Vin McLellan <me> wrote:
>> Mr. T also made what I called several "obscenely ill-informed"
>> comments about the quality of RSA's staff and crypto engineering.
Bennett Todd <[EMAIL PROTECTED]> replied:
>By repeatedly conflating all companies in any way associated
>with RSA we get to draw in various competent people into the big
>umbrella. I took some care to try and confine my remarks to RSADSI;
>perhaps that was a waste of effort.
You just have the scale of everything all wrong. There have never
been any "companies [...] associated with RSA" the way your big Wall Street
employers have clouds of subsidiaries.
AFAIK, there was only RSADSI until it was purchased by SDTI a couple
of years ago. RSA Labs and RSA Engineering and RSA Sales were all internal
groups. From '82 to '92, RSADSI had like eight to twelve guys and gals in
San Mateo. (I was never sure RSA was going to be there when I called;-)
RSADSI never had a staff of more than 20 until the Internet boom hit
in 93-94, and they did it all: the BSAFE programming; the basic PKCS
development; the advanced crypto research; the strategic marketing and the
OEM sales. Looming in the background, cross-continent of course, was the
infinitely creative MIT Prof, Ron Rivest, who produced MD4 (the basis for
SHA), MD5, RC2, RC4, and now RC5 and (AES candidate) RC6.
RSA subsequently doubled and tripled in the '90s, but we're still
talking about less than a busload of people. RSADSI's companies? Sheeesh!
>It's possible that good programmers actually did work on BSAFE for
>all I know; people have done the strangest things.
In your dreams, you'll be surrounded by such talent, someplace;-)
I suspect there aren't many crypto engineers or cryptographers on
the planet who haven't sometime dreamed of working at RSA. Ask one. The
lure of Excellence is strong.
>But it's for sure
>that BSAFE doesn't compete on its merits, it competes under threat
>from lawyers. Which threat gets defanged on September 29 of this
>year.
How timely! It's so rare that people can still smell the BS when
the proof hits the wall!
The new US export regs on crypto, published Wednesday, will for
the first time allow RSA to freely sell the classic BSAFE toolkits to
international OEMs, challenging the major crypto vendors from Ireland,
Germany, and Japan.
Outside the US, of course, there is no RSApkc patent. Only merit,
as it were;-) I suspect RSA's BSAFE suite will do quite well without fangs.
(Big OEM deals are generally announced. I'll send you some of the
announcements, Mr. T!)
>> Mr. T hates RSA because he believes RSADSI was to blame for the US
>> Patent Office's decision to permit cryptosystems like RSApkc to be
>> patented.
>
>Nope. I've not said that, and don't believe it. Sure, granting
>patents on algorithms is insane, and using the ability to do so to
>blackmail people into using your inferior product is amoral and
>evil. But they didn't start the practice, they've just attempted to
>profit from it.
Ouch! (Playing with those poisoned darts again, Mr. T?)
(Blackmail? Amoral? Evil? Ah well, so much for simple Q&A;-)
IP for crypto, and patents for cryptosystems, is a wee bit more
complex than patents for algorithms, per se. <sigh> The politics and legal
context for US patents in software -- and for patents on algorithmic
processes, including cryptographic processes -- are probably beyond the
scope of these Lists. (Although we could work on it elsewhere;-)
Sane or "insane" -- and neither label is particularly useful --
patents and intellectual property (IP) rights are as central to your
profession as the interest rate is to the bankers' trade. (Think of those
Wall Street institutions whose surely universally benevolent enterprises
have benefited from your pious labor, sanctimonious judgement, and towering
moral leadership for lo these many years, hey?;-)
It's almost more of an honor than I can handle to engage a grown man
so crystal pure and self-righteous that he can use such vicious slurs to
describe the wholly-legal, totally upfront, overt behaviour of a little
company like RSA.
(Especially when _I_ credit RSA as an important, if not crucial,
player in the commercial and political struggle to safeguard both the
potential for unGAKed personal privacy, and a model of 21st Century
e-Commerce without a spook or a spook's computer listening in on every
negotiation, deal, transaction.)
