Date:      20 Feb 2000 17:23:48 -0800
From:      Joel Ray Holveck <joelh@gnu.org>
To:        "'Kris Kennaway'" <kris@FreeBSD.ORG>, freebsd-current@FreeBSD.ORG
Subject:   Re: openssl in -current
Message-ID:  <86k8jzqrfe.fsf@detlev.UUCP>
In-Reply-To: "Victor A. Salaman"'s message of "Sun, 20 Feb 2000 03:12:26 -0400"
References:  <1D45ABC754FB1E4888E508992CE97E4F059CE8@teknos.teknos.com>

> I have just read several documents from www.eff.org, www.rsa.com, and
> www.openssl.org and have failed to find anything in there, that forbids us
> from not using openssl's RSA version. RSA has a patent for the algorithm,
> and they have provided a reference implementation to help the adoption of
> the algorithm. In their license (RSAREF) it says you can't export the code
> outside USA, but the US ITAR laws don't say anything about importing. So in
> theory, if the CD was made outside the USA, then it could be imported
> without a single problem.

I'm not a lawyer.  Here's my take.

Let's consider that we are in Switzerland making the One Great CD that
I may legally use inside of the US.  (We may assume that I also may
use it outside of the US, but that's irrelevant to this discussion.)
While I use this CD, I'm using the RSA algorithm.  This is covered by
US patent 4,405,829, meaning that I have to have RSA Labs' permission
to use it.

I am now obligated to obtain their permission.  I have their
permission to use it, so long as I'm using RSAREF, and I'm using it
for non-commercial purposes.  So, we now have to use RSAREF.

However, since we're making this in Switzerland, and RSAREF originated
in the US, we (or somebody else) must have exported it from the US.

We could put a non-RSAREF algorithm on it, but then I do not have
RSA's permission to use it in the US.

This is entirely disregarding the expense of setting up a Walnut Creek
CD-ROM plant in Switzerland, or flying Jordan out of the country every
time he wants to build a new release.

> The whole RSA scheme is bogus, because anyone in the world can get an
> implementation of RSA, so it's widely accessible, so why all this
> RSAREF/non-RSAREF mumbo-jumbo?

The whole RSA scheme is not entirely bogus, at least not from a
commercial point of view.  The RSAREF/non-RSAREF scheme is the
implementation of RSA's goals within our current legal framework.

Anybody who is inside the US and using RSA for commercial purposes
must pay RSA Labs.  That is the purpose of RSA's patent.  Encouraging
R&D using RSA is the purpose of RSAREF.

Then, people outside of the US want a way to use RSA.  Because of
ITAR, they can't get at RSAREF.  So, that is the purpose of
non-RSAREF.

No doubt RSA Labs would love to be able to patent their algorithm
outside of the US and export their software, but ITAR forbids it.

> Perhaps we should send e-mail to RSA to clarify this, and in light
> of this, ask for permission to distribute RSA with the base OS. Gee,
> we can get RSA anyway, so what's the point of making it harder?

RSA is not likely to be helpful.  They cannot allow non-US users to
use RSAREF, so the best they could do would be to allow a non-RSAREF
implementation to be used in the US.  That may open them up to certain
legal problems, and doesn't gain them anything, so they are very
likely to say "go away".

> Does anyone have ANY document saying that if you are in the US you are
> obliged to use RSAREF?

Patent #4,405,829, issued 20Sep1983, available online from the horse's
mouth at http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='4,405,829'.WKU.&OS=PN/4,405,829&RS=PN/4,405,829

This means that if I'm in the US, I must have permission from RSA Labs
to use the RSA algorithm.  Now, there are two main ways to get
permission.  Either set up an agreement with RSA (and probably give
them money as part of the agreement), or use RSAREF.

Cheers,
joelh

-- 
Joel Ray Holveck - joelh@gnu.org
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped
