[1233] in cryptography@c2.net mail archive


Re: Attorneys: RSA patent invalid

daemon@ATHENA.MIT.EDU (tzeruch@ceddec.com)
Tue Jul 22 23:45:18 1997

Date: Tue, 22 Jul 1997 20:36:13 -0400
From: tzeruch@ceddec.com
To: Cryptography@c2.net
In-Reply-To: <v03007802aff9b733458e@[198.115.179.81]>

On Tue, 22 Jul 1997, Vin McLellan wrote:

> 	Even today, if a company wants to implement RSA PKC as part of a
> commercial product, it might cost them, say, $200K to code it from scratch.
> If a developer can adapt the code from one of the several RSA toolkits, the cost
> might drop to one-fourth or one-fifth of that. And as the toolkit
> implementations have withstood time and the stress of integration into
> multiple apps, they became more trusted, more valuable.  To rephrase
> Lucky's bullet:
> 
> 	There is a reason why RSADSI is respected by so many players in the
> industry.

Because they shoot anyone who wants to use anything else (to continue on
the bullet riff :).  I never hear the words quality, service, or technical
excellence associated with RSA.  Only that they own the patent and have
lots of lawyers.

> Other implementations might be faster (e.g. Eric's SSLeay,) but the 
> credibility and reputation of RSA Labs adds significant commercial value to
> an end-user product -- in the eyes of both RSA's licensee, and that 
> licensee's customers, as well. 

If the only thing RSA will allow to be used in the US is something from
RSA, it then doesn't follow that people consider the software better, or
the authors more credible.  Since it cannot by law be sent outside of the
US, no one outside of the US should have had a chance to evaluate it.

Or has RSA suddenly started selling licenses so that anyone who wants to
use Phil Zimmermann's or Eric Young's implementation instead of RSAREF (or
BSafe) can do so without much expense or hassle?  Neither of these would
cost $200K to code from scratch and are peer-reviewed by the net. 

Before there was any competition Xerox could pretend that people valued
and trusted their photocopiers and nothing would happen afterward.  I have
to give Xerox credit since they can now compete on quality, but it took a
while.

Alternately if RSA is so good, does the license say that RSA will pay for
all damages arising from any flaw in the code they are providing?  Or does
RSA trust its own code less than you suggest the licensees do?  Assumed
Liability is a very good metric of assumed quality.

RSA should hope the crypto export regulations are overturned soon,
otherwise all it will have is the US with its patent for a few years,
while the rest of the world moves inexorably forward unrestricted.

