Interesting People mailing list archives
IP: "RSA Suit Against PGP"
From: David Farber <farber () cis upenn edu>
Date: Sat, 24 May 1997 22:11:04 -0400
Date: Sat, 24 May 1997 18:03:14 -0500
To: farber () cis upenn edu
From: Vin McLellan <vin () shore net>
Subject: <fyi> "RSA Suit Against PGP"

<Dave,

This snippet from the frothy newsgroups' debate about the RSA/PGP Suit may be of interest.

_Vin>

-------------------

Date: Sat, 24 May 1997 03:17:56 -0500
From: vin () shore net (Vin McLellan)
Subject: Re: RSA Suit Against PGP
Organization: The Privacy Guild
Newsgroups: comp.security.pgp.discuss, alt.security.pgp, talk.politics.crypto

FYI: The RSA/PGP case file is now online. Reading it may leaven this discussion with more fact and winnow out some of the passion and vitriol. (Then again, maybe not...;-)

RSA Data Security filed a "Complaint for Declaratory and Injunctive Relief" against PGP, Inc., on May 6, 1997 (CASE No. 400585) In the Superior Court of California, County of San Mateo.

The text of the RSADSI Complaint may be read at: <http://jya.com/rsavpgp.txt>

Two exhibits were attached to the Complaint: (A) the 4/16/97 letter from RSADSI's attorney to PGP Inc., terminating the Lemcom/ViaCrypt/PGP Inc. license agreement for cause, which is now available at: <http://www.parrhesia.com/rsapgp.html> -- and (B) the full 1992 license Agreement between PKP and Lemcom Systems, which is now available at: <http://jya.com/pkplem.htm> (longish, 41k)

PGP, Inc. has not yet filed a response to the RSA Complaint.

The only real aftermath to the suit, AFAIK, was the apparent revolt in the PGP, Inc., Board of Directors. On May 13th, after the PGP Board had considered the RSA allegations for a week, there was a bloodbath at PGP Hq in San Mateo. Dr. Thomas Steding, who had been PGP's President and CEO, was summarily bounced. He was replaced by Phillip Dunkelberger, a Symantec sales veteran who had been PGP's VP for Sales. Phil Zimmermann, who had been Chairman of the Board, was removed from that position. He was replaced by Jonathan Seybold, of Seybold Seminars and Seybold Publications, who had been a member of the PGP board for a year. Zimmermann, whose personal presence is rather central to PGP's corporate identity, was retained as Chief Technology Officer, but other PGP executives and managers who were said to have been close to Zimmermann were told their jobs had been eliminated, effective immediately.

I got a note, the same day, from one PGP exec who was looking for a job. The Seybold Coup and the rain of pink slips had taken him completely by surprise, he said.

I'm not without allegiances in all this (the Privacy Guild has done consulting for SDTI, the compsec company which bought RSADSI in '96, for many years) but I've been a privacy activist for 30 years, had PGP since v.20, and -- like almost everyone professionally involved with infosec -- I've followed the long Zimmermann/RSA conflict with obsessive fascination. It's a tale of myth and legend.

Everyone involved seems larger than life: Zimmermann, Ron Rivest, Jim Bidzos, Bobby Ray Inman, Adi Shamir, Len Adleman. In fact, even today, everything about public-key crypto still seems vastly out of scale: issues, impact, politics, people, potential -- not to mention the NSA, the spidery but gargantuan Queen of the American Intelligence Community.

Against that background, Zimmermann's volatile relationship with the three guys who actually invented the RSA public-key cryptosystem; and with Bidzos, RSADSI's vocal and acerbic President, has perhaps inevitably left a legacy of passion among many PGPers which has very little to do with patents and the petty legalities of intellectual property rights.

The RSA/PGP suit is not, however, about free public access to PKC crypto-enabled privacy tools or secure e-mail. Nor is it (any longer) about a bearded Lone Crusader -- all but caped -- thumbing his nose at corporate America.

Everyone grew up. Everyone wears a suit. Everyone holds stock options. This is now a dispute between two multi-million dollar corporations over the terms of a contract and the case law that defines the scope and context of that contract's provisions. Contract cases tend to be a lot more straightforward than patent cases.

Even on its own terms, it's going to be an interesting legal case to watch unfold. But it's no longer folklore. It's finance and law.

