Re: Is it legal?
Richard Pyne [EMAIL PROTECTED] wrote:

> What most of you seem to be forgetting is the simple fact that the vast majority of work done by R, S and A that led to their patent was at a public (i.e. taxpayer funded) institution with a taxpayer funded research grant. I find it very hard to believe that anyone should "own" the results of that research other than those that paid the bills, i.e. the public. The laws on copyrights and patents have long held that whoever pays the bills owns the work. U.

1. Most Americans, at least, know that MIT (the Massachusetts Institute of Technology) is a private higher-education institution.

2. Of the three MIT junior instructors who -- as an answer to the conundrum posed by Diffie and Hellman; a problem that was then probably being considered by thousands of other researchers as well -- invented the RSA public key cryptosystem in '77, only Ron Rivest had received a research grant (to study algorithms, not crypto, not the D-H question) from the US government.

3. Len Adleman and Adi Shamir did not receive any federal funds. Shamir not only did not receive federal funds; he was not even an American. (Bright people come in all shapes, colors, and nationalities.) The US government owned neither the people nor institution -- nor had it "paid the bills" for the brainstorming that resulted in RSApkc.

4. In the initial RSA publication, and in MIT's belated patent application -- belated because this was a pioneering use of the patent process: describing the function of the algorithm in process terms as a key-exchange function for a communications system -- Rivest did note that he had received support from a US research grant.

5. US agencies -- just because of that long-ago grant to young Rivest -- have always had royalty-free rights to use the RSApkc patented by MIT. (RSADSI, founded by the three inventors, was subsequently licensed by MIT to develop and exploit the patent.)

6. Using process terms to describe a digital communications function was an innovative way to claim the algorithm in the patent, but why should anything which can be described in an algorithm (the electron flow of an electrical current?) be barred from a patent... when it is novel, not obvious, and fits a perceived need as neatly as the right filament and a vacuum did in Edison's electric lightbulb?

7. Although it is only tangential to the RSApkc patent, US policy and practice -- at least since the post-war push into applied research -- has indeed been to let the recipients of federal research grants file for patents on discoveries made in the course of that research. While I'm sure the alternatives have been discussed and advocated, current US policy seems to presume that this is the most effective way to let a new technology attract the capital usually required to develop it and push it into the marketplace where the citizen can benefit from it. (Most patented technology sits on a shelf, undeveloped, unused.)

9. The fact that the US government has the right to freely use the RSApkc does not automatically confer upon every US citizen either a right of access or a share of the royalties (although this is a fabulous conceit.) A gift, grant, or even a tax return given or submitted to the US government does not automatically become shared property, available to any US citizen.

Leland V. Lammert [EMAIL PROTECTED] asked a couple questions.

> I also believe in SW patents, .. but the current farce with RSA, even you have to admit, is stupid! Why cannot developers purchase a license (I do not call $100,000 a license fee for ANYONE)? Why has RSA abandoned RSAREF?

1. People who own something (and a patent is a property ownership grant) don't have to let anyone, who demands access to it, actually get direct access to it.

2. RSAPKC was a freeware reference implementation and toolkit made available by RSADSI in source. It was intended to let academics and corporate researchers play with the technology and get familiar with it. By the terms of the RSAREF license, users could only access the underlying crypto algorithms through the interface built into the RSAREF package. That interface was limited, and did not, and does not, permit RSAREF to be used to support SSL.

3. IMNSHO, RSADSI stopped supporting RSAREFv2 because it found that it could not control or manage the actions of RSAREF licencees to guarantee that its patented process (or even its own free code) would not be used to undercut the 600-odd commercial OEMs which have always provided its lifeblood revenue.

4. While this restriction has (temporarily;-) inconvenienced creative programmers who want to use RSAPKC or their own implementation of RSApkc in some local application -- or some commercial profit-making product -- it has proven remarkably successful in pushing the technology through the OEM
Checking client IP address in certificate
Is there a way to make Apache with SSL (either Apache+SSL, or mod_ssl, or ...) check either the X509v3 Subject Alternative Name of type IP Address or the Subject unstructuredAddress against the client IP address? I guess that this is an OpenSSL configuration thing.

--
Karsten Spang
Senior Software Developer, Ph.D.
Belle Systems A/S
Tel.: +45 59 44 25 00
Fax.: +45 59 44 25 88
E-mail: [EMAIL PROTECTED]
Web: http://www.bellesystems.com/
Defining the Future of IP Services

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
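The comparison asked about above, sketched at application level as an added example; it is not part of the original post and is not an Apache, mod_ssl or OpenSSL configuration option. It assumes the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()` for an already validated client certificate and covers only the iPAddress Subject Alternative Name case; the sample certificate and addresses are constructed.

```python
import ipaddress


def _canon(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def san_ip_addresses(peercert):
    """Collect the iPAddress SAN entries of a getpeercert()-style dict."""
    found = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue  # DNS, email and URI entries are not addresses
        try:
            found.add(_canon(value))
        except ValueError:
            continue  # malformed entry: skip it, never count it as a match
    return found


def client_ip_matches_cert(peercert, client_ip):
    """True only if the connecting address is listed as an iPAddress SAN.

    client_ip must be the socket peer address as seen by the server, not a
    value taken from a forwarded header, and the certificate chain must
    already have been verified by the TLS layer.
    """
    if not peercert:
        return False  # no client certificate was presented
    try:
        peer = _canon(client_ip)
    except ValueError:
        return False
    return peer in san_ip_addresses(peercert)


# Constructed sample in the shape getpeercert() returns (documentation ranges).
SAMPLE_CERT = {
    "subject": ((("commonName", "client01.example.test"),),),
    "subjectAltName": (
        ("DNS", "client01.example.test"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:10"),
        ("IP Address", "not-an-ip"),
    ),
}

if __name__ == "__main__":
    for addr in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::10", "192.0.2.11"):
        print(addr, client_ip_matches_cert(SAMPLE_CERT, addr))
```

A client behind NAT or a proxy will fail this check even with a valid certificate, since the server sees the translated address.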
Re: Is it legal?
Vin McLellan wrote:

> > I also believe in SW patents, .. but the current farce with RSA, even you have to admit, is stupid! Why cannot developers purchase a license (I do not call $100,000 a license fee for ANYONE)? Why has RSA abandoned RSAREF?
>
> 1. People who own something (and a patent is a property ownership grant) don't have to let anyone, who demands access to it, actually get direct access to it.

Permit me to quote from RFC 2246 (TLS):

   The Internet Standards Process as defined in RFC 2026 requests that a statement be obtained from a Patent holder indicating that a license will be made available to applicants under reasonable terms and conditions.

Cheers,

Ben.

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm

http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
Re: Is it legal?
On Mon, 27 Dec 1999, Dan O'Reilly wrote:

> Why is it stupid? Maybe usury, but surely they have a right to charge what they want for their products, don't they? The thing that kills me about this whole "free software" thing is that people seem to expect me, as a business owner, to invest literally hundreds of thousands (or even millions) of $$$ to develop software, betting my company on it, then give it away just because people don't want to pay. Where's the incentive, then, to develop quality software, if people are to force you to give it up with no hope of recovering your development costs?

I don't know about other people but I certainly don't expect that. I view open source as being more akin to the stone soup model of development. Everyone contributes pieces and someone integrates it into the whole.

For example, I'm developing significant IP behind speech driven programming techniques. Programmers that haven't been injured (and some that are) are helping me implement the IP. We all contribute something and we can all benefit from the whole. I'm giving all my IP away because a good speech user interface is too important for any one company to play "dog in the manger". We're giving away the code again because it's the right thing to do.

From the economic side, if you're looking at solely recovering development costs, there are other models. For example, customers could pay for "their share" of the development costs or they could pay for specific bug fixes if they needed that fix done now. Auction techniques could be used to determine what feature should be added for the next release. If you don't like auctions, you can use the PBS begging model. One can sell additional services (support, consulting, training, etc.) to pay for essential development as well.

When you leverage to product development off of existing code bases or Toolkits, you'll find your costs of development drop significantly. If you're forced to recreate or re-implement useful tools, development costs go through the roof.

> The other argument, that of "it's just mathematical equations", is equally as farcical. Books are just collections of words, yet people copyright them. Surely words should be in the public domain, right? If it's that easy, then expend your own resources and write your own algorithms. If you build a better mousetrap...

Not exactly. Using your analogy, if books are just collections of words, what would a world be like if people patented books. There'd be a single author for mysteries, science-fiction, technical books, etc. and they can use patents to keep other authors from expressing their views and publishing their books.

If on the other hand you truly believe that patents are appropriate to protecting software, you might consider doing a patent search if you use linked lists in your code. You're probably in violation of one of the over 400 patents featuring linked lists. Check the IBM patent search engine. Try looking up your favorite data structure there.

> Now, I'm not saying a $100k fee is fair, by any stretch of the imagination. But by the same token, it *IS* their software to license. Just because someone thinks it should be free, isn't any kind of a good reason to MAKE it free.

Understood and I can even agree somewhat. The problem with software and business process patents is that they are usually based on prior art, too broad and are used to create monopolies.

--- eric

Eric S. Johansson [EMAIL PROTECTED] [EMAIL PROTECTED]
This message was composed almost entirely using NaturallySpeaking
Re: Is it legal?
Dan O'Reilly wrote:

> (...) Caveat emptor: this is going to continue my unpopular thoughts on this subject, but I have the right to make my feelings known as well.

I also think strongly that you have the right to tell us your opinions.

> (...) The thing that kills me about this whole "free software" thing is that people seem to expect me, as a business owner, to invest literally hundreds of thousands (or even millions) of $$$ to develop software, betting my company on it, then give it away just because people don't want to pay. Where's the incentive, then, to develop quality software, if people are to force you to give it up with no hope of recovering your development costs?

We do not say that companies must leave their source for free, you are right in this, but your interpretation of free source software is really unusual. I think that copyright and a *VERY SELDOM* patenting policy could supply our needs. I say 'our' because I am also a developer. I know how expensive it is to write quality sw and how free source can help me in reaching this. You also forget to mention who, for personal reasons, prefers to make his/her source public. We want to let both business companies and free developers continue to exist and continue to sell their products. A free-source based business is possible today, and the word 'free' doesn't mean 'no-cost', but just 'public'. I can sell an open program to someone, adding my 'plus valore' on it. With the actual patenting practice this shouldn't be possible anymore.

> The other argument, that of "it's just mathematical equations", is equally as farcical. Books are just collections of words, yet people copyright them.

It is not farcical and your example does not apply. In fact COPYRIGHT is a totally different thing and words are just similar to language-instructions. Imagine you want to do a movie where one guy must sing in the rain, and that you cannot do it because it's claimed by a patent registered for the famous "singing in the rain"... Intellectual property is a fragile topic. It is not right to solve it your way.

> Surely words should be in the public domain, right? If it's that easy, then expend your own resources and write your own algorithms. If you build a better mousetrap...

I don't feel free in trying to build it better: I could be sued.

--
free source for free understanding
Re: New Server Certificate
At 05:48 PM 12/27/99 , you wrote:

> Hi
>
> I have downloaded and installed openssl-0.9.4. It created its own server certificate to test with which worked fine. I have now purchased a new digital ID and certificate from Verisign, but I cannot figure out how to install the new certificate. I am using Apache 1.3.9. Can someone help me install my new certificate? Thanks in advance for all of your help!
>
> Darrin. [EMAIL PROTECTED]

Darrin,

You must start with an SSL-enabled version of Apache (i.e. www.modssl.org or www.apachessl.org). You then specify the location of the CERT in the httpsd.conf file.

BTW - Verisign SHOULD have FAQs and docs for this process, .. you might want to contact them also.

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist
Omnitec Corporation
Network/Internet Consultants
www.omnitec.net
Re: Is it legal?
At 12:06 PM 12/28/99 +, Ben Laurie wrote:

> Vin McLellan wrote:
>
> > > I also believe in SW patents, .. but the current farce with RSA, even you have to admit, is stupid! Why cannot developers purchase a license (I do not call $100,000 a license fee for ANYONE)? Why has RSA abandoned RSAREF?
> >
> > 1. People who own something (and a patent is a property ownership grant) don't have to let anyone, who demands access to it, actually get direct access to it.
>
> Permit me to quote from RFC 2246 (TLS):
>
>    The Internet Standards Process as defined in RFC 2026 requests that a statement be obtained from a Patent holder indicating that a license will be made available to applicants under reasonable terms and conditions.

So? What does this prove? "Reasonable" is terribly subjective, and is really a terrible word to use when defining something like this for that very reason, simply because it's so imprecise. "Reasonable" to most posters I've seen on this list would be "zero dollars" or "$10", something like that. "Reasonable" to RSA is $100k. Now define what "reasonable" really is, and get a consensus answer from EVERYBODY, including RSA...ain't gonna happen...

--
Dan O'Reilly
Principal Engineer
Process Software Corporation
http://www.process.com

"Time flies like an arrow. Fruit flies like a banana." -- Groucho Marx
Re: Is it legal?
Michael Robinson wrote:

> ftp://ftp.isi.edu/in-notes/rfc1170.txt
>
> Among other bits of unfounded assertion:
>
>    These patents cover all known methods of practicing the art of Public Key, including the variations collectively known as El Gamal.

This has been a matter of some debate among the experts.

--
QUI ME AMET, CANEM MEUM ETIAM AMET
Re: Is it legal?
Ben Laurie wrote:

> Permit me to quote from RFC 2246 (TLS):
>
>    The Internet Standards Process as defined in RFC 2026 requests that a statement be obtained from a Patent holder indicating that a license will be made available to applicants under reasonable terms and conditions.

An excellent example of the wry, understated humor we've come to expect from the English.

--
QUI ME AMET, CANEM MEUM ETIAM AMET
Re: Is it legal?
Vin McLellan wrote:

> 3. IMNSHO, RSADSI stopped supporting RSAREFv2 because it found that it could not control or manage the actions of RSAREF licencees to guarantee that its patented process (or even its own free code) would not be used to undercut the 600-odd commercial OEMs which have always provided its lifeblood revenue.

It is interesting to note that RSADSI (now RSA Security) never lived up to its obligations under the license grant offered under the terms provided with RSAREF -- probably a disconnect between the RSA Laboratories folks, who are "good guys" (I have nothing but respect for Burt Kaliski, Bob Silverman, Matt Robshaw, et al.) and RSADSI (not always the best and the brightest).

Just so I can do this once and for all, here's a point-by-point trashing of the RSAREF license grant:

   1. RSAREF is free for personal or corporate use under the following conditions:

      o RSAREF, RSAREF applications, and services based on RSAREF applications may not be sold.

      o You must give RSA the source code of any free RSAREF application you plan to distribute or deploy within your company. RSA will make these applications available to the public, free of charge.

Other than RIPEM, has RSA done this?

   2. RSAREF applications and services based on RSAREF applications may be sold under the following conditions:

      o You must sign and return the RSAREF Commercial License Agreement to RSA (call RSA for a copy of this agreement).

      Remember, RSAREF is an unsupported toolkit. If you are building an application to sell, you should consider using fully supported libraries like RSA's BSAFE or TIPEM SDK's.

There is not, nor has there ever been, any such thing as the "RSAREF Commercial License Agreement." Feel free to call RSA for a copy. I encourage you to do so. Call early and often.

   3. RSAREF applications and services based on RSAREF applications may be "sharewared" under the following conditions:

      o Shareware authors do not need to sign a separate agreement with RSA, provided that their per-copy asking price is less than $50 and total RSAREF application revenue is less than $10,000 annually. Otherwise, shareware authors must sign and return the RSAREF Commercial License Agreement.

Have any shareware authors discovered an "RSAREF Commercial License Agreement?"

   5. You can modify RSAREF to port it to other platforms, or to improve its performance, as long as you give a copy of the resulting source code to RSA. Other changes to the RSAREF code require written consent from RSA.

In my several fruitless discussions with RSA's corporate counsel and some marketing rube, they repeatedly asserted that patches such as the recent security patches violate the agreement. Of course, neither of them had seen the agreement, and didn't have a copy of it in front of them. Improving its performance is clearly permitted.

   6. You can't send or transmit (or cause to be transmitted) RSAREF outside the United States or Canada, or give it to anyone who is not a U.S. or Canadian citizen or doesn't have a "green card."

Strangely enough, someone seems to have violated this provision of the agreement. Copies of RSAREFv2 seem to be available from

ftp://utopia.hacktic.nl/pub/replay/pub/crypto/LIBS/rsa/
ftp://ftp.ntua.gr/pub/crypt/mirrors/utopia.hacktic.nl/crypto/LIBS/math/
ftp://ftp.tuwien.ac.at/opsys/linux/replay.com/crypto/LIBS/math/
ftp://ftp.nstu.ru/pub/sources/security/crypt/

Cheers,

Michael

--
QUI ME AMET, CANEM MEUM ETIAM AMET
Re: Is it legal?
Michael Robinson wrote:

> Yes, they DO have the right to conduct their business by means of fraud and deceit, just so long as they break no legally binding agreement. And everyone else DOES have the right to dance a happy jig and flip the bird in the general direction of RSA Data Security, Inc. when the patent finally expires next year.

Well, if you're doing voodoo, you'll need to note that the name of the company has changed -- RSADSI and Security Dynamics, the "parent" company, merged into one: RSA Security (RSAS). Something that happened just before I left the company. Astute readers will note that I have repented, and will be happy to supply GPS coordinates if you're targeting a missile. What the heck, try these:

37 32 11 N 122 19 30 W

Maybe we could all meet there in September and defecate in the parking lot?

Note that Labs West closed, I think Matt Robshaw is no longer with the company, and the research assistants all left.

--
QUI ME AMET, CANEM MEUM ETIAM AMET