Interesting People mailing list archives

IP: "RSA Suit Against PGP"


From: David Farber <farber () cis upenn edu>
Date: Sat, 24 May 1997 22:11:04 -0400

Date: Sat, 24 May 1997 18:03:14 -0500
To: farber () cis upenn edu
From: Vin McLellan <vin () shore net>
Subject: <fyi> "RSA Suit Against PGP"


<Dave,  This snippet from the frothy newsgroups' debate about the RSA/PGP
Suit may be of interest. _Vin>
-------------------


Date: Sat, 24 May 1997 03:17:56 -0500
From: vin () shore net (Vin McLellan)
Subject: Re: RSA Suit Against PGP
Organization: The Privacy Guild
Newsgroups: comp.security.pgp.discuss, alt.security.pgp, talk.politics.crypto




   FYI: The RSA/PGP case file is now online.  Reading it may leaven this
discussion with more fact and winnow out some of the passion and vitriol.
(Then again, maybe not...;-)


   RSA Data Security filed a "Complaint for Declaratory and Injunctive
Relief" against PGP, Inc., on May 6, 1997 (CASE No. 400585) In the
Superior Court of California, County of San Mateo.


   The text of the RSADSI Complaint may be read at:
<http://jya.com/rsavpgp.txt>


   Two exhibits were attached to the Complaint:


   (A) the 4/16/97 letter from RSADSI's attorney to PGP Inc., terminating
the Lemcom/ViaCrypt/PGP Inc. license agreement for cause, which is now
available at: <http://www.parrhesia.com/rsapgp.html> -- and


   (B) the full 1992 license Agreement between PKP and Lemcom Systems,
which is now available at: <http://jya.com/pkplem.htm> (longish, 41k)


   PGP, Inc. has not yet filed a response to the RSA Complaint.


   The only real aftermath to the suit, AFAIK, was the apparent revolt in
the PGP, Inc., Board of Directors.  On May 13th, after the PGP Board had
considered the RSA allegations for a week, there was a bloodbath at PGP Hq
in San Mateo.


   Dr. Thomas Steding, who had been PGP's President and CEO, was summarily
bounced.  He was replaced by Phillip Dunkelberger, a Symantec sales
veteran who had been PGP's VP for Sales.  Phil Zimmerman, who had been
Chairman of the Board, was removed from that position. He was replaced by
Jonathan Seybold, of Seybold Seminars and Seybold Publications, who had
been a member of the PGP board for a year.  Zimmerman, whose personal
presence is rather central to PGP's corporate identity, was retained as
Chief Technology Officer, but other PGP executives and managers who were
said to have been close to Zimmerman were told their jobs had been
eliminated, effective immediately.


   I got a note, the same day, from one PGP exec who was looking for a
job.  The Seybold Coup and the rain of pink slips had taken him completely
by surprise, he said.


   I'm not without allegiances in all this (the Privacy Guild has done
consulting for SDTI, the compsec company which bought RSADSI in '96, for
many years) but I've been a privacy activist for 30 years, had PGP since
v.20, and -- like almost everyone professionally involved with infosec --
I've followed the long Zimmerman/RSA conflict with obsessive fascination.
It's a tale of myth and legend.  Everyone involved seems larger than life:
Zimmerman, Ron Rivest, Jim Bidzos, Bobby Ray Inman, Adi Shamir, Len
Adleman.  In fact, even today, everything about public-key crypto still
seems vastly out of scale: issues, impact, politics, people, potential --
not to mention the NSA, the spidery but gargantuan Queen of the American
Intelligence Community.


   Against that background, Zimmerman's volatile relationship with the
three guys who actually invented the RSA public-key cryptosystem; and with
Bidzos, RSADSI's vocal and acerbic President, has perhaps inevitably left
a legacy of passion among many PGPers which has very little to do with
patents and the petty legalities of intellectual property rights.


   The RSA/PGP suit is not, however, about free public access to PKC
crypto-enabled privacy tools or secure e-mail.  Nor is it (any longer)
about a bearded Lone Crusader -- all but caped -- thumbing his nose at
corporate America.


   Everyone grew up. Everyone wears a suit. Everyone holds stock options.
This is now a dispute between two multi-million dollar corporations over
the terms of a contract and the case law that defines the scope and
context of that contract's provisions.  Contract cases tend to be a lot
more straightforward than patent cases. Even on its own terms, it's going
to be an interesting legal case to watch unfold.  But it's no longer
folklore. It's finance and law.

