On Wed, 28 Apr 1999, Dave Neuer wrote:

> Subject: Proposal -- better patent FAQ/patent-specific mailing list
> 
> With the amount of traffic on this list lately regarding patent issues, and
> the amount of confusion regarding said issues, it seems like it might be a
> good idea to set up a mailing list specifically for these questions.
> 
> In the auto-responder for the list, it could send a FAQ with more detailed
> information than is currently available on most of the sites I've seen
> related to mod_ssl/OpenSSL.  Despite the frequent discussion and the
> existing documentation from mod_ssl/OpenSSL regarding the topic, it seems
> like there is still a lot of misinformation and incomplete information
> floating around.

This is generally a good idea, except that I don't know of any lawyers on
the list.  (I just had to go through this entire question list, plus
export controls, for my work.)

> Topics that I think SHOULD be in a FAQ about this:
> 
> 1) RSAREF, and how:
>     a) though it is no longer available from RSADSI, should still be legal
> to use and even distribute for non-commercial purposes in the US
>     b) NEVER was and still isn't legal to use for commercial (i.e.
> income-generating) purposes in the US

As far as I know, RSA never revoked the license for RSAREF.
(Theoretically, they could do so, but they never have.)  Your definition
of 'commercial' needs to be looked at a bit more closely... this includes
all use by any commercial entity that is not using it solely for internal
research.  (This also means that you can't have an SSL-protected intranet
server, for example.)

I -think- it's a civil offense, btw, and not a criminal offense, but I may
be wrong.

> 2) RSADSI and how:
>     a) what they own is the patents on the RSA algorithms, inclusive of all
> implementations of them, regardless of what the source of the implementation is
>     b) the patents only apply in the US, and if you're not a government
> institution
>     c) the patents expire in September 2000

The research that Rivest, Shamir, and Adleman did was partly funded by the
US Government, so the government has its own license free and clear.
(September of 2000... sheesh.  This means it was patented in September of
1983.)

>     d) until then, you can't use ANY SSL/RSA implementation in the US
> legally (for commercial OR non-commercial purposes, correct?) unless it's
>         i) BSAFE SSL from RSADSI
>         ii) from an RSADSI licensee like C2Net (Stronghold), Covalent
> (Raven) and Red Hat (Red Hat Secure Web Server) -- subject to specific
> licensing terms (kudos to anyone who can determine precisely what can and
> can't be done with all three packages -- I know the current situation for
> Red Hat only).

Macmillan Publishing has a version of RedHat Linux 5.2 that they're
selling that includes "Apache + MOD-US-SSL".  It claims (on the front box)
to include "a one-server Advanced Cryptography License from RSA".  It also
gives a $25 discount on a certificate from Thawte.  (Note: I was never
able to find any documentation in the box about the Advanced Cryptography
License; the only proof of purchase was the box itself.)

In any case, Stronghold used to be the only game in town that could get a
Verisign certificate.  Ever since Verisign changed their rules (any Apache
+ SSLeay/OpenSSL can now get a server certificate from them), it's not the
only option anymore.  Its advantage is that it sells for a lot of
different platforms.  It can be used for any non-illegal commercial
activity (I'll double-check the license; my company still uses Stronghold
on SCO machines) in the United States and Canada, but cannot be exported
outside the US.

> 3) SSL and how:
>     a) there are cyphersuites which don't use RSA, but they are not
> browser-supported and you can't get a cert from a recognized CA for them
> (right?)

As of right now, there is no way to get a cert from a recognized CA
(specifically Verisign and Thawte) for a non-RSA cyphersuite, for the
simple reason that neither Verisign nor Thawte has (to my knowledge) any
non-RSA root keys.  More importantly, even if they do, they're not
embedded into the browsers.

(This is a side note, but I have to wonder if a condition that RSA put on
Netscape and Microsoft was that in order to get a free-distribution
license for RSA, they couldn't put non-RSA public key ciphers into their
browsers.)

> 4) the future of Public Key Cryptography standards and how:
>     a) hopefully the next IETF/ANSI/W3C/whatever-standards-body standard for
> Internet security will be unencumbered by patents (anybody have
> any idea of the status of AES?)

AES is too new to do anything with.  All submissions were unencumbered by
patents, I believe... a good source for information on AES is at
http://www.counterpane.com/, Bruce Schneier's company's site.  Counterpane
submitted Twofish as an AES candidate.

> As the comments above should make clear, even someone like myself who has
> spent a lot of time delving into this probably doesn't have all (or even
> most) of the answers -- but it would be nice to have a document to point
> people to when they ask on this list as at least half of the answers they
> get will either be incomplete, wrong or more questions.

That doesn't even -begin- to get into the export problems.  Most of those
are covered at http://cryptography.org/, however.

> I welcome any comments, corrections, clarifications, and suggestions.

(Why, oh why, can't we design some intercommunication standard between
PKCS and PGP? </whining>)

Part of the confusion is that no one has any information on what works
together.  In my case, one of my company's suppliers wanted to switch from
PGP 4 for Windows to PGP 5DH for Windows... and I had to explain to
everyone involved (which ended up being my company, one of our
subsidiaries, the supplier, and 3 other companies whom this supplier
supplied... *sigh*) why the various versions were incompatible.  That's
the main downside to cryptography -- the different methods don't work
together if there's no careful planning before implementation.

Anyway, back to the subject at hand:

Links!
http://www.rsa.com/rsalabs/faq/         The RSA Labs Cryptography FAQ
http://www.counterpane.com/             Information about AES, and
                                        the Crypto-Gram newsletter
http://www.cryptography.org/            The North American Cryptography
                                        Archives

Also, if you haven't already, I'd suggest getting onto
http://www.sixdegrees.com/ and joining the cryptography group on there.

-Mat Butler
UNIX System Administrator (night shift)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]