Legal Net Newsletter
Volume 1, Issue 5 -- May 10, 1993
Legal Net Newsletter is dedicated to providing information
on the legal issues of computing and networking in the 1990s
and into the future.
The information contained in this newsletter is not to be
misconstrued as a bona fide legal document, nor is it to be taken
as an advocacy forum for topics discussed and presented herein.
The information contained within this newsletter has been
collected from several governmental institutions, computer
professionals and third party sources. Opinion and ideological
excerpts have been collected from many sources with prior approval.
Legal Net News and the Legal Net News logo are
Copyright (c) 1993 Paul Ferguson -- All rights reserved.
This newsletter may be freely copied and distributed in its entirety.
Singular items contained within this newsletter may also be
freely copied and distributed, with the exception of
individual copyrighted items which appear with
the prior approval of the originating author.
Legal Net News can be found at the following locations:
Publicly Accessible BBS's
-------------------------
The SENTRY Net BBS
Centreville, Virginia USA
+1-703-815-3244
To 9,600 bps

Arlington Software Exchange
Arlington, Virginia USA
+1-703-532-7143
To 9,600 bps
The Internet
------------
tstc.edu (161.109.128.2) Directory: /pub/legal-net-news
Login as ANONYMOUS and use your net ID (for example: fergp@sytex.com)
as the password.
E-mail submissions, comments and editorials to: fergp@sytex.com
- --
In this issue -
o "What good is security if it makes us insecure?", editorial
comments from Communications Week
o "Big Brother and the Computer Age," by New York Times writer
John Markoff
o New NIST/NSA Revelations
o TAP Crown Jewels Campaign
o Possible PGP/RSA peace overture on the horizon?
- --
Communications Week
April 26, 1993
Editor's View;
WHAT GOOD IS SECURITY IF IT MAKES US INSECURE?
The federal government, under the guise of President Clinton's new
Public Encryption Management directive, promises to improve the security
and privacy of communications systems. The directive is likely, however,
to result in the eventual disappearance of private encryption and the
erosion of personal freedom.
The directive was announced two weeks ago by the White House and the
National Institute of Standards and Technology. It requests suppliers of
communications equipment to base encryption on the "Clipper Chip," a
microcircuit developed by the National Security Agency.
The Clipper Chip will be manufactured by Mykotronx Inc., a military
contractor in Torrance, Calif. An 80-bit, split-key escrowed encryption
scheme used to lock and unlock data transmissions will be built into each
chip. The encryption scheme will also be kept in a "key-escrow" database
monitored by two independent government agencies.
Unlike effective public encryption techniques, such as RSA Data
Security's triple-Data Encryption Standard (DES), which are available for
analysis and testing, the Clipper Chip's key algorithm will not be
released to the public.
Based on explanations provided in official documents, it seems that
the government doesn't care about improving secure communications.
Reliable encryption already exists. Indeed, in the view of agencies like
the NSA, standards such as DES are too good because they are hard to
crack.
Clinton's directive has only one real agenda: to make it easier for
government agencies to snoop on private communications. Keys will be
made available to government agencies who request access in the same
manner that Federal judges grant telephone taps.
The initiative hides behind the excuse of creating means to monitor
"terrorists, drug dealers, and other criminals." This isn't the first
time that the government has proposed an authoritarian scheme that goes
after a few people's crimes while stomping on the majority's civil
liberties.
Public scrutiny helps to pinpoint weaknesses and allow technical
refinement. In this case, we're being asked to trust the government,
a notion that rubs most rational people the wrong way.
Congress passed the Computer Security Act in 1987 to open the
development of non-military computer security standards to public
scrutiny, to limit (not expand) the NSA's role in their development.
The directive makes no mention of a particular communication
session's key-escrow. Once your keys have been released, all past and
future traffic is open to examination.
The administration said it would not prohibit private encryption,
"nor is the U.S. saying that every American, as a matter of right, is
entitled to an unbreakable commercial encryption product."
If the program succeeds, it probably will drive private encryption
vendors out of the marketplace.
Commercial encryption products already provide excellent network
security. Contact the White House and let policy-makers know that we
appreciate their concern about crime control, but prefer that the
government stay out of the security-control business.
Send your reactions to DBUERGER on MCI Mail, DBUERGER@CUP.PORTAL.COM
on the Internet or by fax, 516-562-5055.
- --
New York Times
Thursday, May 6, 1993
Page D1, Business Day
Big Brother and the Computer Age
By John Markoff
Can the nation trust its secrets to its spies?
That question underpins a fierce debate over a recently
disclosed plan by the Clinton Administration to secure the
privacy of the nation's phone calls and computer data with a
standard set of computer codes.
The system was designed by scientists from the United States'
most secretive intelligence organization, the National Security
Agency. And newly disclosed memorandums, obtained under a legally
enforceable request under the Freedom of Information Act, show
that the agency waged a long and ultimately successful campaign
within the Government to insure that the technical details of
such a system would remain secret.
The inner workings of the system would be in tamper-proof
computer chips that could not be opened without being destroyed.
That means that citizens and businesses could use the encoding
technique to protect the privacy of their wireless phone calls or
the transmissions of corporate computer files, but that
independent computer experts would have no way to assure that the
system was secure enough to keep savvy computer hackers from
unscrambling messages. Nor, some computer experts say, can
anyone be certain that the National Security Agency has not built
in a "trap door" that could allow unauthorized Government
eavesdropping.
"This plan creates the ears of Big Brother, just as Orwell
warned," said Eric Hughes, an independent software designer in
Berkeley, Calif.
Over the years, the N.S.A. has been the Government's
communications policeman, with the job of protecting the
sensitive telephone and computer networks used by the military,
the State Department and other Federal agencies. It also operates
a world-wide electronic-surveillance system, monitoring foreign
communications in the name of national security.
But the recently announced encoding plan would give the agency an
unprecedented role in domestic civilian corporate communications.
"The N.S.A. is split between the need to provide security and the
fear that if information about cryptography gets out, it won't be
able to perform its other job, which is intercepting and
resolving codes," said David Kahn, author of "The Codebreakers,"
a history of the science of encryption. "It's an unresolvable
problem."
The Clinton Administration inherited the new project from the
Bush Administration, and has embraced it. The goal is a national
voice- and data-security standard intended to provide privacy for
Government, civilian and corporate users of telephone and
computer communications, while also assuring that law enforcement
agencies can continue to eavesdrop on or wiretap voice and data
conversations after obtaining warrants.
For authorized wiretapping, the law enforcement agency must
obtain special code keys held in escrow by two independent
organizations. What computer experts fear is a secret trap door
that would not require use of these legally obtained keys.
Custodian of Security
The agency has a long history of resisting industry efforts to
develop such technology on the ground that any codes not
breakable by the N.S.A. might compromise national security.
But people like John Gage, director of the science office at Sun
Microsystems in Mountain View, Calif., the maker of high-powered
computer work stations, are uncomfortable with that line of
reasoning. "These decisions can't be left solely to the gods of
encryption, the N.S.A.," Mr. Gage said. "We need privacy for the
world of business."
He testified last week at a hearing by the House Commerce
subcommittee on telecommunications and finance, which is studying
computer encryption and the National Security Agency's role in
it.
Concerns about the agency's influence on civilian communications
have been raised before. Last year, for instance, a number of
cellular-telephone executives said that an industry standards
committee had been pressed by N.S.A. officials to weaken the
security of a coding scheme that cellular phone makers are
planning to build into the next generation of phones.
Although the agency denied the assertion, computer researchers
who analyzed the industry committee's cellular coding scheme say
that it would be simple to subvert by anyone with computer-programming skills.
Written Response
With the new plan, N.S.A. officials insist that they have no
motive to undermine the security of the coding plan, which was
originally developed to protect Government information.
The agency routinely refuses requests for on-the-record
interviews, but the agency's director of policy, Michael A.
Smith, responded in writing to a reporter's questions.
"N.S.A. states unequivocally there is no trap door built into the
algorithm," he wrote, referring to the mathematical instructions
on which the encoding system is based. "A trap door would be a
vulnerability in the system, and would defeat the purpose of
assuring the system provides U.S. citizens with excellent
security."
In resisting the N.S.A.'s effort to impose a secret standard,
communications and computer-industry executives point out that
various unofficial coding systems are already in use in this
country and abroad, whether for legitimate purposes or to conceal
criminal conspiracies.
Among those criticizing the agency's effort to keep a lid on
encryption is Representative Edward J. Markey, Democrat of
Massachusetts, chairman of the House telecommunications
subcommittee.
What Power Do Opponents Have?
"There are many ways the N.S.A. is trying to put the
cryptography genie back in the bottle, but it's already available
for everyone openly," said Mr. Markey, who plans to conduct
further hearings on the agency's role in the new system. The
Clinton Administration plans to hold its own private review in
coming months to study the nation's cryptography policies and
consider public comment.
It is not yet clear whether mounting controversy over the
National Security Agency's role could derail the plan.
The new technology is the result of the Computer Security Act of
1987. It called for creation of a national standard for computer
encryption and assigned the task to the main Federal
standards-setting body, now known as the National Institute for
Standards and Technology.
A 1989 memo by a technical working group from the institute
detailed the goal for an encryption standard that would be open
to public use and scrutiny. "The algorithms that we use must be
public, unclassified, implementable in both hardware or software,
usable by Federal agencies and U.S.-based multinational
corporations," the memo reads in part.
The institute turned to the N.S.A. for technical assistance.
"The act says we can draw on N.S.A.," said Raymond Kammer, who
was at the institute at the time and is now deputy director.
"They're the pre-eminent scientists in cryptography in the world.
We asked the agency to design a technology to fit the needs of
the civilian community."
Memos Detail Opposition
But previously classified Government memos, obtained last week
through a Freedom of Information filing by Computer Professionals
for Social Responsibility, a public-interest group, indicate that
the agency used the process of technical working groups to wear
down opposition by institute scientists who wanted to keep the
standard open to scrutiny.
A January 1990 memo by a National Institute scientist to a
colleague expressed frustration. Referring to his own group by
its acronym, he wrote, "It is increasingly evident that it is
difficult, if not impossible, to reconcile the concerns of
N.S.A., N.I.S.T. and the general public using this approach."
The N.S.A. also largely ignored the public advisory group that
Congress mandated in the 1987 law. That group, composed of
industry and Government computer experts, plans a public hearing
meeting next month to put forth its concerns.
"This all happened within the N.S.A.," said a member of the
advisory group, Stephen Walker, president of Trusted Information
Systems, a computer security company in Glenwood, Md. "Then it
was brought forward as an accomplished fact. This doesn't solve
any of our problems relative to getting good cryptography for the
American people."
The new coding system, if adopted, would first be used for
Government electronic communications. It is then expected to
quickly spread to business and even to household use, as
hardware and software makers incorporate the technology into
their products.
Export Process Is Slow
Various types of encryption systems are in use today, but the
standard approach in the United States is a 15-year-old system
known as the Data Encryption Standard. Based on outdated
technology, this system is not the best available for modern
electronic commerce. And the Government has refused to authorize
export of hardware and software containing it, except on a
time-consuming case-by-case basis.
The Clinton Administration is studying whether to allow the
general export of products based on the new N.S.A.-designed
coding system, although industry executives say they doubt that
foreign buyers, especially foreign Governments, would want to use
codes designed by American spy masters.
When Congress passed the Computer Security Act, it recognized the
need to update privacy laws and wiretapping regulations to modern
digital communication, which, particularly in the case of
cellular phone calls and other emerging forms of over-the-air
technology, can be easily monitored either by those authorized
to do so, or those who are not.
To demonstrate just how easy unauthorized use might be, Mr. Gage,
the Sun Microsystems executive, brought a computer hacker with
him to the recent House hearing.
Punching a special code into a standard cellular phone, the
hacker quickly converted the phone into a scanner capable of
eavesdropping on all the cellular channels being used on or near
Capitol Hill. The intercepted snatches of innocuous conversation
were amplified to the amusement and discomfort of those in the
subcommittee hearing room -- including a woman in the audience
who had her own cellular phone at her side.
"This demonstration," Mr. Gage said, "shows it's not really safe
to talk on the phone."
- --
Date: Thu, 6 May 1993 19:21:58 -0500
From: Dave Banisar <uunet!washofc.cpsr.org!banisar>
Subject: New NIST/NSA Revelations (by CPSR)
New NIST/NSA Revelations
Less than three weeks after the White House announced a
controversial initiative to secure the nation's electronic
communications with government-approved cryptography, newly
released documents raise serious questions about the process that
gave rise to the administration's proposal. The documents,
released by the National Institute of Standards and Technology
(NIST) in response to a Freedom of Information Act lawsuit,
suggest that the super-secret National Security Agency (NSA)
dominates the process of establishing security standards for
civilian computer systems in contravention of the intent of
legislation Congress enacted in 1987.
The released material concerns the development of the
Digital Signature Standard (DSS), a cryptographic method for
authenticating the identity of the sender of an electronic
communication and for authenticating the integrity of the data in
that communication. NIST publicly proposed the DSS in August 1991
and initially made no mention of any NSA role in developing the
standard, which was intended for use in unclassified, civilian
communications systems. NIST finally conceded that NSA had, in
fact, developed the technology after Computer Professionals for
Social Responsibility (CPSR) filed suit against the agency for
withholding relevant documents. The proposed DSS was widely
criticized within the computer industry for its perceived weak
security and inferiority to an existing authentication technology
known as the RSA algorithm. Many observers have speculated that
the RSA technique was disfavored by NSA because it was, in fact,
more secure than the NSA-proposed algorithm and because the RSA
technique could also be used to encrypt data very securely.
The newly-disclosed documents -- released in heavily censored
form at the insistence of NSA -- suggest that NSA was not merely
involved in the development process, but dominated it. NIST and
NSA worked together on the DSS through an intra-agency Technical
Working Group (TWG). The documents suggest that the NIST-NSA
relationship was contentious, with NSA insisting upon secrecy
throughout the deliberations. A NIST report dated January 31,
1990, states that
    The members of the TWG acknowledged that the efforts
    expended to date in the determination of a public key
    algorithm which would be publicly known have not been
    successful. It's increasingly evident that it is
    difficult, if not impossible, to reconcile the concerns
    and requirements of NSA, NIST and the general public
    through using this approach.
The civilian agency's frustration is also apparent in a July
21, 1990, memo from the NIST members of the TWG to NIST director
John W. Lyons. The memo suggests that "national security"
concerns hampered efforts to develop a standard:
    The NIST/NSA Technical Working Group (TWG) has held 18
    meetings over the past 13 months. A part of every
    meeting has focused on the NIST intent to develop a
    Public Key Standard Algorithm Standard. We are
    convinced that the TWG process has reached a point where
    continuing discussions of the public key issue will
    yield only marginal results. Simply stated, we believe
    that over the past 13 months we have explored the
    technical and national security equity issues to the
    point where a decision is required on the future
    direction of digital signature standards.
An October 19, 1990, NIST memo discussing possible patent issues
surrounding DSS noted that those questions would need to be
addressed "if we ever get our NSA problem settled."
Although much of the material remains classified and withheld
from disclosure, the "NSA problem" was apparently the intelligence
agency's demand that perceived "national security" considerations
take precedence in the development of the DSS. From the outset,
NSA cloaked the deliberations in secrecy. For instance, at the
March 22, 1990, meeting of the TWG, NSA representatives presented
NIST with NSA's classified proposal for a DSS algorithm. NIST's
report of the meeting notes that
    The second document, classified TOP SECRET CODEWORD, was
    a position paper which discussed reasons for the
    selection of the algorithms identified in the first
    document. This document is available at NSA for review
    by properly cleared senior NIST officials.
In other words, NSA presented highly classified material to NIST
justifying NSA's selection of the proposed algorithm -- an
algorithm intended to protect and authenticate unclassified
information in civilian computer systems. The material was so
highly classified that "properly cleared senior NIST officials"
were required to view the material at NSA's facilities.
These disclosures are disturbing for two reasons. First, the
process as revealed in the documents contravenes the intent of
Congress embodied in the Computer Security Act of 1987. Through
that legislation, Congress intended to remove NSA from the process
of developing civilian computer security standards and to place
that responsibility with NIST, a civilian agency. Congress
expressed a particular concern that NSA, a military intelligence
agency, would improperly limit public access to information in a
manner incompatible with civilian standard setting. The House
Report on the legislation noted that NSA's
    natural tendency to restrict and even deny access to
    information that it deems important would disqualify
    that agency from being put in charge of the protection
    of non-national security information in the view of many
    officials in the civilian agencies and the private
    sector.
While the Computer Security Act contemplated that NSA would
provide NIST with "technical assistance" in the development of
civilian standards, the newly released documents demonstrate that
NSA has crossed that line and dominates the development process.
The second reason why this material is significant is because
of what it reveals about the process that gave rise to the so-called
"Clipper" chip proposed by the administration earlier this
month. Once again, NIST was identified as the agency actually
proposing the new encryption technology, with "technical
assistance" from NSA. Once again, the underlying information
concerning the development process is classified. DSS was the
first test of the Computer Security Act's division of labor
between NIST and NSA. Clipper comes out of the same
"collaborative" process. The newly released documents suggest
that NSA continues to dominate the government's work on computer
security and to cloak the process in secrecy, contrary to the
clear intent of Congress.
On the day the Clipper initiative was announced, CPSR
submitted FOIA requests to key agencies -- including NIST and NSA
-- for information concerning the proposal. CPSR will pursue
those requests, as well as the pending litigation concerning NSA
involvement in the development of the Digital Signature Standard.
Before any meaningful debate can occur on the direction of
cryptography policy, essential government information must be made
public -- as Congress intended when it passed the Computer
Security Act. CPSR is committed to that goal.
David L. Sobel
CPSR Legal Counsel
(202) 544-9240
dsobel@washofc.cpsr.org
- --
Date: Sat, 8 May 1993 23:08:25 EST
From: Dave Banisar <uunet!washofc.cpsr.org!banisar>
Organization: CPSR Civil Liberties and Computing Project
Taxpayer Assets Project
Information Policy Note
May 6, 1993
RE: TAP Crown Jewels Campaign
THE U.S. CONGRESSIONAL LEGIS SYSTEMS
THE PRODUCTS
The U.S. House and Senate own two taxpayer funded online information
systems, called Senate LEGIS and the House LEGIS. The House LEGIS system
provides online access to the full text of bills before congress, the
Congressional Record and other items, while the Senate LEGIS system
provides online access to the full text of bills, plus information on
foreign treaties and nominations awaiting Senate confirmation, as well as
other information.
THE SCOOP
Access to both systems is currently restricted to Members of Congress
and their staff, except for limited public access in a reading room on
Capitol Hill in Washington, DC.
In August more than 150 citizens wrote to Senator Ford and
Representative Charlie Rose asking for online access to these systems.
Representative Rose asked the Congressional Office of Technology
Assessment (OTA) to study the issue of public access to LEGIS and other
Congressional information, but no action has been taken.
Congress sells the data from these systems on magnetic tape to several
online data vendors, such as the Mead Data Central LEXIS and the Washington
Post LEGI-SLATE services, who then resell the data to the public.
The barriers to public access are not technical. The House system can
reportedly support up to 30,000 users. The barrier to access is
opposition from commercial data vendors.
THE PLAYERS
In the Senate, policy decisions about public access to LEGIS are made by
the Senate Committee on Rules and Administration, chaired by Senator
Wendell Ford. (202/224-6352). The committee staff director for
Information Systems and Technology is Bob Harris. Mailing Address: U.S.
Senate, Committee on Rules and Administration, SR-318, Washington, DC
20510.
Access to the House LEGIS system is controlled by the House
Administration Committee, chaired by Representative Charlie Rose
(202/225-2061). House LEGIS is run by House Information Systems (HIS).
The Director of House Information Systems is Hamish Murray
(202/225-9276). Mailing address: HIS, FHOB Annex 2, 3rd & D St, S.W.,
6th Floor, Washington, DC 20515.
WHAT YOU CAN DO
Citizens who want access to these important taxpayer funded information
systems are encouraged to write or call officials who can change things.
From our experience we know that even one letter can make all the
difference in the world. Potential targets for letters include the
officials named above, plus your own member of Congress (constituents
get the best attention).
a) Describe why you would benefit from public access, and why broad
public access benefits the public interest.
b) Ask the public officials to tell you the specific steps they will
take to make public access available.
It would be helpful if you would provide us with copies of any written
inquiries and the responses that you receive. This will allow us to
build a record of the public interest in these information systems.
Taxpayer Assets Project/Crown Jewels Campaign
P.O. Box 19367; Washington, DC 20036
voice: 202/387-8030; fax 202/234-5176
internet: tap@essential.org
You can reach any member of Congress as follows:
Senator Susan Smith
U.S. Senate
Washington, DC 20510
v. 202/224-3121

Representative Bob Smith
U.S. House of Representatives
Washington, DC 20515
v. 202/225-3121
THE CROWN JEWELS CAMPAIGN
The Crown Jewels campaign is a grass roots effort to open up access to
several of the federal government's most important information systems.
Future editions will provide updates on LEGIS, as well as information
about the Department of Justice JURIS system, the SEC EDGAR system, the
Library of Congress SCORPIO system, the CIA Foreign Broadcast
Information System (FBIS), the Patent and Trademark Automated Patent
System (APS), and others. Suggestions for Crown Jewels targets are
welcome.
The Taxpayer Assets Project (TAP) was started by Ralph Nader to monitor
the management and sale of government property, including government
information and information systems.
To receive TAP information policy notes, including all Crown Jewels
Campaign memorandums, send an email note to:
tap-info-request@essential.org
===============================================================
Taxpayer Assets Project, P.O. Box 19367; Washington, DC 20036;
v. 202/837-8030; f. 202/234-5176; internet: tap@essential.org
- --
From: uunet!sage.cgd.ucar.EDU!prz (Philip Zimmermann)
Subject: A proposal to use RSAREF in PGP (fwd)
To: toad.com!cypherpunks (Cypherpunks)
Date: Wed, 5 May 93 11:52:57 MDT
Forwarded message:
From prz Wed May 5 11:42:15 1993
From: prz (Philip Zimmermann)
Message-Id: <9305051742.AA15809@sage.cgd.ucar.EDU>
Subject: A proposal to use RSAREF in PGP
To: jim@rsa.com (Jim Bidzos)
Date: Wed, 5 May 93 11:42:11 MDT
Cc: prz (Philip Zimmermann), rivest@theory.lcs.mit.edu (Ronald Rivest)
X-Mailer: ELM [version 2.3 PL11]
To: Jim Bidzos
RSA Data Security, Inc.
5 May 93
Dear Jim:
I am writing to you to get your approval to install RSAREF into PGP
in order to make PGP legal and hopefully end the conflicts regarding
patent infringement. You said publicly a number of times that PGP
may become legal in the US if it incorporated RSAREF. I assume from
these remarks that you would prefer that to happen. So let's do it.
PGP now has, in testbed form, RSAREF integrated into it. With your
approval, the next release could be an RSAREF version. I say your
approval, because it is necessary to use the two static entry points
RSAPublicBlock and RSAPrivateBlock in rsa.c in RSAREF to allow
backward compatibility with older versions of PGP. Unfortunately,
the old versions of PGP have an error that makes the contents of a
DEK and MD packet inside of an RSA multiprecision integer not comply
with PKCS standards of padding. New versions of PGP will correct
this problem, but backward compatibility is needed, so the
RSAPublicBlock and RSAPrivateBlock entry points must be called to
parse the old packets. The global entry points RSAPublicEncrypt and
RSAPrivateEncrypt will also be used to generate the new
PKCS-formatted packets. As I understand it, the standard RSAREF
license requires your approval to use these entry points. I
discussed these ideas with Ron Rivest and Burt Kaliski, and both
seemed to not raise any objections. I hope you will agree.
At some time in the future, when all the old certifying signatures
are eventually replaced with new ones, these static entry points will
not have to be called, allowing the regular entry points in rsa.h
to be called in their place. We will be encouraging people to get
their certifying signatures renewed on their keys with the new
version of PGP.
PGP users outside the US will be using a version of PGP without
RSAREF, but it will be compatible in every way with the RSAREF
version.
The PGP developers will also be contributing some speedups to RSAREF
in future releases. This will help all of your installed base of
RSAREF applications.
I am also modifying the PGP User's Guide to remove the remarks in the
legal issues section that I suspect you regard as inflammatory. I
hope this will pave the way for us to close ranks and work together
on fighting the Clipper chip initiative. If there are other measures
you'd like me to take to improve relations between us, let me know.
I hope our common political objectives will outweigh your personal
feelings, so the community of PGP users may work better with you to
face these pressing policy issues.
The new release can be ready in a few days, if you approve.
Regards,
Philip Zimmermann
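The letter above turns on a format detail: the old PGP packets carrying a DEK or a message digest inside the RSA integer did not follow PKCS padding, and the new release was to produce PKCS-formatted blocks through RSAREF. As an added example that is neither part of the newsletter nor code from PGP or RSAREF, the Python below builds PKCS #1 v1.5 encryption blocks (type 1 for a signed digest, type 2 for a session key) and parses them strictly, so that a block of the wrong shape is rejected rather than silently accepted; the modulus size, the sample key and digest bytes, and the fixed byte source used in the demo are constructed stand-ins.

```python
"""PKCS #1 v1.5 encryption blocks (block types 1 and 2) with a strict parser.

EB = 0x00 || BT || PS || 0x00 || D, where EB is as long as the RSA modulus (k bytes).
"""
import os
from typing import Callable, Optional

# PKCS #1 v1.5 requires at least eight bytes of padding string.
MIN_PS_LEN = 8


def pkcs1_v15_pad(data: bytes, k: int, block_type: int,
                  rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Return the k-byte encryption block wrapping `data`.

    block_type 1 (private-key operation, e.g. a message digest to be signed): PS is all 0xFF.
    block_type 2 (public-key operation, e.g. a session key / DEK): PS is non-zero random bytes.
    `rng` must return the requested number of bytes; it is a parameter only so the demo
    can be deterministic. Use the default os.urandom in real code.
    """
    if block_type not in (1, 2):
        raise ValueError("block type must be 1 or 2")
    ps_len = k - 3 - len(data)
    if ps_len < MIN_PS_LEN:
        raise ValueError("data too long for this modulus size")
    if block_type == 1:
        ps = b"\xff" * ps_len
    else:
        ps = bytearray()
        while len(ps) < ps_len:
            # Draw a chunk and drop zero bytes: 0x00 is reserved as the end-of-PS marker.
            ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    return b"\x00" + bytes([block_type]) + bytes(ps) + b"\x00" + data


def pkcs1_v15_unpad(eb: bytes, k: int, block_type: int) -> Optional[bytes]:
    """Strictly parse an encryption block and return D, or None on any format violation.

    Every check is mandatory: length, leading zero, expected block type, presence of the
    0x00 separator, minimum PS length, and (for type 1) PS consisting only of 0xFF.
    """
    if len(eb) != k or eb[0] != 0x00 or eb[1] != block_type:
        return None
    sep = eb.find(b"\x00", 2)
    if sep == -1:
        return None
    ps = eb[2:sep]
    if len(ps) < MIN_PS_LEN:
        return None
    if block_type == 1 and any(b != 0xFF for b in ps):
        return None
    return eb[sep + 1:]


if __name__ == "__main__":
    k = 64                                   # constructed: a 512-bit modulus
    dek = bytes(range(16))                   # constructed stand-in for a 128-bit session key
    md = bytes([0xAB] * 16)                  # constructed stand-in for a message digest
    eb2 = pkcs1_v15_pad(dek, k, 2)
    eb1 = pkcs1_v15_pad(md, k, 1)
    print("type 2 round trip:", pkcs1_v15_unpad(eb2, k, 2) == dek)
    print("type 1 round trip:", pkcs1_v15_unpad(eb1, k, 1) == md)
    # A constructed non-compliant layout: the raw key left-padded with zeros.
    legacy = b"\x00" * (k - len(dek)) + dek
    print("non-PKCS block accepted:", pkcs1_v15_unpad(legacy, k, 2) is not None)
```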
- --
End of Legal Net News v1, i5