Path: gmdzi!unido!mcsun!uunet!spool.mu.edu!snorkelwacker.mit.edu! bionet!rutgers!netnews.upenn.edu!msuinfo!news From: rior...@clvax1.cl.msu.edu (Mark Riordan) Newsgroups: sci.crypt,gnu.misc.discuss,misc.legal Subject: rpem: current status Keywords: rpem RSA patent Message-ID: <1991May20.145058.10669@msuinfo.cl.msu.edu> Date: 20 May 91 14:50:58 GMT Sender: ne...@msuinfo.cl.msu.edu Organization: Michigan State University Lines: 62 Xref: gmdzi sci.crypt:53920 gnu.misc.discuss:42719 misc.legal:66298 Let me start by thanking the scores of Internetters who have sent me messages of support and advice over the past few days. Some of the advice was contradictory, but I appreciate it all. In a nutshell, I am no longer distributing rpem, my free public key encryption/Privacy Enhanced Mail program. Michigan State University asked me to remove it from their computer, which I did around noon EDT on 17 May. I can't blame them for not wanting to get involved in a legal dispute over a project in which they have no interest. (rpem was purely a personal project.) Obviously, I could find other means of distributing rpem. However, I have decided, for now, not to do so. My motivation for the project was to provide an encryption/PEM scheme that could be used freely by all (monetarily and legally). My ends are thwarted if a murky legal cloud hangs over the project, and advice I've received over the last few days indicates that the cloud is indeed murky. The idea of rpem as an "underground" program, secretly used by a few individuals hoping to escape legal entanglements through anonymity, does not appeal to me. It's not a significant contribution to humanity, and anyway I do not wish to engage in illegal activities. Here are the options I see. They are not mutually exclusive. -- Mount a determined legal challenge to the patent. This is beyond my capabilities at the moment. With a lot of legal assistance I might be up to it. A half-hearted challenge would likely be counterproductive, as a loss in court would just make it that much harder for the next RSA challenger to win his case. And, it would be bad news for me personally. Continuing to distribute rpem without clear plans to mount a challenge to the patent would seem to be equivalent to mounting a half-hearted challenge, with the attendant poor outlook for us all. For this reason, I request that others also refrain from distributing rpem. -- Find some other public key algorithm that clearly doesn't violate any patents, and make a version of rpem that uses it. I don't know whether this is possible. Some correspondants have suggested that algorithms based on Galois arithmetic, or the McEliece-Goppa system, fit the bill. I'd be willing, even eager, to undertake such a project over the summer if I were sure that there weren't any legal problems. -- Make a version of rpem that doesn't use public key (asymmetric) cryptosystems. Privacy Enhanced Mailers of this type are allowed for in RFCs 1113-1115. However, I expect that the interest in rpem is due to the promise of free public key cryptography and not due so much to the PEM aspects per se. Without evidence to the contrary, I will not pursue this path. -- Wait to see if the rumored availability within the next few weeks of "free" RSA software to the Internet, pans out. -- Obtain a license to the RSA patent, and distribute rpem or its successor on a for-pay basis under that license in order to recoup the licensing fees. At that point, rpem might as well be converted to use RSA, for better RFC 1113 compatibility. I am skeptical that very many people would be interested in rpem under these conditions, though. Mark Riordan rior...@clvax1.cl.msu.edu