actually, as I understand the legal system in the US, there are two avenues
by which law may be changed.  You can petition for legislative action, or
you can take your case into the courts.  Now, courts generally don't rule on
speculative issues -- they usually demand a bona fide case on which to judge.
Hence, you very much have to take the law into your own hands -- someone has
to become the proverbial guinea pig.  This is exactly what happened with the
RU-whatever case involving the French abortion pill.  A woman shows up at
customs with the pills, after informing them of the fact before hand, customs
arrests her for possession, and the case is in the courts.

In this case, if someone is of a mind, they could preselect to get into the
courts in a civil or criminal capacity.  If you want a civil suit, petition
the government to let you import the code, and if they refuse, you have the
grounds for civil litigation.  You could even raise money and make it a class
action suit.  If you desire a criminal suit, inform the government that you
intend to import the code -- tell them how and when, and mention that you
are interested in making this a test case -- and let them decide to either
ignore it or charge you with a criminal violation.

Now, I am not financially independent, nor do I possess the time and
inclination to pursue either of these approaches.  I do consider them to be
rational and ethical methods of seeking redress from an unpopular law.
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.


From: woody@cs.utexas.edu (James Woodgate)
Newsgroups: sci.crypt,alt.security.pgp
Subject: Re: PKP/RSA comments on PGP legality
Date: 15 Dec 1992 15:52:31 -0600

In article <1galtnINNhn5@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:
[stuff deleted]
>NOTE: The pgp documentation states that PKP acquired the patent rights
>to RSA "... which was developed with your tax dollars..." This is very
>misleading.  U.S. tax dollars only partially funded researchers at MIT
>who developed RSA. The U.S. government itself received royalty-free
>use in return.  This is standard practice whenever the government
>provides financial assistance.  The patents on public-key are no
>different and were handled no differently than any others developed at
>universities with partial government funding. In fact, almost every
>patent granted to a major university includes government support,
>returns royalty-free rights to the government, and is then licensed
>commercially by the universities to private parties.

So taxpayers pay for research, if it doesn't amount to anything, they
just lose the money.  If it does amount to anything, they get to pay
twice, once for the research, and then again when someone gets an 
exclusive patent by the University and charges licensing fees.  

If the government gets royalty-free use, then so should the people
who put up the money in the first place, US taxpayers...

BTW-The January issue of Popular Science has an article on encryption
    It states: "The computer industry would like NIST to
    adopt the RSA technology, but that isn't likely to happen.  One
    reason:  If the privately developed technology becomes a standard,
    the government will have to pay royalties for its use."
  Linux Rules!                              woody@cs.utexas.edu
                           pgp key available -> finger woody@cs


Newsgroups: sci.crypt,alt.security.pgp
From: stevens@vms.macc.wisc.edu (PAul STevens - MACC - 2-9618)
Subject: Re: PKP/RSA comments on PGP legality
Date: 15 DEC 92 14:01:19    

In article <1992Dec14.204408.6485@news.cs.indiana.edu>, Marc VanHeyningen <mvanheyn@whale.cs.indiana writes...

>Whoever goes to court to test the patent claim had better darn well have
>the resources and circumstances to mount a strong defense or else he'll
>just get creamed and a precedent will be set in favor of PKP.  It's not
>something for some random doofus to challenge without significant
>backing and knowledge.  Making a frivolous violation and losing in court
>does not help your cause; quite the contrary.

~From: stevens@vms.macc.wisc.edu (PAul STevens - MACC - 2-9618)
~Newsgroups: sci.crypt,alt.security.pgp
~Subject: Re: PKP/RSA comments on PGP legality
~Date: 15 DEC 92 12:17:07    
Organization:  University of Wisconsin Academic Computing Center

In article <1992Dec14.204408.6485@news.cs.indiana.edu>, Marc VanHeyningen <mvanheyn@whale.cs.indiana writes...

>Whoever goes to court to test the patent claim had better darn well have
>the resources and circumstances to mount a strong defense or else he'll
>just get creamed and a precedent will be set in favor of PKP.  It's not
>something for some random doofus to challenge without significant
>backing and knowledge.  Making a frivolous violation and losing in court
>does not help your cause; quite the contrary.