--
Vin McLellan + The Privacy Guild + <vin () shore net>
53 Nichols St., Chelsea, MA. 02150 USA Tel.(617) 884-5548

----------------------------------------------------------------

Date: Sat, 24 May 1997 03:56:45 -0700
From: David Sternlight <david () sternlight com>
Organization: DSI/USCRPAC
Newsgroups: comp.security.pgp.discuss,alt.security.pgp,talk.politics.crypto
Subject: Re: RSA Suit Against PGP (long)

Vin McLellan wrote:
> FYI: The RSA/PGP case file is now online. Reading it may leaven this discussion with more fact and winnow out some of the passion and vitriol. (Then again, maybe not...;-)
>
> RSA Data Security filed a "Complaint for Declaratory and Injunctive Relief" against PGP, Inc., on May 6, 1997 (CASE No. 400585) In the Superior Court of California, County of San Mateo.
>
> The text of the RSADSI Complaint may be read at: <http://jya.com/rsavpgp.txt>
>
> Two exhibits were attached to the Complaint: (A) the 4/16/97 letter from RSADSI's attorney to PGP Inc., terminating the Lemcom/ViaCrypt/PGP Inc. license agreement for cause, which is now available at: <http://www.parrhesia.com/rsapgp.html> -- and (B) the full 1992 license Agreement between PKP and Lemcom Systems, which is now available at: <http://jya.com/pkplem.htm> (longish, 41k)
>
> PGP, Inc. has not yet filed a response to the RSA Complaint.

Thanks very much to Vin for posting the pointers. I've read the materials and they are quite interesting. I'll try to comment concisely, and there's lots of ground to cover.

1. It is interesting that early in the complaint RSADSI mentions Phil Zimmermann's publication of PGP as freeware without a license to RSA. That recitation seems to lead nowhere in terms of the subsequent matter, so I'm not clear whether that is simply a historical bit of background or a tacit message about prior infringement. Do judges read between the lines? Will one be smart enough to pick up on that? I don't know; perhaps an attorney reader of these musings may.

2. Apologies in advance (and corrections welcomed) for the following precis, which I hope doesn't do too much damage to the materials:

It appears that Lemcom (we've been referring to them as Viacrypt, since they licensed RSA and published Viacrypt) had a very restricted license, limited to selling individual copies to end users. They did not have the right to assign the license, nor to sell OEM copies. Users could only make a single further copy for archival purposes.

In order to get around this, when PGP Inc. merged with Lemcom to create Pretty Good Privacy Inc., they tried to set it up to look as if Lemcom were the surviving company, which then changed its name to Pretty Good Privacy Inc. (that may explain the citation by one reader that Phil said their lawyers were very careful about this)--rather than seeking a new license from RSADSI.

RSADSI alleges that was a sham. They cite the executive changes, the geographical locations, and the public statements, in support of that allegation of sham. What's more, they assert that it's well-established case law that a triangular merger of this kind (even if it weren't a sham) is an assignment, and Lemcom is prohibited by the license from assigning their license rights without RSADSI's permission, which was neither sought nor granted.

RSADSI then invokes their right to cancel the agreement for this violation (and others including alleged non-payment of royalties, and OEM sales which are explicitly excluded in the license). Further, they assert that according to the agreement itself, if the agreement is cancelled for such causes, the arbitration provisions don't apply. They thus ask the court for relief. (They further claim that Pretty Good Privacy Inc. has refused to open their books to audit by RSADSI as required in the license.)

What does all this mean?

1. If RSADSI is correct, RIGHT NOW Pretty Good Privacy Inc. is distributing an unlicensed version of RSA (in any existing products they're selling and in the 5.0 betas). Anyone accepting or using such copies (in the US) is also infringing, since they are using unlicensed copies of RSA. If RSADSI prevails, they could theoretically seek damages from anyone buying or using copies of such products since the April cancellation letter they sent, as well as damages from Pretty Good Privacy Inc. for such post-cancellation infringement. Note that this has nothing to do with Pretty Good Privacy Inc.'s 30 days to respond to the court filing. If Pretty Good Privacy Inc. loses they will have been infringing since April.

