On Jan 7, 2007, at 9:44 AM, Garrett Rooney wrote:
Uhh, anyone? It'd be really great if someone with more clue in this area (Cliff, Roy, one of our lawyers, etc) could take a look at this and let me know if it resolves our problem or not. If not, I'll look into an alternate solution (either asking RSA for an explicit clarification or replacing the code somehow).
I thought we did. The "clarification" is completely vague:

  Implementations of these message-digest algorithms, including implementations derived from the reference C code in RFC-1319, RFC-1320, and RFC-1321, may be made, used, and sold without license from RSA for any purpose.

  No rights other than the ones explicitly set forth above are granted. Further, although RSA grants rights to implement certain algorithms as defined by identified RFCs, including implementations derived from the reference C code in those RFCs, no right to use, copy, sell, or distribute any other implementations of the MD2, MD4, or MD5 message-digest algorithms created, implemented, or distributed by RSA is hereby granted by implication, estoppel, or otherwise.

So we can implement them, make them, use them, and even sell them, but no permission to distribute them to third parties?

When I did a search the last time, I found at least three other implementations based on public domain code and three more that were probably derived from the RFC with further optimizations. The best two independent ones are by L. Peter Deutsch (new BSD license) and Colin Plumb (public domain). The latter was apparently extended by "Solar Designer" and included in dovecot-1.0.

The non-independent implementations are inside the RFC, distributed with bug fixes by Jim Ellis, and an optimized version of the RFC code by Joe Touch. The one in OpenSSL is by Eric Young, and though he claims copyright and demands advertising, he also has comments saying the code is derived from the RFC (okay if the code merely implements the MD5 algorithm in the RFC without using the appendix).

That's how far I got before running out of time. We should just compare the speed of each of these and use whichever is best.

....Roy