On Fri, 12 May 2000, mouss wrote:

> Paul D. Robertson wrote
> > In the United States, RSA [the algorithm] is patent encumbered until this
> > fall, so you'll need to pay RSA [the company] to use SSL that contains
> > RSA [the algorithm] or certificate generation that does the same.
> 
> Does this mean that code such as OpenSSL may not be used in the US?

I'm not sure exactly what the legality of usage is, I'm not a lawyer and I
don't play one on the Net.  I *do* know that both RSA and IDEA are
patented algorithms in the US, and I've done my best to avoid ever
installing them on an employer's machine.  I thought (but don't quote me,
unfortunately I don't have time to research it) IDEA was patented by a
European company.  I've absolutely no clue if Europe extends IP laws in a
similar way, or if the patent is US-only, but I'd check before I used it
anywhere.  I have no idea when IDEA's patent expires, I'm pretty sure
we're around 4 months from the final RSA/Stanford patent on public key
cryptography.

http://www.kfu.com/~nsayer/encryption/rsaclock.html

<rant>
Vin never answered the "Why is BSAFE the only way to implement RSA for
small developers and even with that, why do they force developers who
prefer to roll their own crypto to buy commercial software because RSA
sets the price too high on independent implementations?" question, but I'll
point out again that from my *personal* perspective RSA lost a good deal
of good will by making it cost-prohibitive to license their technology at
an affordable per-server price.  It's really too bad that they seem to be
intent on hanging onto every dime they can squeeze out of the patent over
the summer months even, since it'd be really nice for developers on summer
vacation to be able to start work on public key cryptosystems, certificate
servers and things like that inside the US.

Even though the government seems to finally be letting us export crypto
more freely, we've still got the RSA tax in the US for a while longer,
then we'll be able to sign our own non-DH x.509 certificates and build our
own trusted Web server implementations.  No expensive crypto libraries,
and even better no exorbitantly expensive per-server licenses necessary.

I had my last company purchase BSAFE so that I could develop some in-house
servers for specific applications, but the cost of per-server licensing
was way too cost-prohibitive once we got into the project design and
started trying to do a truly distributed architecture.

> > I don't know if SSLeay will build on Win32, but if it does, removing the
> > patent encumbered code and doing the usual Apache mods on the Win32
> > version should work.
> 
> SSLeay, now OpenSSL, should run on NT, but I'm not sure whether it is as
> stable as on Unix. Check www.openssl.org.

I wonder if the competition will finally make RSA drop their licensing
terms on BSAFE once the patent expires?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
