On Tue, May 11, 1999 at 23:21:28 -0600, Jason Gunthorpe wrote: > It seems from what I have heard that we consider IDEA and RSA to be > non-free due to the patents on them in various countries and this is why > we have the gpg-rsa and gpg-idea modules in non-free. However we also have > libssl, openssl, cipe and ssleay in main which all implement the IDEA (and > RSA?) algorithms. > > So, what is our policy on this?
non-US essentially serves two purposes: - Home for cryptographic software, which is currently export-controlled in the USA. - Home for packages that employ algorithms patented in the US. There's an overlap between these in the case of software implementing/using RSA. The tricky thing is whether or not to consider the US situation for non-US packages. For example, giflib implements an algorithm (lzw compression) that is patented in the USA. AFAIK, that patent is USA-only. Should giflib qualify for non-US/main? If giflib qualifies for non-US/main, so should RSA. But not IDEA. The IDEA patent isn't USA-only; see http://www.ascom.ch/infosec/idea/licensing.html . > Does any know if use of the RSA module (which does not use RSAREF) is even > legal in the US? Also, what happens on Sept 20, 2000 when the US RSA > patent drops? RSA will be free, just like DH is now. > How many other countries carry this patent? None as far as I know (I vaguely recall that the patent was issued after a publication; no other country would allow this). Ray -- Obsig: developing a new sig
