[I felt I had to forward this on since I forwarded the first one. I'd
really rather we avoid the entire RSADSI as angel/satan debate here in
the future, though. --Perry]

        Russell Nelson, President of Crynwr Software,  a prominent Internet
activist, and a leading Open Source advocate,  rewrote the recent blurb
which announced that Security Dynamics Technologies Inc.  (SDTI), and its
subsidiary RSA Data Security Inc. (RSADSI), have merged into a new entity,
RSA Security, Inc. <www.RSAsecurity.com>.  

        Mr. Nelson turned this into a very funny screed which he posted to
the Cryptography mailing list <[EMAIL PROTECTED]> in the US.   He began:  

>The September 13th InfoWorld has an advertisement by RSA Security.  If
>you squint your eyes up real tight, and read between the lines, it
>reads like this:
>
>
>                       Our patents are running out.
>                       Please don't forget
>                       who invented this stuff.
>
>
>       RSA Security

        Truth is, I've seldom seen the demonology of RSA so deftly
encapsulated. This is hilarious!!! (See Nelson's full text below.)

        That Mr. Nelson is the appointed Czar for the Computer Newsgroups
under Usenet II only adds to the multiple layers of irony.  ROTFL!!!! 

        When a publicly-traded firm renames itself,  the announcement is
broadcast in all directions and predictably cast in immodest language that
begs for satire.  The announcement that SDTI and  RSADSI had been merged
into RSA Security was par for the genre, but Mr. Nelson over-reached
himself.  Nelson's satire twists in upon itself, like a dramatic monologue,
to inadvertently capture the writer's own Voice as its object.  

         Ron Rivest with horns and a tail.  Jim Bidzos as Lucifer himself.
This is the Lilliputian view of American Cryptography (with nary a trace of
awareness that Gulliver had to deal with a whole hungry food chain  above
and around him.) 

        Of course, Nelson got the whole thing upside down; with the wrong
company, RSADSI, buying the other, SDTI -- but that's about par too;-) 

        RSA as Goliath. MIT's US patent on the RSA public key cryptosystem
as the giant's tree-trunk war club.  RSADSI squeezing every cent from the
poor little American corporations which wanted to license RSA's PKC.  RSA as
Croesus.  Bilked billions stacked from floor to ceiling in some backroom at
RSA Labs.

        In 1996 (as most Usenet crypto mavens know,) it was SDTI -- which
made its money selling three or four million of those little SecurID tokens
and ACE authentication servers -- that plunked down some $350M  for the
talent, the crypto, the credibility, and the brand awareness associated with
the name of RSA.    

        RSADSI brought with it a substantial legacy, even aside from the RSA
public key cryptosystem:  MD4, MD5, RC2, RC4 (and eventually RC5 and RC6) --
as well as the archive of RSA Labs-crafted cryptographic implementation
standards (PKCS 1, 3, 5, 6, 7, 8, 9, 10, 11, 12, 13, and the nascent PKCS
15,) plus a few odds and ends like SET,  S/MIME, and a half-dozen similar
RSA-based protocols.  See:
<www.rsasecurity.com/standards/protocols/protocols_table.html> 

        Unfortunately, RSA was not the Titan of wealth and power Nelson
supposed it was when SDTI purchased it -- except, perhaps, in the eyes of
those who wanted to exploit what RSA had created free, or cheaply.  (I say
"unfortunately," because if RSA's PKC or an alternative public key system
had been widely adopted, much of the recent furor about Critical
Infrastructure Protection, FBI cybercops, and the militarization of network
security, in the US and elsewhere, might be unnecessary.) 

        In 1996, after 15 years in business, RSADSI revenues had just peaked
at $30M.  Even with the Internet's booming demand for crypto, third-party
estimates suggest RSA revenues probably don't top $50M today.  What's that?
Maybe the prize money for a championship boxing match, or a couple of months
sales of Pokemon monster cards among the little tikes.   

>      As a combined company, we are the premier  monopoly in e-security 
>     -- at least until our patents run out.                    
  
        For a little perspective:  consider that most people _have_ had a
choice in public-key cryptography, with the option of Diffie-Hellman from
Cylink and NIST's Digital Signature Algorithm (DSA).  

        As the industry is well aware, the  development of the DSA was
directly funded by the NSA as part of the NSA's decade-long campaign to
block the widespread adoption of RSA's PKC, and/or to control RSADSI -- but
chance or politics might well have left RSADSI as the second-place finisher.

          (The IETF, ANSI, and the ISO were largely irrelevant as OEMs tried
to decide how to cryptographically secure their  products.  For decades, the
US and international standards-generating organizations  had been blatantly
subverted by the NSA and its allied intelligence agencies.  The standards
process was twisted to minimize the quality of the security technology on
the market --  the better to keep commercial IT products weak or broken --
so as to maximize the vulnerability of all to the NSA's infowar techniques.)

         Arguably, the US Government's campaign against RSA gave the company
some back-handed advantage.  With the standards process corrupted,  the
computer and communications firms in the US and around the world chose to
design the future of e-commerce and PKC-enabled network security around the
PKCS series of proprietary standards developed by RSA Labs and RSA's major
OEM customers.  See: <http://www.rsasecurity.com/rsalabs/pkcs/>

> They haven't had any other choice, and neither do you.

        Netscape surely could have built SSL around D-H and the DSA -- even
as the IETF's version of  TLS, IPsec, SSH, and S/MIME,  mandate them today.