Truth is, Oh Blessed One, I think your moral altimeter is sorely in
need of adjustment. (Although I greatly envy your obvious unfamiliarity
with evil.)
RSADSI used its patent monopoly to marshal OEM capital and
third-party venture cash in a wildly successful campaign to project its
patented technology broadly into the marketplace. This, I think, is just
what the authors of the Patent Clause in the US Constitution (RTFM!) hoped
would be the result of the modern patent monopoly!
Mr. T condemns RSA as "amoral and evil" because it refuses to
sanction knock-offs of its inventions and proprietary designs. (And he's
blind to the wonder of what RSA created with *its* market-development
strategy: this gargantuan, half *billion* user community -- serviced by
nearly 700 OEMs which field *thousands* of products -- within which full
crypto interoperability and compatibility are largely *assumed!*)
So, evil RSA chose an OEM strategy.
Piracy is a fact of life with IP. RSADSI, as I interpret its
history, chose to address this problem (and generally simplify its business)
with a pricing and marketing strategy which told a generation of local
programmers like Mr. T to go play with themselves.
To the managers and bean-counters in all those companies, RSA said:
"Check the economics! Buy RSApkc installed in a commercial product for a
better ROI."
Irritating (particularly to those who want to use rogue or
unlicensed RSApkc implementations in the US.) Frustrating (particularly for
those who wanted the personal freedom to code their own crypto primitives
for production systems in the US.) Evil. Right.
(Let me put it to the Listocracy: Reading Bennett's words, would
_you_ trust our Mr. T *not* to steal or assist in the theft of RSA's
proprietary IP if he had the chance?
(We all presume Mr. T cheered and capered with delight when
anonymous parties pirated Ron Rivest's RC2 and RC4 algorithms -- which RSA
had not patented -- and posted them to the Net, right?
(And there wasn't much weeping in the bowels of Wall Street in the
years since the applied crypto marketplace was first flooded with clones of
a cryptosystem Whose Name They Dare Not Speak: e.g., ARC4, "apparently RC4.")
Rogues, rebels, and reprobates of all sorts got involved in pirating
crypto over the past 15 years. Me too, with PGP. (Hey, there are no Acts
of Contrition sought here!;-) US export controls tied the morality up in
knots for some. (Selling "security technology" designed to be insecure went
against the grain for some of us.) The allure of PGP's WoT, the unbeatable
price, and scale of PGP's interop community were well nigh irresistible --
legalities <blush> be damned.
More recently, the advent of a private sector community of crypto
mavens; the evolution of the "open source" movement; and a widespread
reaction against all proprietary code have had various pious Preachers
pumping up cross winds and sacrilegious wind shears. ['Ware the Absolute
Creeds, gentle reader.]
Surfing through all that, RSADSI learned several painful lessons
about the unwillingness of many people to honor the Law of the Land on IP.
(Other lessons taught RSADSI about the limits of its own ability to
control whatever uses were made of its technology (e.g., the freeware
RSAREF) -- whatever the language in its license claimed to permit or forbid.)
OTOH, RSA also learned that it *could* generally trust enterprises
which were investing serious money to bring their own IP-protected products
or services to market. Those OEMs usually tried to respect and safeguard
RSA's IP (e.g., the layers of subtle secure-programming tricks in BSAFE) as
they wanted others to respect their own IP.
Pockets of evil popped up all over. Hundreds of them.
OEMs, in turn, found they could trust RSADSI not to allow every
local programming shop to undercut their often-costly and time-consuming
efforts to develop a market niche and build demand for crypto enhancements
to basic program functions. Evil.
A half-billion installs. 700 OEMs. Makes me skeptical about the
Preacher who said that the End never justifies the Means.
(Heed and beware: I've been a consultant to RSA for many years.
Surely, such Demonic evil as Mr. T attributes to RSA would have had the raw
and unGawdly power to bend me to its wicc'ed ways long since.
(Which is probably why all this makes sense to me.
(Other readers of these Lists, be they sufficiently wicked or
wanton, might also find it comprehensible. The rest of you might consider a
sprinkle of holy water or sacred oils on the screen of the CRT.)
Suerte,
_Vin
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]