Um.  I found the tone of your reply to my contribution uncalled for
and very offensive, and it's made the business of composing a reply
that bit less pleasant.  I hope you don't feel the need to address
other contributors here that way too often.

I don't think I want to name the company, the product, or the standard 
implemented, so you'll simply have to either take what I here assert
on trust or subject it to further derision.

First, you seem to be having difficulty believing that the product was 
not primarily a crypto product.  On this point there is no doubt
whatsoever - you can accuse me of lying if you like, but not of
credulousness.  After the license was published, the RSA logo appeared 
on the splash screen of the product, along with the logos of other
companies whose licenses were sought for it.  However, no great
song-and-dance was made about the crypto used or its strength since
it's not something the buyers would have given a damn about - it was
just necessary for a complete implementation of the standard.  If you
can't think of products that contain strong crypto as an incidental
part of their functioning you are certainly not qualified to make
guesses about the legal status of the many such products out there.

Secondly, it seems most likely to you that the BSAFE code would have
been used for the implementation of RC4.  Now I didn't implement it
myself, so I can't claim absolute certainty on this point.  However,
I did see the implementation before the license was purchased, and
since RC4 is the simplest strong stream cipher in the world it would
seem strange to imagine that it would be easier to take the code from
BSAFE than to implement it from scratch from the description in
Applied Cryptography (Second Edition), which is what the implementor
told me he did.  I've implemented RC4 several times myself for
different projects so this seems plausible to me.

I know that the license was purchased before the crypto-enabled
version was shipped.  So even if they had stolen the initial
implementation from BSAFE, they could have replaced the implementation 
if they thought that would satisfy RSA.  They didn't because it was
clear to them that RSA were prepared to call *any* RC4 implementation
a violation of their copyright.  I don't think anyone would peg the
cost of re-implementing RC4 at over $100,000.

Thirdly, the person who told me how much they'd paid RSA was
deliberately vague to me about the exact sum, but they were certainly
in a position to know how much it was, and it was six figures in US
dollars.  Again, he could have been lying to me but it would have been 
out of character.

I find it surprising that this little story of law-as-bludgeon seems
so implausible to you: the practice of threatening lawsuits against
people so that they reason it's cheaper to pay you than to allow
themselves to be sued seems to be very common, especially in the USA,
especially over intellectual property issues.  However, even if you're
unconvinced, I hope that any reply you compose does without hooting
and other sound effects, since I'm not paid to discuss this and you're
not making it any more fun.
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\