--
         Vin McLellan + The Privacy Guild + <vin () shore net>
   53 Nichols St., Chelsea, MA. 02150 USA Tel.(617) 884-5548


----------------------------------------------------------------


Date: Sat, 24 May 1997 03:56:45 -0700
From: David Sternlight <david () sternlight com>
Organization: DSI/USCRPAC
Newsgroups: comp.security.pgp.discuss,alt.security.pgp,talk.politics.crypto
Subject: Re: RSA Suit Against PGP (long)


Vin McLellan wrote:

   FYI: The RSA/PGP case file is now online.  Reading it may leaven this
discussion with more fact and winnow out some of the passion and vitriol.
(Then again, maybe not...;-)

   RSA Data Security filed a "Complaint for Declaratory and Injunctive
Relief" against PGP, Inc., on May 6, 1997 (CASE No. 400585) In the
Superior Court of California, County of San Mateo.

   The text of the RSADSI Complaint may be read at:
<http://jya.com/rsavpgp.txt>

   Two exhibits were attached to the Complaint:

   (A) the 4/16/97 letter from RSADSI's attorney to PGP Inc., terminating
the
Lemcom/ViaCrypt/PGP Inc. license agreement for cause, which is now
available at: <http://www.parrhesia.com/rsapgp.html> -- and

   (B) the full 1992 license Agreement between PKP and Lemcom Systems,
which is now available at: <http://jya.com/pkplem.htm> (longish, 41k)

   PGP, Inc. has not yet filed a response to the RSA Complaint.


Thanks very much to Vin for posting the pointers. I've read the
materials and they are quite interesting. I'll try to comment concisely,
and there's lots of ground to cover.


1. It is interesting that early in the complaint RSADSI mentions Phil
Zimmermann's publication of PGP as freeware without a license to RSA.
That recitation seems to lead nowhere in terms of the subsequent matter,
so I'm not clear whether that is simply a historical bit of background
or a tacit message about prior infringement. Do judges read between the
lines? Will one be smart enough to pick up on that? I don't know;
perhaps an attorney reader of these musings may.


2. Apologies in advance (and corrections welcomed) for the following
precis, which I hope doesn't do too much damage to the materials:


It appears that Lemcom (we've been referring to them as Viacrypt, since
they licensed RSA and published Viacrypt) had a very restricted license,
limited to selling individual copies to end users. They did not have the
right to assign the license, nor to sell OEM copies. Users could only
make a single further copy for archival purposes.


In order to get around this, when PGP Inc. merged with Lemcom to create
Pretty Good Privacy Inc., they tried to set it up to look as if Lemcom
were the surviving company, which then changed its name to Pretty Good
Privacy Inc. (that may explain the citation by one reader that Phil said
their lawyers were very careful about this)--rather than seeking a new
license from RSADSI.


RSADSI alleges that was a sham. They cite the executive changes, the
geographical locations, and the public statements, in support of that
allegation of sham. What's more, they assert that it's well-established
case law that a triangular merger of this kind (even if it weren't a
sham) is an assignment, and Lemcom is prohibited by the license from
assigning their license rights without RSADSI's permission, which was
neither sought nor granted.


RSADSI then invokes their right to cancel the agreement for this
violation (and others including alleged non-payment of royalties, and
OEM sales which are explicitly excluded in the license). Further, they
assert that according to the agreement itself, if the agreement is
cancelled for such causes, the arbitration provisions don't apply. They
thus ask the court for relief.


(They further claim that Pretty Good Privacy Inc. has refused to open
their books to audit by RSADSI as required in the license.)


What does all this mean?


1. If RSADSI is correct, RIGHT NOW Pretty Good Privacy Inc. is
distributing an unlicensed version of RSA (in any existing products
they're selling and in the 5.0 betas). Anyone accepting or using such
copies (in the US) is also infringing, since they are using unlicensed
copies of RSA. If RSADSI prevails, they could theoretically seek damages
from anyone buying or using copies of such products since the April
cancellation letter they sent, as well as damages from Pretty Good
Privacy Inc. for such post-cancellation infringement. Note that this has
nothing to do with Pretty Good Privacy Inc.'s  30 days to respond to the
court filing. If Pretty Good Privacy Inc. loses they will have been
infringing since April.


