From owner-freebsd-security Thu Nov 14 09:18:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA19025 for security-outgoing; Thu, 14 Nov 1996 09:18:28 -0800 (PST) Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA18992 for ; Thu, 14 Nov 1996 09:17:50 -0800 (PST) Received: from [194.100.45.1] (mac.metis.clinet.fi [194.100.45.1]) by hauki.clinet.fi (8.7.6/8.6.4) with SMTP id TAA10670 for ; Thu, 14 Nov 1996 19:17:17 +0200 (EET) X-Sender: pera@pop.hut.fi. Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 14 Nov 1996 19:21:50 +0200 To: freebsd-security@freebsd.org From: petri.riihikallio@hut.fi (Petri Riihikallio) Subject: Re: Secure RPC revisited Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >I thought SSH also used diffie hellman. It seems they don't have a problem. >Exactly *where* is the patent living? If it is only in the states, we >might just install it on the internat repository? RSA claims that their Diffie-Hellman patent covers all public key algorithms. Their patent is valid only in the U.S. and Canada, since the algorithm was published before anyone understood its commercial value. You cannot patent published inventions in Europe. SSH was developed in Finland. The free Unix version was made available by FTP. DataFellows is the Finnish company trying to commercialice SSH. They have bought a licence from PKP/RSA/RSADSI to distribute commercial versions of SSH in the U.S. and Canada. There are encryption algorithms with valid patents on both sides of the Atlantic. IDEA is one. A licence for commercial use of IDEA is expensive, and that is the reason there are so few commercial products supporting PGP. The only one I know of is ViaCrypt, and they had already bought an unlimited licence before anyone had heard of PGP. To get back to the topic. It is forbidden by the U.S. export laws to export any product with hooks for a drop-in encryption engine. That is why MS Crypto API and Apple's PowerTalk security API are not fully documented. Nobody ever tried to find out whether INT13 of MS-DOS was such a hook. There are encrypted filesystem implementations available based on it. It appears to be difficult to fully obey the U.S. law when exporting any computer product. If you ask any official opinion it is probably negative just to be on the safe side. The opposite is to try your luck. With a free product that is not reasonable. The law is at fault, but it is the most constant part of this equation. The safe way to do it is to make a public version without any dummy encryption hooks. Then create a patch which adds the hooks and then the additional library. The patch and the library should live outside the U.S. Yes. It is troublesome and many potential users won't do it. But that is the exact intention of the law. Petri -- Petri.Riihikallio@hut.fi