From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Sat, 31 Jul 93 21:14:07 PDT
To: cypherpunks@toad.com
Subject: D. Bernstein's Open Letter on NIST-PKP-DSA
Message-ID: <9308010625.AA13452@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


Someone flamed once over including Usenet (esp. sci.crypt) postings
here, so I'll just give a summary of an excellent letter posted by D.
Bernstein (cowriter sci.crypt FAQ, dogged Sternlight flamer, ITAR
consultant, cryptographic agitator, etc.). I'm sure there'll be a lot
of flames over this one in sci.crypt, assuming nobody's brain dead.
There's some real pointy pricks at Bidzos and PKP (the truth hurts).

In short, Bernstein looks at the specific laws and conventions
surrounding granting a patent and exclusively so by the government to a
private company. The laws are fairly restrictive. The most devastating
claim is that NIST has failed to adhere to the law in granting a
license "only if, after public notice and opportunity for filing
written objections, it is determined that the interests of the Federal
Government and the public will best be served by the proposed license
... and the proposed terms and scope of exclusivity are not greater
than reasonably necessary.." 35 USC 209(c)(1)  Mostly he objects to the
*exclusive* arrangement (read: MONOPOLY), and points out that ``NIST
does not need to wait 60 days for public comments in order to grant a
nonexclusive license.'' 

- ``The public obviously has an interest in being able to use DSA
without royalty payments after PKP's patents expire. The grant of an
exclusive license would not serve this interest.'' Hence the `public
will be best served by the proposed license' clause of the law above is
not satisfied. Similar to the S. Walker letter I posted earlier.

- Law states that, for (partially or wholly) exclusive arrangements,
"the desired practical application has not been achieved,  or is not
likely expeditiously to be achieved, under any nonexclusive license
which has been granted, or which may be granted, on the invention."
That is, a monopoly is only acceptable if the products would be brought
to market in no other way. But Bernstein cites Info Security Corp.
selling implementations of DSA *now*.

- Similarly, law requires "exclusive or partially exclusive licensing
is a reasonable and necessary incentive to call forth the investment of
risk capital and expenditures to bring the invention to practical
application or otherwise promote the invention's utilization by the
public." 35 USC 209(c)(1)(C) But DSA is already in practical
application and promoted by ISC. Not only that, but digital signatures
would clearly be embraced by many companies *without* the incentive of
awarded monopoly (assuming the algorithm was robust, but we're going in
circles). He argues that a *nonexclusive* arrangement with PKP could
achieve the `same effects', and therefore the monopolistic arrangement
is not `reasonable or necessary' under this law.

-  NIST's 8 June 1993 notice states that "it was determined that
expeditious granting of such license will best serve the interest of
the Federal Government and the public." As Bernstein writes, ``under 35
USC 209(c)(1), NIST is required to make such determinations
_a_f_t_e_r the public comment period...''

- Points out that NIST has `already promised the public royalty-free
use of DSS'.  Items: The Deputy Directory of NIST testified on 27 June
1991 that DSA "is expected to be available on a royalty-free basis in
the public interest world-wide." In the 30 August 1991 Federal
Register, NIST stated again "NIST expects it to be available on a
royalty-free basis. Broader use of this technique resulting from public
availability should be an economic benefit to the government and the public."

- Attacks the PKP royalty rates as `obscene' and `exploitive'. In the
June 8 announcement there is the slippery phrase, `subject to uniform
minimum fees'. The fees are neither uniform nor minimal. $10K startup
plus $10K per year for businesses under $1M per year, and $25K up front
and $10K per year for businesses over $1M per year.  ``Obviously it
would have been more difficult for PKP to convince NIST to grant PKP a
license if PKP had disclosed its actual exploitative fees---otherwise,
why has NIST been planning to require PKP to charge uniform fees?''
Sorry, that all assumes that NIST (that is, the NSA puppetmaster
driving it) isn't in full knowledge of every aspect of the complete
proposal, a rather unlikely scenario.

- He goes back and looks at early DSS testimony, and shows that
everyone's opinions on the patent infringement are divided and unsure,
whereas of those claiming `PKP and Schnorr have a serious claim upon
DSA rights' many have `a financial interest in PKP which they did not
disclose' (Bidzos, Rivest, Hellman, Fischer) which `you may not be
aware of'. (I can't imagine that M.R. Rubin could be so naive, he seems
rather likely to be an accomplice, but all bureacrats are inscrutable).

>Together these people shout quite loudly. Each one cites accusations of 
>patent infringement from the others, while they all pretend to be
>independent scientists and businessmen. Sometimes they bamboozle 
>outsiders into thinking "all these people say there's a problem, so
>there must be a problem."
>
>
In fact all the accusations come primarily from financial partners of
>one man, Jim Bidzos. Please be aware that all is not as it seems. The 
>interests of Jim Bidzos, no matter how often repeated, are not the 
>interests of the public.

- The NIST June 8 announcement does not actually describe the exact
licensing arrangement, only generalities. He asks that NIST give the
*specific* license arrangement and restart the 60 day public hearing
period, which is already ticking.

- Objects that NIST give in to PKP patents when it has not been
demonstrated (e.g. by a court) that the DSA algorithm infringes on the
PKP patents. I think he's on thin ice here, esp. regarding the Schnorr situation.

In general Bernstein doesn't subscribe to any conspiracy theories, and
takes the view that the wool has been pulled over NIST's eyes by PKP in
withholding information (such as the `uniform minimum fees'), and is
overly optimistic about the influence of his comments and others during
the review period (``even a short letter can be devastatingly
effective'' he writes).

I think this is a bit naive. In particular, the public-key Capstone
licensing term of the arrangement (which he completely ignores)
suggests that both sides were shrewdly engaged in a mutually beneficial
arrangement (that is, between NSA and PKP, NIST dutifully cloaking the
machinations of the former). The 60 days comments period on the
licensing is probably just a smokescreen--it serves nothing other than
determining how much outrage such an action would cause, how much
collusion can be slithered through.  Writing to Rubin, he states:

>You told me that the Federal Government has certain national security
>interests in the PKP license. As the documents explaining these
>interests are supposedly classified I am unable to address this point.

I'd be glad to explain it.  `national security interests': euphemism
for widespread Clipper & Capstone penetration and a wiretapping
free-for-all. Remember, without PKP's consent, Capstone public key
exchange infringes on PKP patents.  This is an *immensely* valuable PKP
trump card and critical necessity for the NSA if they want to have a
widespread commercial standard. Stop wondering why the NIST-PKP-DSS
arrangement is so one-sided! It makes no sense unless one considers it
in the full lewd exposure of the Clipper-Capstone clampdown.

* * *

On the other hand, lots of Anti PKP-Bidzos Propaganda!

>PKP is not an engineering company trying to protect a risky 
>investment; it is a litigation company using its patent portfolio.
>
>PKP is a litigation company. Its sole contact with the public, to my 
>knowledge, has been a series of threatening letters. It does not bring
>inventions to practical application, or promote use of anything by the
>public, nor has it ever demonstrated any ability to do so.


>Bidzos has habitually squashed the use of cryptography.
>
>It is well known that Bidzos, via PKP, has attempted to squash several
>public-key cryptography implementations, such as RPEM and PGP. For
>several years personal computers have been fast enough to make
>public-key cryptography convenient for the masses. Do you make daily use 
>of encryption? I suggest that, if it were not for Bidzos, we would all 
>be using cryptography now.
>
>If Bidzos's goal were to make money he would offer personal licenses to
>let individuals use PGP for a reasonable fee. Instead he simply refuses
>to provide any licenses for PGP.
>
>Given his history, do we want Bidzos in control of DSA? Especially now, 
>when he is just a few years away from losing his monopolies, does it 
>make any sense to give him a fresh new 17-year monopoly over a U.S. 
>government standard technology?

* * *

Included: why it's not `no big deal', and another call for YOU to write
letters (ah, if only all the faceless bureacrats had email addresses).

===cut=here===

From: djb@silverton.berkeley.edu (D. J. Bernstein)
Newsgroups: sci.crypt
Subject: An open letter of opposition to the NIST-PKP giveaway
Date: 31 Jul 93 00:23:03 GMT

NIST plans to give PKP exclusive rights to NIST's DSA patent. Attached
is a copy of a letter I just sent NIST in opposition to this plan.

Some people have told me that they've read the NIST-PKP announcement and 
don't see any big problem. After all, they say, PKP asks for a mere 5%
royalty rate! Isn't it worth this much to settle the issue?

These people have missed a crucial phrase in the announcement. ``PKP's 
royalty rates for the right to make or sell products, _subject to
uniform minimum fees_, will be no more than 2 1/2% for hardware products 
and 5% for software...'' [italics added].

Those ``uniform fees,'' it turns out, are a minimum of $5 per program
per user, subject to a minimum of $10,000 per program per year, plus a
non-uniform startup fee of $10,000 for small companies and $25,000 for
large companies.

If you'd like to object to the NIST-PKP giveaway, you still have time. 
Your letter must be received by Michael R. Rubin, Acting Chief Counsel 
for Technology, Room A-1111, Administration Building, National Institute 
of Standards and Technology, Gaithersburg, MD 20899, 301-975-2803, by 
Friday, 6 August. (Rubin actually says that the next Monday is okay; but 
I wouldn't risk it.)

Even a short letter (``Dear Mr. Rubin: For NIST to grant an exclusive
DSA license to PKP would be illegal and against the public interest.
Please do not do this.'') can be devastatingly effective.

(You may also want to send a copy of your letter to the League for 
Programming Freedom, 1 Kendall Square #143, P.O. Box 9171, Cambridge, MA 
02139.)

---Dan