2. Unless Pretty Good Privacy Inc. can come to some new agreement with
RSADSI (and RSADSI is willing to enter into such an agreement--I think
they can cite the license violations as valid grounds to refuse such a
new license), they can no longer sell "classical PGP" and their products
will no longer be compatible with "free PGP". They will have to convert
everyone to D-H only. Whether all those users of free PGP all over the
world (and FileCrypt) would be willing to drop RSA is an interesting
question. Since it would be in aid of a commercial firm (Pretty Good
Privacy Inc.) and caused by that firm's violation (if it proves so) of
the license, there is some doubt people will join such a move in enough
numbers to make for a viable business model.


3. Even if Pretty Good Privacy Inc. can get people converted, they will
have to solve the export problem all over again. That is--there are no
copies of the new software overseas (at least not legally) and it is
currently forbidden to export it. In contrast, classical PGP is
available worldwide (except in countries with crypto prohibitions such
as France and Russia), and all versions interoperate with each other.


4. Pretty Good Privacy Inc. should be praying someone "cracks" RSA, so
that a case can be made to shift. Rumors of such impending weakness have
started to show up. Given all the expert assurances in the past of RSA's
robustness, some might think they are false rumors being planted for
selfish commercial purposes, particularly since there has been no
serious discussion of any such "impending breakthroughs" in sci.crypt or
the professional literature.


5. For the moment, users of FileCrypt (commercial users), and
(non-commercial) users of Free PGP need do nothing. Their existing
programs are properly licensed either via MIT or directly from RSADSI
(or exempt from the US RSA patent outside the US). Those who have bought
"pay" PGP from Viacrypt or Pretty Good Privacy Inc. prior to the April
cancellation date are perhaps also ok (but see below).


6. I confess ignorance as to whether any liability could accrue to such
prior-to-April Pretty Good Privacy Inc. purchasers if it were shown (as
RSADSI claims) that Pretty Good Privacy Inc. didn't remit license fees
to RSADSI. It's a delicate legal point--for instance if you hire a
contractor and he doesn't pay his employees (even if you pay him), YOU
are liable in most jurisdictions. Just so if you pay Pretty Good Privacy
Inc. and they didn't pay RSADSI, are you liable? Have you been
infringing? I don't know. Perhaps an attorney skilled in this practice
can comment, but let's not guess--I won't if you won't, dear reader.


7. New commercial users who wish to use PGP-type encryption and who
don't want to risk infringing ought to consider FileCrypt if they have
Macs, which is directly licensed by RSADSI. If they have PCs, they ought
to light votive candles either to the speedy completion of the
PC/Windows version of FileCrypt, or to Pretty Good Privacy Inc.
prevailing in the legal matter. Note that current versions of PGP 5.0
(beta) using D-H won't avoid this problem, since they still also use
("practice the patent" for) RSA.



   The only real aftermath to the suit, AFAIK, was the apparent revolt in
the PGP, Inc., Board of Directors.  On May 13th, after the PGP Board had
considered the RSA allegations for a week, there was a bloodbath at PGP Hq
in San Mateo.

   Dr. Thomas Steding, who had been PGP's President and CEO, was summarily
bounced.  He was replaced by Phillip Dunkelberger, a Symantec sales
veteran who had been PGP's VP for Sales.  Phil Zimmerman, who had been
Chairman of the Board, was removed from that position. He was replaced by
Jonathan Seybold, of Seybold Seminars and Seybold Publications, who had
been a member of the PGP board for a year.  Zimmerman, whose personal
presence is rather central to PGP's corporate identity, was retained as
Chief Technology Officer, but other PGP executives and managers who were
said to have been close to Zimmerman were told their jobs had been
eliminated, effective immediately.


Presumably there is some cause and effect here.



   I got a note, the same day, from one PGP exec who was looking for a
job.  The Seybold Coup and the rain of pink slips had taken him completely
by surprise, he said.


More likely a board-organized or major stockholder-organized attempt to
save the company, rather than any sort of "coup".



   I'm not without allegiances in all this (the Privacy Guild has done
consulting for SDTI, the compsec company which bought RSADSI in '96, for
many years) but I've been a privacy activist for 30 years, had PGP since
v.20, and -- like almost everyone professionally involved with infosec --
I've followed the long Zimmerman/RSA conflict with obsessive fascination.
It's a tale of myth and legend.


If we're stating allegiances, I quite like (and use) PGP (as well as
FileCrypt, PKCS systems, and even RIPEM). I hold valid licenses to all
four and to RSADSI's RSAREF and RSAREF2 toolkits. My preferences as
between them are based strictly on convenience of user interface for the
Mac, use, and number of users of each with whom I communicate.