  I can tell I got your dander up.  I wish we could get everyone's
  dander up.  And by implying that I am a random doofus, you have
  come close to getting my dander up.  So that is two of us...lots
  better than zero.

  My feeling is that PKP does not have a valid patent.  If it turns out
  that they do, then more power to them.  But by standing around and
  doing nothing we make it valid!  Have they ever actually filed a 
  complaint or tried this in a court?  My gut feeling is that they
  are afraid to.  They rely on our fear that they might.

  Where can we find a non-random doofus with resources?  Does it help
  an eventual court case if PKP takes no action when violations
  are waved in their face?  Violations are being waved every day as
  people discuss their use of PGP and publish their public keys.  If
  I can be put away for computing 5**3 (mod 91) then something is amiss
  which I will have to learn to accept.  Yet it does appear to be
  a violation of the patent.  Maybe we should all sign our postings
  with PGP (to ensure that we are not being infiltrated by NSA ;-) ).

  What can we **DO** except stand around like sheep and bleat?  I am
  willing to do my part, including taking risks, in almost any agreed
  upon plan.  I never cease to be amazed by the collective cleverness
  of the NET.  If everyone thinks the best stategy is to wait for the
  patent to expire and for our elected representatives to outlaw private
  cryptography then we should all quit using public keys and SHUT UP.

              PAul   stevens@macc.wisc.edu

Version: 2.1



From: cme@ellisun.sw.stratus.com (Carl Ellison)
Newsgroups: sci.crypt,alt.security.pgp
Subject: Re: PKP/RSA comments on PGP legality
Date: 15 Dec 1992 20:34:57 GMT

In article <hmiller.724397340@lucpul.it.luc.edu> hmiller@lucpul.it.luc.edu (Hugh Miller) writes:
>    Mr. Bidzos gives the appearance of being a very effective lawyer,
>representing the interests of his company, RSADSI/PKP, well.
>    Consider the post via Carl Ellison.  By not making it under his own
>name, but under Carl's headers, he achieves a double purpose.  First, he
>veils his threat.  A veiled threat, of course, works better than a naked
>one, since it leaves a greater measure of uncertainty in the mind of
>potential end-users.  And, after all, that is one of the principal aims
>of the posting: to scare off potential end-users of PGP, currently the
>world's most popular public-key encryption program.  Second, he presents
>the spectacle to the Net of an intimidated potential end-user, to wit,
>Carl.  This is also psychologically quite effective, as we in the
>Internet community have the tendency to identify with Carl, being like
>him.  There has been a rush of postings on alt.security.pgp lately
>urging the dropping of PGP for RIPEM.  How very convenient.  Success, so

My posting was instigated by me.  It was written by a group at PKP and RSA,
including the corporate lawyer(s), I believe.  [I tell lawyer jokes like
anyone else, but do happen to have a number of lawyer friends (and one
relative) so I don't write off lawyers totally.  I'll listen and make up my
own mind.]

I don't see what RSA and PKP wrote as a veiled threat.  I believe their
intentions are well known.  They want to continue making money off their
patent.  They, like us, would probably like to see the export laws become
more rational (although I don't speak for them).  They have even more
reason to fear those export laws than we do since their very existence
depends on not being shut down.  I really believe that they need to keep
their noses especially clean -- so I accept the argument that possible ITAR
violations by PGP are enough for them to keep their hands off.

No one at RSA used me in this posting.  I had originally asked (months ago)
if I could buy an individual RSA use license from them in order to make it
legal for me to use PGP.  I was turned down.  From there, I continued the
discussion and heard over several mail messages substantially what was in
the posting.

As I kept reading sci.crypt, I felt it was time to say something and was
about to post from what I had learned in those exchanges but instead I
wrote to RSA asking them if they'd like to post something.  I would rather
let them word it than do it all myself.

They didn't want to post directly but were willing to write something
which I could post.  I agreed so that's what happened.