2. Unless Pretty Good Privacy Inc. can come to some new agreement with RSADSI (and RSADSI is willing to enter into such an agreement--I think they can cite the license violations as valid grounds to refuse such a new license), they can no longer sell "classical PGP" and their products will no longer be compatible with "free PGP". They will have to convert everyone to D-H only. Whether all those users of free PGP all over the world (and FileCrypt) would be willing to drop RSA is an interesting question. Since it would be in aid of a commercial firm (Pretty Good Privacy Inc.) and caused by that firm's violation (if it proves so) of the license, there is some doubt people will join such a move in enough numbers to make for a viable business model.

3. Even if Pretty Good Privacy Inc. can get people converted, they will have to solve the export problem all over again. That is--there are no copies of the new software overseas (at least not legally) and it is currently forbidden to export it. In contrast, classical PGP is available worldwide (except in countries with crypto prohibitions such as France and Russia), and all versions interoperate with each other.

4. Pretty Good Privacy Inc. should be praying someone "cracks" RSA, so that a case can be made to shift. Rumors of such impending weakness have started to show up. Given all the expert assurances in the past of RSA's robustness, some might think they are false rumors being planted for selfish commercial purposes, particularly since there has been no serious discussion of any such "impending breakthroughs" in sci.crypt or the professional literature.

5. For the moment, users of FileCrypt (commercial users), and (non-commercial) users of Free PGP need do nothing. Their existing programs are properly licensed either via MIT or directly from RSADSI (or exempt from the US RSA patent outside the US). Those who have bought "pay" PGP from Viacrypt or Pretty Good Privacy Inc. prior to the April cancellation date are perhaps also ok (but see below).

6. I confess ignorance as to whether any liability could accrue to such prior-to-April Pretty Good Privacy Inc. purchasers if it were shown (as RSADSI claims) that Pretty Good Privacy Inc. didn't remit license fees to RSADSI. It's a delicate legal point--for instance if you hire a contractor and he doesn't pay his employees (even if you pay him), YOU are liable in most jurisdictions. Just so if you pay Pretty Good Privacy Inc. and they didn't pay RSADSI, are you liable? Have you been infringing? I don't know. Perhaps an attorney skilled in this practice can comment, but let's not guess--I won't if you won't, dear reader.

7. New commercial users who wish to use PGP-type encryption and who don't want to risk infringing ought to consider FileCrypt if they have Macs, which is directly licensed by RSADSI. If they have PCs, they ought to light votive candles either to the speedy completion of the PC/Windows version of FileCrypt, or to Pretty Good Privacy Inc. prevailing in the legal matter. Note that current versions of PGP 5.0 (beta) using D-H won't avoid this problem, since they still also use ("practice the patent" for) RSA.

> The only real aftermath to the suit, AFAIK, was the apparent revolt in the PGP, Inc., Board of Directors. On May 13th, after the PGP Board had considered the RSA allegations for a week, there was a bloodbath at PGP Hq in San Mateo. Dr. Thomas Steding, who had been PGP's President and CEO, was summarily bounced. He was replaced by Phillip Dunkelberger, a Symantec sales veteran who had been PGP's VP for Sales. Phil Zimmermann, who had been Chairman of the Board, was removed from that position. He was replaced by Jonathan Seybold, of Seybold Seminars and Seybold Publications, who had been a member of the PGP board for a year. Zimmermann, whose personal presence is rather central to PGP's corporate identity, was retained as Chief Technology Officer, but other PGP executives and managers who were said to have been close to Zimmermann were told their jobs had been eliminated, effective immediately.

Presumably there is some cause and effect here.

> I got a note, the same day, from one PGP exec who was looking for a job. The Seybold Coup and the rain of pink slips had taken him completely by surprise, he said.

More likely a board-organized or major stockholder-organized attempt to save the company, rather than any sort of "coup".

> I'm not without allegiances in all this (the Privacy Guild has done consulting for SDTI, the compsec company which bought RSADSI in '96, for many years) but I've been a privacy activist for 30 years, had PGP since v.20, and -- like almost everyone professionally involved with infosec -- I've followed the long Zimmermann/RSA conflict with obsessive fascination. It's a tale of myth and legend.

If we're stating allegiances, I quite like (and use) PGP (as well as FileCrypt, PKCS systems, and even RIPEM). I hold valid licenses to all four and to RSADSI's RSAREF and RSAREF2 toolkits. My preferences as between them are based strictly on convenience of user interface for the Mac, use, and number of users of each with whom I communicate. In addition it should be said that as a sometime producer of intellectual property myself, I have no use for those who infringe another's intellectual property. For those who have been endlessly speculating here on my motives with respect to my comments on Phil Zimmermann's acts and acknowledgements--there it is. I take such things personally, whether they are done by individuals of the left, large right-wing corporations, or anything in between.

