Yes, if people want to punish RSA take it out on their tokens business, not the conference. Targeting the conference will harm our ability to fight back against the NSA.
What I don't want to see is people suggesting that people attending the RSA conference are somehow on the side of the NSA. There are maybe a couple of hundred top-level crypto protocol designers. And we need all of them right now. The possibility that someone might have been suborned by the NSA changes nothing; we have always been aware of that as a possibility.
It's not just RSA people are proposing to boycott. Some people have proposed smashing up the IETF as well. Which is not going to help me with my attempt to make email secure. I need that infrastructure. Whether it might be compromised or not is irrelevant because any replacement is certain to be penetrated from the start.
But the reason to be concerned about the tokens is not (just) because of the NSA breach, it's because the token design is intrinsically insecure. The tokens are not based on public key cryptography, they use a symmetric scheme. That means there is no room for transparency or audit. There is no way to know if an access occurred due to malfeasance by the token provider rather than the token user.
To be honest I am a little nervous about saying 'boycott the tokens' as this can be seen as self-interested; I have already proposed an alternative back in 2011 which was in part a response to the RSA/Lockheed breach:
The draft is expired but the technology is still under active development as one of the components in the Prism-Proof email scheme I am working on. I have to provide a way to easily move keys from one device to another and that requires a confirmation type scheme. Which has to be auditable.
The protocol is open (as far as I know) but obsolete at this point since the field has now moved on to JSON and so it needs to be rejiggered.