I do not speak for RSA.  I am not their employee.  I do choose to honor
their patent and obey the ITAR (I think/hope).  [I use company computers
and have been strongly advised to behave this way by my company's lawyers.]

If I were to buy a PC for myself (which I've never bothered doing because
the ones I get at work are so good, and I have free use of them in my own
time :-), I don't know what I would use for security.  I have RSAREF.  I'd
probably roll my own or use RIPEM (once it's finally released).  Or, I might
even buy a commercial package like MailSafe -- although I believe that PGP
will set the worldwide standard for mail interchange just like UNIX set
standards -- and for the same reason:  it's free and therefore ubiquitous.

What I use today is my own secret-key algorithm together with scripts which
let me conveniently interface with Sun's Mail (or the VMS MAIL command).
[I have versions for Sun, VAX VMS, Stratus VOS and soon to be MIPS.
I'll probably port it to HP-UX soon.  But this is just historical accident.
If I were starting over today, I'd use


and transmit the keys with RSA, using RSAREF.  This would take a special
modification to RSAREF, but I believe it wouldn't be hard to get.]

-- <<Disclaimer: All opinions expressed are my own, of course.>>
-- Carl Ellison                                         cme@sw.stratus.com
-- Stratus Computer Inc.        M3-2-BKW                TEL: (508)460-2783
-- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298   FAX: (508)624-7488


Newsgroups: sci.crypt,alt.security.pgp
From: jgd@dixie.com (John De Armond)
Subject: Re: PKP/RSA comments on PGP legality
Date: Wed, 16 Dec 92 10:15:34 GMT

strnlght@netcom.com (David Sternlight) writes:

>Hugh Miller's article is filled with so many inaccuracies it's hard to
>know where to start, so I'll treat only a few; the remainder is left
>to others as it's pretty late at night. I'm going to digest, since the
>message is so long.

>He then decides to interpret Bidzos' comments as "threats" instead
>of statements of fact about Bidzos' interpretation of the PKP patents
>and the Munitions Act. 

I thought Miller's arguments well thought out and pragmatic.  Fact is
Bidzos IS saber rattling.  If he thought he had a case, he'd prosecute
it and forget about the munitions act angle.  Patent law gives overwhelming
bias toward the holder  including early injuctive relief.  Bidzos and
PKP know that they are likely to lose the whole shebang if they 
press the case.  Statistics alone play against them if my patent
attorney is accurate in stating that about 75% of all patent validity 
challenges succeed.  RSA is neither particularly novel nor unobvious
to one engaged in the trade.  That alone should do the trick without even
delving into the legal issues involved with algorithm patents.  Lastly,
they stand a great chance of losing by virtue of lack of due dilligence
in protecting their patent.  PGP has been out, what, 2-3 years?
No suits yet.  Appears they don't care too much.

Bidzos is trying a package deal.  One part to scare those who fear a patent
suit and to get the rest, he throws in a specious Munitions Act 
threat.  Saber rattling at its finest.

John De Armond, WD4OQC               |Interested in high performance mobility?  
Performance Engineering Magazine(TM) | Interested in high tech and computers? 
Marietta, Ga                         | Send ur snail-mail address to 
jgd@dixie.com                        | perform@dixie.com for a free sample mag
Need Usenet public Access in Atlanta?  Write Me for info on Dixie.com.


Newsgroups: sci.crypt,alt.security.pgp
From: tcmay@netcom.com (Timothy C. May)
Subject: RSA Data Security Not All Bad
Date: Tue, 15 Dec 1992 20:09:24 GMT

I thought I'd mention a few things that show RSA Data Security and Jim
Bidzos (their President) to not be all bad, vis-a-vis the recent
discussion of PGP and licensing of the RSA patents.

First, I'm an occasional user of both MacPGP and MailSafe (for DOS
only). Second, I posted the "Trial Balloon to Ban Encryption?" piece
on Prof. Denning's ideas about key registration, so I'm not exactly a
shill for the national security state.

