In article <[EMAIL PROTECTED]>,
Vin McLellan <[EMAIL PROTECTED]> wrote:
> To which (in what seems to me a non-sequitur) Mr. Rescorla retorted:
>
> >This does not mesh with my experience.
> >
> >RSA has historically made it very difficult to get patent licenses,
> >prefererring to encourage the use of BSAFE. When I worked for Terisa,
> >we explicitly told them we wanted a patent license and were told
> >we had to use BSAFE. I have heard similar reports from other people.
>
> Are we talking about two separate things here?
Vin,
Maybe. Why don't I try to summarize, and you tell me where I
went wrong?
My understanding is that we were debating the quality of RSA's code
(i.e., RSAREF and BSAFE). If I understand correctly, your initial
claim was that RSA's code is of the highest quality and technical
excellence. If I understood you correct, as one piece of evidence
you offered the absolutely huge deployed base of BSAFE, apparently
reasoning that this widespread adoption must be attributable to some
substantial technical merit. (Right?)
The above comment from E. Rescorla seems to refute any reasoning
along these lines. Namely, it is possible that BSAFE is widely used
primarily because RSA's lawyers imposed considerable pressure on
developers to choose BSAFE over other alternatives, not because
there is any fundamental technical reason to prefer BSAFE.
(Arguably, the flaw in this reasoning should have already have been
immediately apparent -- after all, just because everyone is using
a product doesn't necessarily mean that it's any good, witness
Microsoft -- but Rescorla's note seems to provide a slam-dunk explanation
for how a cryptographic library of poor technical merit could be so
widely-used.)
Note: I'm not saying that Rescorla's note demonstrates that BSAFE
is poorly coded; I'm just saying that it refutes the reasoning
`if everyone is using it, it must be good'.
If we're talking about two separate things here, or if I was
misunderstanding your original claims regarding RSA's code, I would
appreciate further elaboration on your position.
-- David
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
