Date:      Wed, 13 Nov 1996 16:30:31 -0500 (EST)
From:      Bradley Dunn <bradley@dunn.org>
To:        Guido van Rooij <Guido.vanRooij@nl.cis.philips.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Secure RPC revisited
Message-ID:  <Pine.BSI.3.95.961113154327.302C-100000@ns2.harborcom.net>
In-Reply-To: <199611130805.JAA02443@spooky.lss.cp.philips.com>

On Wed, 13 Nov 1996, Guido van Rooij wrote:

> > The Diffie-Hellman issue is another matter. My understanding (which may
> > in fact be totally wrong) is that it's not possible to use code which
> > implements Diffie-Hellman without paying a licensing fee to RSA (or whoever
> > it is this week). But the patent in question is supposed to expire in 1997,
> > thus we bide our time, all the while plotting to overthrow the earth and
> > cackling maniacally to ourselves. (Alright, maybe it's just me.)
> > 
> 
> I thought SSH also used diffie hellman. It seems they don't have a problem.
> Exactly *where* is the patent living? If it is only in the states, we
> might just install it on the internat repository?

This is all IMHO, and IANAL, etc, etc...in other words, don't sue me
when RSA starts banging down your door. :-)

I did a little bit of research on this when I was looking into the
possibility of a free SSL-enabled HTTP server.

RSA appears to claim its patent covers all forms of public-key
cryptography and authentication. RSA licenses its patent as follows:

-Non-commercial use is free
-Commercial users must license it for a fee. See the agreement at:
http://www.rsa.com/rsa/contracts/PatLicAgree.html

From what I have heard, RSA, not surprisingly, defines commercial use
broadly and non-commercial use narrowly.

And speaking of SSH, I have not installed it on our (we are an ISP)
servers. I do not think we can without signing a license with RSA,
or buying someone's product based on SSH that is licensed from RSA. We
sell access to those servers for a fee, thus it could be construed that we
would be selling a service based on RSA-patented technology.

http://www.epm.ornl.gov/~dunigan/rsaref.txt
may also be of use. The section titled:
WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
should be a pretty good guide on the rules covering code using
Diffie-Hellman, even if the code was written without the use of RSAref.

This only applies to the US. Outside of the US RSA's patent means nothing.
Sometimes it sucks to be an American. :(

-BD



