From owner-freebsd-current Tue Feb 22 13:27:10 2000
To: "'Kris Kennaway'", freebsd-current@FreeBSD.ORG
Subject: Re: openssl in -current
References: <1D45ABC754FB1E4888E508992CE97E4F059CE8@teknos.teknos.com>
From: Joel Ray Holveck
Date: 20 Feb 2000 17:23:48 -0800
In-Reply-To: "Victor A. Salaman"'s message of "Sun, 20 Feb 2000 03:12:26 -0400"
Message-ID: <86k8jzqrfe.fsf@detlev.UUCP>

> I have just read several documents from www.eff.org, www.rsa.com, and
> www.openssl.org and have failed to find anything in there, that forbids us
> from not using openssl's RSA version. RSA has a patent for the algorithm,
> and they have provided a reference implementation to help the adoption of
> the algorithm. In their license (RSAREF) it says you can't export the code
> outside USA, but the US ITAR laws don't say anything about importing. So in
> theory, if the CD was made outside the USA, then it could be imported
> without a single problem.

I'm not a lawyer. Here's my take.

Let's consider that we are in Switzerland making the One Great CD that
I may legally use inside of the US.
(We may assume that I also may use it outside of the US, but that's
irrelevant to this discussion.)

While I use this CD, I'm using the RSA algorithm. This is covered by
US patent 4,405,829, meaning that I have to have RSA Labs' permission
to use it. I am now obligated to obtain their permission.

I have their permission to use it, so long as I'm using RSAREF, and
I'm using it for non-commercial purposes. So, we now have to use
RSAREF.

However, since we're making this in Switzerland, and RSAREF originated
in the US, we (or somebody else) must have exported it from the US.

We could put a non-RSAREF algorithm on it, but then I do not have
RSA's permission to use it in the US.

This is entirely disregarding the expense of setting up a Walnut Creek
CD-ROM plant in Switzerland, or flying Jordan out of the country every
time he wants to build a new release.

> The whole RSA scheme is bogus, because anyone in the world can get an
> implementation of RSA, so it's widely accessible, so why all this
> RSAREF/non-RSAREF mumbo-jumbo?

The whole RSA scheme is not entirely bogus, at least not from a
commercial point of view. The RSAREF/non-RSAREF scheme is the
implementation of RSA's goals within our current legal framework.

Anybody who is inside the US and using RSA for commercial purposes
must pay RSA Labs. That is the purpose of RSA's patent.

Encouraging R&D using RSA is the purpose of RSAREF.

Then, people outside of the US want a way to use RSA. Because of
ITAR, they can't get at RSAREF. So, that is the purpose of
non-RSAREF.

No doubt RSA Labs would love to be able to patent their algorithm
outside of the US and export their software, but ITAR forbids it.

> Perhaps we should send e-mail to RSA to clarify this, and in light
> of this, ask for permission to distribute RSA with the base OS. Gee,
> we can get RSA anyway, so what's the point on making harder?

RSA is not likely to be helpful.
They cannot allow non-US users to use RSAREF, so the best they could
do would be to allow a non-RSAREF implementation to be used in the US.
That may open them up to certain legal problems, and doesn't gain them
anything, so they are very likely to say "go away".

> Does anyone have ANY document saying that if you are in the US you are
> obliged to use RSAREF?

Patent #4,405,829, issued 20Sep1983, available online from the horse's
mouth at
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='4,405,829'.WKU.&OS=PN/4,405,829&RS=PN/4,405,829

This means that if I'm in the US, I must have permission from RSA Labs
to use the RSA algorithm.

Now, there are two main ways to get permission. Either set up an
agreement with RSA (and probably give them money as part of the
agreement), or use RSAREF.

Cheers,
joelh

--
Joel Ray Holveck - joelh@gnu.org
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped