[follow ups to -policy] I was just taking a bit of a look around the new non-us trying to figure out what our stance was on things like IDEA and RSA and unfortunately can't figure it out. :| (BTW the dns has been swtiched over.. email [EMAIL PROTECTED] if there are issues)
It seems from what I have heard that we consider IDEA and RSA to be non-free due to the patents on them in various countries and this is why we have the gpg-rsa and gpg-idea modules in non-free. However we also have libssl, openssl, cipe and ssleay in main which all implement the IDEA (and RSA?) algorithms. So, what is our policy on this? There is a bit of an alterior motive here, it looks like it may be possible to switch completely from PGP for all of Debian signature checking to use GPG and the RSA module in its place, but that may not be legal (or even DSFG?) to do so. This would be very nice as it would be one more large chunk of non-DFSG software that we no longer rely on. Does any know if use of the RSA module (which does not use RSAREF) is even legal in the US? Also, what happens on Sept 20, 2000 when the US RSA patent drops? How many other countries carry this patent? Given that should Debian aim to drop RSA totally or should we aim to stop accepting RSA keys and gradually convert over to a DH/DSS system? Should we just -drop- RSA totally? (AFAIK you do not need IDEA for signatures, only encryption) Thanks, Jason