From: tcmay@netcom.com (Timothy C. May)
Date: Thu, 29 Apr 93 01:36:29 PDT
To: Cypherpunks@toad.com
Subject: Tough Choices: PGP vs. RSA Data Security
Message-ID: <9304290836.AA17180@netcom.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Cypherpatriots,

This is a tough posting to write. I may even be called a quisling, or even
a sternlight!

This may be the most important posting I make during this current
Clipper-Big Brother Chip controversy. 

I suggest that we as a community seriously reconsider our basic support for
PGP. Not because of any flaws in the program, but because of issues related
to Clipper and the potential limits on crypto.

Continuing use of PGP causes several problems:

1. If RSA fails to take actions against sites and users, it weakens their
legal position with respect to their patents. The government does not need
licenses in any case, but users of Clipperphones *do* (not the final
end-users, but the suppliers of Clipperphones to non-government customers).


(A case can be made that repudiation of the patents might be a good thing.
I know I have argued this at times. It's hard to know.)

2. The "guerrilla crypto" aspect of the PGP community (and our group) is
charming, but may be counterproductive. If we are viewed as outlaws, the
target even of RSA, then we have almost no influence, save for underground
subversion.

(To put this another way, if we are seen as RSA Data's enemy, we lose a
potential ally. I am suggesting that a coming war between strong crypto on
one side and government snooping on the other will force all participants
to choose up sides.)

3. Supporting a legal version of strong crypto, which RSA Data-approved
programs are and PGP is *not*, is a much more solid foundation from which
to fight possible restrictions on strong crypto.

4. Our time could better be spent by solidifying existing RSA programs,
including RIPEM, RSAREF-derived programs, MailSafe, and so forth. This is
the approach several major companies have taken (Apple, Lotus, Sun, etc.). 

I've urged Jim Bidzos to work toward some compromise with the PGP community
(and I think everyone recognizes the positive aspects of this growing
community). This might include creating translation programs so MailSafe or
RIPEM can read PGP files, a reworking of PGP to conform to licensing
requirements, etc.

I'm hoping that Phil Zimmermann can see what the real battle is. The PGP
community is not likely to win their battle in court, and the effect of
such a court battle will be divisive and ultimately may help the government
in its plans. Phil Z. is most unlikely to ever see any real revenues from
PGP. 

I think the benefits of a strong, legal, supported crypto product are
greater than the dubious benefits of having a "free" piece of software. At
any reasonable hourly wage, the cost of MailSafe ($125, last time I
checked) is dwarfed by the amount of time crypto activists like ourselves
spend debating it, downloading it, awaiting patched versions, etc.

(All is not rosy on the RSA Data side, either. RSA Data chose to
concentrate on getting RSA built in to e-mail products from the major
companies and chose not to devote much effort to PGP-like personal
encryption products (such as MailSafe, which runs on DOS and UNIX only and
which hasn't changed much since 1988). Support for RSA Data should mean
more support for these kinds of products. We could essentially ask RSA for
a commitment in this area.)

I'm arguing that we should look carefully and see what the real issues are,
who the real enemy is, and then make plans accordingly. 

Awaiting your feedback,

-Tim May
--
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, smashing of governments.
Higher Power: 2^756839 | Public Key: MailSafe and PGP available.
Waco Massacre + Big Brother Wiretap Chip = A Nazi Regime