
CommonLine use of 4.0 toolkit: Draft to NAI Please review immediately




This is a letter to Rich Hornstein, NAI VP of legal.  Please review.  I would 
like to send it by beginning of working day pacific time.
Scott

Mr. Hornstein
I am writing on behalf of the CommonLine Electronic Exchange Subcommittee to 
express my shock and dismay upon hearing you will possibly withdraw your offer 
to sell the 4.0 toolkit.  This places us in a very bad position, as many 
schools and guarantors have already done extensive work to release products 
using the RSA algorithm.   Over the course of the winter during your merger, 
our dealings with PGP/NAI became very problematic due to poor internal 
communication among NAI/PGP.  This was bad enough.  But now, after we have 
proceeded assiduously and in good faith toward final closure of a deal, this 
presents a much larger problem.  You must understand, this is not only costing 
ten to twenty student loan guaranty agencies as much as six months of 
development time.  At this late date, it jeopardizes student loan processing 
nationwide. We are hoping, therefore, the information we received that you have 
withdrawn this offer is unfounded, or if it is true, that the decision can be 
revisited and reversed.

Should this be true, we would be left with meager options, as we move toward 
the summer when a very high volume of applications come in for fall semester 
loans.  CompuServe/AOL wants to move its users from their proprietary mail 
system and does not at this point guaranty continued service on that system. We 
set up procedures in a timely fashion to migrate users to POP3 and included 
specifications therein for encryption and authentication through the use of 
PGP.  We have delayed our migration first because of members' inability to 
negotiate contracts with your representatives over the course of January and 
February, and now because we are attempting to complete the purchase on the 
offer that was extended to us.  Should you withdraw the offer, we would be left 
with very high exposure to disruption of service.

In our use of PGP, we need an algorithm that allows compatibility across our 
entire group of colleges, lenders, and guarantors.  Mutual compatibility is 
essential because of the many-to-many nature of the communications.   RSA and 
Diffie-Hellman are mutually incompatible, however, and you have not provided 
the necessary "bridge" technology.   The most recent release of the development 
toolset (the SDK) does not support RSA, only Diffie-Hellman, and Diffie-Hellman 
is not available for 16-bit end-use or development. Our options are determined 
by the lowest common denominator.   Since many SBS products are still 16-bit 
Windows, our entire network must settle on an algorithm that is available to 
that platform and compatible with the rest.

By waiting until now to inform us, you have left us in a vulnerable position, 
as we are running out of time.  After the problems experienced directly 
following the merger, we were prepared to look elsewhere for encryption 
technology when there was still sufficient time to do so.  But, because of the 
very attractive offer extended by Brian Jackman, we chose to stay with NAI. 
 The offer included software and licensing for the toolkit and the 
corresponding end-user software along with technical support of sufficient 
duration to allow a transition to 32-bit Windows after the peak processing 
period.   Now, having waited this long, we have run out of effective 
alternatives.  We cannot count on the continued availability of the existing 
proprietary CompuServe system.

CommonLine is a standards-setting body under the auspices of National Council 
of Higher Education Loan Programs (NCHELP www.nchelp.org).  Its members include 
guaranty agencies, secondary markets, lenders, servicers, collection agencies, 
schools, and other organizations involved in the administration of the Federal 
Family Education Loan Program.    Members include USA Group, Edfund, SLMA, 
Nellie Mae, AFSA,  The Access Group, TGSLC, PHEAA, Great Lakes, NYHESC, 
Citibank Student Loan Corp, Signet Bank, Penn State, US Bank, Bank One, UC 
Berkeley, to name but a few.

Should we use PGP software as we had planned, NAI would enjoy high visibility 
as part of a national standard in an attractive market niche intersecting 
higher education, finance, and the Department of Education.   This would be 
widely publicized and provide ready entree into lending institutions and the 
administrative branch of colleges and universities.  Should we be denied its 
use,  we would need to explain our situation in terms of our negative 
experiences with NAI this winter and spring.   This is something I am sure you 
would not want associated with your company.

I hope we can continue with the offer as Brian framed it to us in February.  We 
have been awaiting resolution from NAI on the specifics of tech support and 
licensing.  On our side, we have been pursuing negotiations very aggressively. 
 Our team met with Dave Tauber (of NAI legal) and Brian Jackman on Friday 3/20 
to develop a common OEM agreement that all agencies could agree to.  We have 
been working hard to craft this document.  In fact Dave sent me material for 
this today after we heard about the withdrawal!  We have circulated a letter of 
intent form for all participating lenders, guarantors, and schools to fill out 
to specify the purchases they will make when the license terms are complete.

Please review the issues and respond immediately.

Scott Fullerton
Chair CommonLine Electronic Exchange Subcommittee
608.246.1779
sfullerton@glhec.org