        Even someone less biased than I -- and as a consultant to SDTI for
years, I am admittedly biased -- might ask: how then, if alternatives exist,
did RSA public-key cryptography become so widely adopted throughout US
industry?  

>  We know you have almost no idea who we  are, but you should.

        Mr. Nelson is one of the multitude who argue that RSA Security
should not be permitted to hold any proprietary claim to the label "RSA" as
a trademark, just because it is also the name of the RSA cryptosystem (a
mathematical construction no less than a patented process for secure key
exchange among parties who have had no previous contact.)  Mr. Nelson
insists that RSA Security is trying to create an RSA brand
identification that does not now exist.
  
> Now that we have to persuade you to purchase from us, we're now trying
> to  build a brand name before it's too late. 

        There are doubtless legitimate issues about the context in which RSA
Security can or can't claim an "RSA" trademark, but I think anyone who
believes that corporate RSA will not be able to use "RSA" to distinguish
itself for potential buyers as the firm which developed the PKCS and other
once-proprietary RSA crypto standards, and invented all these RSA-brand
cryptosystems, is both smoking and inhaling illicit weed.  

        If RSA's corporate and commercial identity were as negligible today
as Mr. Nelson believes, you've got to wonder about a few questions:

        Why are so many top US financial institutions buying RSA's 3DES code
today?  Why, for that matter, have RSA's implementations of simple DES (from
RSA-Japan) been sold at a premium throughout Asia for years?  

        Why is RSA-branded implementation code -- of DES, 3DES, and  elliptic
curve crypto, as well as the RSA family of algorithms -- in such demand in
both the US and overseas? 

        Why did Baltimore Tech's founder flip out and denounce RSA's PKC as
a secret stolen from the British GCHQ... shortly after RSA-Australia began
shipping Eric Young's new SSL implementation code under the RSA brand name
in the international market?   (Young's BSAFE SSL-C was the first challenge
from RSADSI to Baltimore and other non-American vendors which have sold
full-strength RSA PKC for years.) 

        Why did Intel license RSA's toolkits and  implementation code early
this year -- when, given the vagaries of US government policy,  Intel
probably won't ship any RSA-patented crypto embedded in Intel microchips
until long after MIT's RSA patent is lapsed? 

        Why was Checkpoint -- the Israeli firm which dominates the world
firewall market; a market-savvy firm rooted in a society with more
cryptographers per thousand than any other -- so eager to buy the right to
use the RSA brand name, as well as the RSA implementation code, for their
international products? 

        I concede there are multiple answers to all these questions (and
guaranteed compatibility with  installed RSA crypto is a major factor in
most), but I also suggest that RSA Security and RSA-branded craftsmanship in
crypto have  earned widespread trust and commercial credibility in the years
RSADSI maintained its stewardship of  MIT's RSA patent... and that this
reputation  extends far beyond the US market to which corporate RSA was,
until very recently, largely restricted by the US government.  

        When you come down to it, the only real product in the cryptography
business is Trust.  

        Anyone (other than a few of my Canadian friends;-) want to bet that
RSA Security will _not_ be a major player -- if not the dominant player --
among the vendors providing, say, elliptic curve  implementation code to OEM
product developers... five years from now?  

        RSA's Keon PKI products -- RSA in the "retail" market, if you will
-- is a new thing, and no one can yet tell how that venture will turn out;
but Security Dynamics has had a little experience providing mission critical
products to the enterprise market over the years.

        Suerte,

                        _Vin

----------- in response to -----------------------

    Russell Nelson <[EMAIL PROTECTED]>, president of Crynwr Software, and
the Czar for the multiple Computer Newsgroups in Usenet II, rewrote the
announcement that SDTI and its subsidiary, RSADSI, have merged into "RSA
Security" to read:

> For almost two decades, businesses have had no choice but to purchase
> public-key cryptography from RSA Data Security.  Because we've gotten
> so much money, we've purchased another company, Security Dynamics
> Technologies, Inc.  Today, the companies have unified under one name,
> RSA Security, Inc.  Our new name and look reflects our desperate
> desire for you to continue to purchase products from us, even after
> our patents run out.  We know you have almost no idea who we are, but
> you should.  Chances are pretty close to 100% you've had to rely on
> one or more of our products to purchase something over the Internet,
> securely send email, safely connect to your network, or do your
> banking online.  As a combined company, we are the premier monopoly
> in e-security -- at least until our patents run out.
>
> More than 450 million copies of our RSA BSAFE(r) encryption
> technology are installed in today's most successful applications and
> devices.  And why shouldn't it be that way?  All other software is
> illegal, and we like it like that.  To try to keep you using our
> software, we have a new RSA Keon(tm) product line, providing
> companies with a complete digital certificate system, known as "PKI,"
> to enable and manage security for e-commerce applications.  Thousands
> of customers have chosen RSA Security, including Cisco, Compaq,
> Ericsson, Fidelity, IBM, and Lucent.  They haven't had any other
> choice, and neither do you.  Now that we have to persuade you to
> purchase from us, we're now trying to build a brand name before it's
> too late.  To learn how we might serve your e-security needs, please
> visit us at www.rsasecurity.com, or contact us at [EMAIL PROTECTED]
> or 1-877-RSA-4900
>
>       
>       Your Only Choice in e-Security
>
>
>-- 
         --------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good
and ill... yet basically an intellectual construct, an idea, which by its 
nature will resist efforts to restrict it to bureaucrats and others who deem
only themselves worthy of such Privilege."  
                  _A Thinking Man's Creed for Crypto  _vbm
                     
     *    Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>    *
