Path: utzoo!attcan!uunet!dino!ux1.cso.uiuc.edu!brutus.cs.uiuc.edu!apple!well!rsa
From: rsa@well.UUCP (RSA Data Security)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos, standards, servers, PKE, etc...
Message-ID: <15151@well.UUCP>
Date: 21 Dec 89 22:06:34 GMT
References: <28785.630171696@tis.com>
Reply-To: rsa@well.UUCP (RSA Data Security)
Organization: Whole Earth 'Lectronic Link, Sausalito, CA
Lines: 83

The debate over the use of Kerberos vs. RSA has been interesting to observe. I feel that since so many posters have discussed what they see as the cost of RSA, this post is appropriate. Let's at least set the record straight.

What has been proposed to both CCITT and to NIST/OSI is a licensing proposal where the cost of using RSA is $2.50 per user *one time*. People are confusing the use of RSA in directory authentication with the cost of a certificate a la RFCs 1113-5, which describe the cost of obtaining a *service* (getting a public key certified, at $25 for a two-year certificate). Having a certificate for Internet Privacy Enhanced Mail has nothing (at this time) to do with X.509. All cost assumptions thus far posted are based on information that is 100% wrong.

It is not possible to address the differences between digital signatures and Kerberos for authentication here. I would simply suggest that any comparison should be made by someone who understands certificate-based key management. If someone really wants to understand what public-key is and how it can be used *and* how it compares to symmetric systems, I suggest "The First Ten Years of Public-Key Cryptography," by Whitfield Diffie. It appeared in Proceedings of the IEEE Vol. 76, No. 5, May 1988. It also may be appropriate to ask members of the IAB Privacy Task Force why they chose RSA over Kerberos (even though it costs money).

Back to X.509: Note that the $2.50 is typically paid by a vendor building a directory product. Also consider the 1988 recommendations in X.411 (many of which require digital signatures to accomplish) and the $2.50 one time seems quite reasonable. This price has not changed since our original proposal to CCITT in 1984. In the meantime, a large number of companies have licensed RSA and are introducing products that use it (Digital Equipment, Motorola, Lotus, Racal-Milgo, Fischer International, Tektronix, Simpact Associates, etc). Apparently these companies saw a reasonable way to purchase licenses to use RSA; don't knock the process if you haven't tried it. The people who complain the loudest about patents and licenses are the ones who seem to know the least about them. There's an awful lot of "hip shooting" on this subject. Anyone who wants to discuss this further can send me E-Mail.

On the "alternative" signature scheme proposed by NIST/OSI: ElGamal is a scheme that requires a license to use (it employs methods covered in the patent on exponential key exchange). Unlike RSA, there is no written guarantee of the cost of using the scheme, yet it is named in the NIST/OSI documents. There is *no* public-key cryptosystem we know of that is *not* patented. RSA is the only one we know of to actually submit licenses with defined costs so that standardization can be considered. Standards allow for the adoption of *patented* technology (proprietary is the wrong term for RSA in *this* case as used by James Galvin; no proprietary issues exist, only patent issues - also the "heated exchange" referred to was over the implications of naming the RSA algorithm in the IEEE 802.10 SILS documents and had nothing to do with proprietary/patent issues). ANSI even states that between 2% and 5% is a "reasonable" royalty for such things. Anyone genuinely interested in understanding these issues should obtain and read the related documents and publications.

Finally, the $2.50 amount *came from* CCITT and NIST/OSI. It is not even our number; it is the number the representatives on the standards committees insisted on in 1984 and again in 1989 and which we agreed to!

No, I don't think the dollar cost of RSA is the problem. The problems are (1) political and (2) mis- and disinformation (our main competitors are apathy and ignorance). While organizations in Europe openly adopt and endorse public-key such as RSA (EFTPOS UK, with an endorsement of RSA by the NPL, or National Physical Laboratory), our own government has been strangely silent in the area of public-key while they seem at the same time to be the largest user. Also, the computer security budget of NIST has been cut by over 3 million dollars. Is electronic privacy and authentication for the most automated society on earth so unimportant that Congress (or those advising them) feels compelled to cut the equivalent of 6 minutes of the annual Defense budget from it?

Jim Bidzos, President
RSA Data Security, Inc.

PS: It may be appropriate to have a newsgroup on X.509 and/or the Internet RFCs.