Digital Signature Standard

JRAMON at mvax.fmed.uam.es JRAMON at mvax.fmed.uam.es
Fri Jul 2 06:41:00 EST 1993


With respect to the problem of the Digital Signature Standard, while it
concerns mainly the USA (.gov and .people), I'd like to add some comments
of my own.

	First, I'm not too literate on encription algorithms, neither
the legal issues concerning them abroad the USA. But may this affect me,
it interests me.

>...
>Several years ago, Congress directed the NIST (National Institute of
>Standards and Technology, formerly the National Bureau of Standards)
>to choose a single digital signature algorithm as a standard for the
>US.
>
>In 1992, two algorithms were under consideration.  One had been
>developed by NIST with advice from the NSA (National Security Agency),
>which engages in electronic spying and decoding.  There was widespread
>suspicion that this algorithm had been designed to facilitate some
>sort of trickery.
>
>The fact that NIST had applied for a patent on this algorithm
>engendered additional suspicion,...

	IMHO, governments shouldn't interfere with individual rights,
but if they must guarantee them they must have the right to *some times*
***violate*** them (e.g. depriving criminals of liberty). It is the
role of the people to control the government so that it doesn't make
bad use of its powers.

	However, there still remains the moral issue of what happens
when the gov. is stronger than the people. For instance in many
underdevelopped countries *ultimately owned* by another country or
commercial company.

>...
>On June 8, NIST published a new plan which combines the worst of both
>worlds: to adopt the suspect NIST algorithm, and give PKP, Inc. an
>*exclusive* license to the patent for it.  This plan places digital
>signature use under the control of PKP through the year 2010.
>...

	And this is even more appealing. I can never trust a private
company. You can't often trust the public institutions (or politics),
but they are -in democratic countries- under your control. You can't
in any way direct the personal politics of a private party. Which is
the same to say as that you are *absolutely* in their hands and can only
relay in their *good volunteer* if such a thing can be expected from
anyone that works only for his/her own interest. And were it such good-
ness, you must take into account other third parties. Any entity
whose life is threatened by another one will use anything at its reach
to defend itself, i.e. a threatened company could chose to rise its
royalties as much as needed and charge any additional royalties it needed.

>...
> ** The following notice was published in the Federal Register, Vol.
>          58, No. 108, dated June 8, 1993 under Notices **
>
>National Institute of Standards and Technology
>
>Notice of Proposal for Grant of Exclusive Patent License
>
>This is to notify the public that the National Institute of
>Standards and Technology (NIST) intends to grant an exclusive
>world-wide license to Public Key Partners of Sunnyvale, California
 ==================
>to practice the Invention embodied in U.S. Patent Application No.
>07/738.431 and entitled "Digital Signature Algorithm."  A PCT
>application has been filed.  The rights in the invention have been
>assigned to the United States of America... 

(my underlining, some stuff deleted)

	More on the same, but now this not only affects the USA.
Since most USA standards become world standards, and since many under-
developed countries relay on US technologies, now the problem extends
to us all.

>Appendix "A"
>
>... some stuff deleted ...
>
>It is PKP's intent to make practice of the DSA royalty free for
 ============^^^^^^
>personal, noncommercial and U.S. Federal, state and local
>government use.  As explained below, only those parties who enjoy
>commercial benefit from making or selling products, or certifying
>digital signatures, will be required to pay royalties to practice
>the DSA.

	My underlining again. Aha! so all you (and maybe us) have
is a declaration of principles or intentions. Which in principle
sound quite well. But no assurance you won't get later surprises.
Let's see... Uh? Am I paranoic?...

	I remember the LZW compression algorithm issue. Wasn't too
enforced till it went a de-facto standard. Oh, and wasn't it similar
with the Backing-Store algorithm? Freely used in X-windows, which
was developed with public resources, until X became a standard -mainly
por its public accessibility-, and then after several years, the
patent comes suddenly into light! And what happened with the threats
to the Univ. of Wisconsin GCG package last summers? Wasn't it that
it was threatened because of commercial companys pressure on the
politicians or so?

>Having stated these intentions, PKP now takes this opportunity to
>publish its guidelines for granting uniform licenses to all parties
>having a commercial interest in practicing this technology:

	Well, well, all of them sound quite senseful. Do they?

>Fourth, PKP's royalty rates for the right to make or sell products,
>subject to uniform minimum fees, will be no more than 2 1/2% for
>hardware products and 5% for software, with the royalty rate
>further declining to 1% on any portion of the product price
>exceeding $1,000.  These royalty rates apply only to noninfringing
>parties and will be uniform without regard to whether the licensed
>product creates digital signatures, verifies digital signatures or
>performs both.

	Now if I want to make, say, a new program, using a few standards
for it to be useful, say I use encryption, I pay 5%, say I use X
with Backing-Store (which pays royalties), which draws an X-Or cursor
(which is also patented), and compresses the messages with LZ,
and uses a few other standard (or not) libraries... If I have to
pay 5% for each of these, I may end paying more royalties than
the cost of the final product.

	Quite senseful, isn't it? More yet since I'm not american,
and royalties could be greater, and I'd had to add import/export
royalties...

	Fine, what kind of programs can I write?

>Fifth, for the next three (3) years, all commercial services which
>certify a signature's authenticity for a fee may be operated
>royalty free.  Thereafter, all providers of such commercial
>certification services shall pay a royalty to PKP of $1.00 per
>certificate for each year the certificate is valid.

	Wow! I work in the academic world, but this sounds to me as
if a car factory using injection engines from other company were
granted a three-year use license. And each additional year *I* used
my car they had to pay an additional amount. This gets curiouser...

>Sixth, provided the foregoing royalties are paid on such products
>or services, all other practice of the DSA shall be royalty free.

	While the company doesn't decide to change politics...

>... more stuff deleted.

--------------

	Well, I can't say much for myself. If my country didn't invest
in developing these algorithms I agree I must pay. It is my duty to
enforce my politicians to fund research or else to restrict certain
patent application policies.

	But, the same holds for all of us. IMHO the solution NOW is
either to support additional research and develop a new algorithm
that could replace that standard being public, or either to try to
stop certain kinds of patent application which may derive in worst
use of public funds.

	IMHO, a gov. resource should be exploited by the gov. or 
only by a company that is it or its policies directly controlled
by the gov. I agree that govs. have right to develop their own anythings
and to exploit them.

	But I can't see any excuse for any public-dependent (i.e. non
fascist) goverment to give away -in full, in part or temporarily- all
the rights of public goodies to a private party, hence leaving the
public -which is the real owner of the good- at the hands of a private
and self-interested party.

			J. R. Valverde
		Biomedical Research Insitute
			Madrid - SPAIN

Disclaimed: the opinions depicted above are my own and only my own.
They do not necessary reflect the opinion of anyone else.




More information about the Bio-soft mailing list