In addition it should be said that as a sometime producer of
intellectual property myself, I have no use for those who infringe
another's intellectual property. For those who have been endlessly
speculating here on my motives with respect to my comments on Phil
Zimmermann's acts and acknowledgements--there it is. I take such things
personally, whether they are done by individuals of the left, large
right-wing corporations, or anything in between.


Everyone involved seems larger than life:
Zimmerman, Ron Rivest, Jim Bidzos, Bobby Ray Inman, Adi Shamir, Len
Adleman.  In fact, even today, everything about public-key crypto still
seems vastly out of scale: issues, impact, politics, people, potential --
not to mention the NSA, the spidery but gargantuan Queen of the American
Intelligence Community.


Hardly the Queen, any more than the Signal Corps is the Queen of the
Army. They're a technical service organization staffed with boring
mathematicians, engineers, linguists, etc., which has been
over-romanticized due to needed secrecy, and over-attacked due to the
natural tendency of more vigorous civil libertarians, iconoclasts, and
some of the left to see bogey men under every bed. Yes, there are the
occasional real bogeymen under the odd bed, and eternal vigilance, etc.
But it has been carried much too far.



   Against that background, Zimmerman's volatile relationship


That's quite a circumlocution. Do you mean to say "infringements of the
patents of?"


with the
three guys who actually invented the RSA public-key cryptosystem; and with
Bidzos, RSADSI's vocal and acerbic President,


I have not found him at all acerbic, and his vocalizations are quite
focussed, highly circumscribed, and usually by invitation (though he
does have a nice touch with the odd wall poster). I think Phil has taken
much more public air time than Jim.


has perhaps inevitably left
a legacy of passion among many PGPers which has very little to do with
patents and the petty legalities of intellectual property rights.


If you were a creative producer of intellectual property, you'd hardly
think the legalities were "petty". They're how many of us make our
living, and trace directly to the Founding Fathers and the US
Constitution. They are, in fact, high international policy and the
subject of much hard thought between nations as well.



   The RSA/PGP suit is not, however, about free public access to PKC
crypto-enabled privacy tools or secure e-mail.  Nor is it (any longer)
about a bearded Lone Crusader -- all but caped -- thumbing his nose at
corporate America.


Correct. By the way, Phil never made a case for, nor stood up as
thumbing his nose at corporate America as far as I'm aware. His big
advocacy and policy posturing has to do with export control law, not
patent law. The intellectual property of others has (had) been held
hostage to this ideological crusade of Phil's.



   Everyone grew up. Everyone wears a suit. Everyone holds stock options.
This is now a dispute between two multi-million dollar corporations over
the terms of a contract and the case law that defines the scope and
context of that contract's provisions.  Contract cases tend to be a lot
more straightforward than patent cases.


Yup.


Even on its own terms, it's going
to be an interesting legal case to watch unfold.  But it's no longer
folklore. It's finance and law.


Most who read the source documents you posted and take the facial
meaning of the English language will come away convinced that RSADSI is
on solid ground, and Pretty Good Privacy Inc. will have to pull an O.J.
(o.k., a Cochran) to get off. It will be interesting to see whether they
try to obfuscate the basic issues. Given the sensible nature of their
new management, and the lack of any ideological allegiance to Phil's
burned bridges, my own guess is that they will sue for peace.


David


-----------------------------------------------------------


From: estone@synernet-d-o-t-com (Ed Stone)
Organization: Synernet
Newsgroups: comp.security.pgp.discuss, alt.security.pgp, talk.politics.crypto
Date: Sat May 24, 1997 8:35 AM


In article <vin-2405970317450001 () vin shore net>, vin () shore net says...


   FYI: The RSA/PGP case file is now online.  Reading it may leaven this
discussion with more fact and winnow out some of the passion and vitriol.
(Then again, maybe not...;-)



Very interesting reading, and... more fun than a soap opera. The
"reverse triangular merger", the claim that arbitration of disputes
does not survive unilateral termination of the agreement, the marking
requirements... This is going to be a very interesting case.


Reading here only the agreement and the request for injunction, RSA
apparently has a very well laid out case, with only a few obvious weak
points, which may not, at worst, be fatal to its position. PGP must be
scrambling to see that it goes to arbitration.


The filing in a non-federal court (infringement suits must be filed
in federal court) is interesting.


I am ready to predict the outcome, unequivocally: Some lawyers are
going to make a lot of money!

--
-------------------------------
Ed Stone
estone@synernet  d o t  com
-------------------------------


"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A thinking man's Creed for Crypto/ vbm.


 *     Vin McLellan + The Privacy Guild + <vin () shore net>    *
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548