> Everyone involved seems larger than life: Zimmermann, Ron Rivest, Jim Bidzos, Bobby Ray Inman, Adi Shamir, Len Adleman. In fact, even today, everything about public-key crypto still seems vastly out of scale: issues, impact, politics, people, potential -- not to mention the NSA, the spidery but gargantuan Queen of the American Intelligence Community.

Hardly the Queen, any more than the Signal Corps is the Queen of the Army. They're a technical service organization staffed with boring mathematicians, engineers, linguists, etc., which has been over-romanticized due to needed secrecy, and over-attacked due to the natural tendency of more vigorous civil libertarians, iconoclasts, and some of the left to see bogey men under every bed. Yes, there are the occasional real bogeymen under the odd bed, and eternal vigilance, etc. But it has been carried much too far.

> Against that background, Zimmermann's volatile relationship

That's quite a circumlocution. Do you mean to say "infringements of the patents of?"

> with the three guys who actually invented the RSA public-key cryptosystem; and with Bidzos, RSADSI's vocal and acerbic President,

I have not found him at all acerbic, and his vocalizations are quite focussed, highly circumscribed, and usually by invitation (though he does have a nice touch with the odd wall poster). I think Phil has taken much more public air time than Jim.

> has perhaps inevitably left a legacy of passion among many PGPers which has very little to do with patents and the petty legalities of intellectual property rights.

If you were a creative producer of intellectual property, you'd hardly think the legalities were "petty". They're how many of us make our living, and trace directly to the Founding Fathers and the US Constitution. They are, in fact, high international policy and the subject of much hard thought between nations as well.

> The RSA/PGP suit is not, however, about free public access to PKC crypto-enabled privacy tools or secure e-mail. Nor is it (any longer) about a bearded Lone Crusader -- all but caped -- thumbing his nose at corporate America.

Correct. By the way, Phil never made a case for, nor stood up as thumbing his nose at corporate America as far as I'm aware. His big advocacy and policy posturing has to do with export control law, not patent law. The intellectual property of others has (had) been held hostage to this ideological crusade of Phil's.

> Everyone grew up. Everyone wears a suit. Everyone holds stock options. This is now a dispute between two multi-million dollar corporations over the terms of a contract and the case law that defines the scope and context of that contract's provisions. Contract cases tend to be a lot more straightforward than patent cases.

Yup.

> Even on its own terms, it's going to be an interesting legal case to watch unfold. But it's no longer folklore. It's finance and law.

Most who read the source documents you posted and take the facial meaning of the English language will come away convinced that RSADSI is on solid ground, and Pretty Good Privacy Inc. will have to pull an O.J. (o.k., a Cochran) to get off. It will be interesting to see whether they try to obfuscate the basic issues. Given the sensible nature of their new management, and the lack of any ideological allegiance to Phil's burned bridges, my own guess is that they will sue for peace.

David

-----------------------------------------------------------

From: estone@synernet-d-o-t-com (Ed Stone)
Organization: Synernet
Newsgroups: comp.security.pgp.discuss, alt.security.pgp, talk.politics.crypto
Date: Sat May 24, 1997 8:35 AM

In article <vin-2405970317450001 () vin shore net>, vin () shore net says...

> FYI: The RSA/PGP case file is now online. Reading it may leaven this discussion with more fact and winnow out some of the passion and vitriol. (Then again, maybe not...;-)

Very interesting reading, and... more fun than a soap opera. The "reverse triangular merger", the claim that arbitration of disputes does not survive unilateral termination of the agreement, the marking requirements... This is going to be a very interesting case.

Reading here only the agreement and the request for injunction, RSA apparently has a very well laid out case, with only a few obvious weak points, which may not, at worst, be fatal to its position. PGP must be scrambling to see that it goes to arbitration. The filing in a non-federal court (infringement suits must be filed in federal court) is interesting.

I am ready to predict the outcome, unequivocally: Some lawyers are going to make a lot of money!

--
-------------------------------
Ed Stone
estone@synernet d o t com
-------------------------------

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.

* Vin McLellan + The Privacy Guild + <vin () shore net> *
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548