Having said this, I don't believe RSA Data Security is acting to limit
the availability of their encryption products, as some have suggested.
I agree that MailSafe, one of their standalone end-user products (and
the closest thing they have to PGP), is not well-marketed...I had to
contact them directly to buy a copy. But Jim Bidzos was so eager to
get "hackers" to use MailSafe that he made a special offer.

Mr. Bidzos authorized me to announce at the Hackers Conference in
1991, a year ago, that anyone attending the conference could get
MailSafe for $50, a substantial reduction from the $125 price at that
time (I have no idea what the current price is). The idea was that
this would nearly eliminate the complaints of those who wanted their
RSA encryption for free.

(Personally, I'm opposed to software patents in general, and the
patenting of the general math techniques used in RSA in particular.
Patenting the kind of math used in RSA is akin to letting Trimble
Navigation, for example, patent the Pythagorean Theorem just because
they use it in their product. Rivest, Shamir, Adleman, Diffie,
Hellman, and Merkle all deserve the fame they've gotten, but allowing
a patent on a fairly simple number theory algorithm is wrong.)

Several folks at that Hackers Conference took advantage of the offer.
But not enough to make it "interesting" to use (meaning, too small a
critical mass of users). I used MailSafe to secure some files, but
never found anyone I wanted to communicate with who also had it. I
even put "RSA MailSafe public key available" in my .signature for a
while, but had no takers. This is in contrast to PGP, where about half
the folks I correspond with use it, or at least have the capability to
use it.

This is why PGP has become the de facto standard for "hackers" and
other amateurs (meaning, non-corporate users...and maybe a few folks
in corporations).

It seems to many of us that RSA Data Security is _helped_ by this
situation with PGP. Yes, _helped_. Tens of thousands of users of PGP
are grappling with the issues, learning the methods of RSA digital
signatures and encryption, and are generally getting used to the idea
of protecting their own mail and files.

These PGP users are potential customers of future RSA Data Security
products, either at their companies or, if priced reasonably and
supported by RSA, for their own use.

Furthermore, the existence of PGP and the rapid rate at which it is
evolving (the latest release, 2.1, adds significant new features) is
in stark contrast to the moribund MailSafe, which apparently has not
changed since 1988. RSA Data Security may not like this "competition,"
but it may serve to light a fire under them to upgrade their end-user

(I suppose RSA feels compelled to do something to protect their patent
position, lest it be jeopardized by their inaction.)

I haven't said anything about the various licensing deals with Lotus
Notes, Apple, DEC, IBM, etc. These deals suggest RSA's technology is
about to become widespread amongst corporate users, which is all to
the good. (Provided there is no crippling of the security...I did hear
a report that Apple's "Open Collaboration..." product may be forced to
use a reduced-security version of RSA. If true, this is bad news.)

Finally, another positive word about RSA Data Security. A year ago
they sponsored a wonderful one-day free conference, in Redwood Shores,
CA.  That conference thoroughly trashed the government's proposed
"Digital Signature Standard" (DSS), and helped mobilize the backlash
against it. RSA stood to gain from this repudiation of DSS, but the
conference was still very useful in illuminating the main problems
with DSS.

This year the conference is 2 days, January 14th and 15th. Call
415-595-8782 for details (but hurry, as I hear it is filling up fast).

Granted, they are pushing their products. But this is also a service
to the overall crypto community, and for that we should be

Just thought I'd find something nice to say about RSA Data Security.

---Tim May
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | PGP Public Key: by arrangement.


From: steppler@kaa.informatik.rwth-aachen.de (Martin Steppler)
Newsgroups: alt.security.pgp
Subject: PGP 2.1 available for Amiga
Date: 16 Dec 92 16:08:56 GMT

PGP 2.1 is available for the Amiga from:

   amiga.physik.unizh.ch []


Martin Steppler  Phone:    +49-241-158579
                 Internet: steppler@pool.informatik.rwth-aachen.de
                 ADSP:     steppler@cookies.egosoft.adsp.sub.org
                 Fido:     2:242/7.12  Martin_Steppler@mowgli.fido.de

***** End Info-PGP Digest *****

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH