From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Fri, 18 Mar 94 20:34:14 PST
To: cypherpunks@toad.com
Subject: Re:  EFF gun-shy of legally employing PGP
Message-ID: <9403190433.AA12017@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text/plain


Anonymous is alleged to have said:
> : > Yes, but the point of the reply, is that PGP signatures SHOULD
> : > be used by sysops.
> : Hmmm... why PGP, as opposed to the FIPS Digital Signature Standard?
> Yes, you can use the DSS (unless it is given away to PK partners, that is).

No, you can't use the DSS.  The reason NIST was getting into confusion
about whether they have to give it to PKP is that PKP says that it
infringes on Schnorr's patent, which they recently bought up;
assuming that's true technically (I haven't looked in a while),
this means you need a license from PKP to use DSS.

Unlike RSA, which the government has some rights to use because
it partially funded their work, even the government doesn't
have rights over Schnorr's work, since they didn't fund it,
so the NIST is in deeper yogurt with DSS than with RSa signatures.

You can still use DSS for research and the usual things you can use
patents for without a license, but you can do the same with PGP.
RIPEM can be used free non-commercially in the US+Canada under the
RSAREF license terms, and RIPEM-SIG can even be exported.

(Now all we need to do is find a way to get RIPEM-SIG to do
key exchange and message encryption as well as signatures 
and patch it into PGP :-)  (presumed not possible...)
			Bill