> LINUX SECURITY
> by Jim Reavis and Kurt Seifried
>
> January 11, 2000
> TODAY: RSA License Issues
>
> There has been a lot of confusion recently over the exact legal status of the RSA algorithm, and its usage. RSA is one of the integral algorithms used in public key cryptography, and, as such, is used in many modern crypto systems. RSA was patented in the USA on September 29th, 1983, and the patents extend for 17 years (expiring on September 29th, 2000). These patents are applicable only in the U.S., except in rare circumstances. To use the RSA algorithm in the U.S. you must pay a licensing fee, either directly or indirectly, to RSA Security. For example you may purchase Raven SSL for Apache, which makes use of the RSA algorithm, and which Raven has paid RSA Security for the usage of. If you wish to create a product that uses the RSA algorithm, you must go to RSA Security and pay a fee to make use of it.
>
> Things start to get messy, though, because of a free RSA implementation (RSAREF) that RSA Security made available some time ago. The most recent license is version 2.0, and is available on a variety of Websites. (*Note: I was unable to find a copy on RSA Security's home page or FTP server; email to [EMAIL PROTECTED] tells you to go to ftp://ftp.rsa.com/rsaref/ which no longer exists).
>
> Excerpted from version 2.0 of the RSAREF license:
>
> WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
>
> 1. RSAREF is free for personal or corporate use under the following conditions:
>
> -RSAREF, RSAREF applications, and services based on RSAREF applications may not be sold.
>
> -You must give RSA the source code of any free RSAREF application you plan to distribute or deploy within your company. RSA will make these applications available to the public, free of charge.
>
> 2. RSAREF applications and services based on RSAREF applications may be sold under the following conditions:
>
> -You must sign and return the RSAREF Commercial License Agreement to RSA (call RSA for a copy of this agreement). Remember, RSAREF is an unsupported toolkit. If you are building an application to sell, you should consider using fully supported libraries like RSA's BSAFE or TIPEM SDK's.
>
> 3. RSAREF applications and services based on RSAREF applications may be "sharewared" under the following condition: Shareware authors do not need to sign a separate agreement with RSA, provided their per-copy asking price is less than $50 and total RSAREF application revenue is less than $10,000 annually. Otherwise, shareware authors must sign and return the RSAREF Commercial License Agreement.
>
> 4. You must use the interface described in the RSAREF documentation.
>
> -The published interface of RSAREF consists of those procedures and data types listed in the files "global.h" and "rsaref.h," as described in the RSAREF library reference manual (the file "rsaref.txt"). If a procedure is not documented in the library reference manual, then it is not considered published, even if an application could access it without modification to RSAREF.
>
> -Furthermore, the published interface is understood as the reasonable interpretation of the descriptions in the library reference manual. Although it may well be possible to perform operations with procedures listed in "rsaref.h" that differ from what is described in "rsaref.txt," only the intended operations (e.g., Diffie-Hellman key agreement with the Diffie-Hellman procedures) are considered to be in line with the published interface.
>
> 5. You can modify RSAREF to port to other platforms, or to improve its performance, as long as you give a copy of the resulting source code to RSA. Other changes to the RSAREF code require written consent from RSA.
>
> 6. You can't send or transmit (or cause to be transmitted) RSAREF outside the United States or Canada, or give it to anyone who is not a U.S. or Canadian citizen or doesn't have a "green card."
>
> Source: http://legion.virginia.edu/download/license.html
>
> Basically this boils down this way: If you are a U.S. or Canadian citizen, you can use RSAREF for pretty much anything OpenSource/Commercial as long as you ask nicely. Also, you can modify it, but you must make those modifications available to RSA Security (not quite sure how you would do this given that all the email addresses listed for RSAREF are dead and reply with "go to ftp://ftp.rsa.com/rsaref/", which no longer exists).
>
> So, if you are within the U.S. or Canada, and a citizen, you can write an application using RSAREF and distribute it within Canada and the States (assuming RSA Security gives you permission). If you are outside the States, you can write an application that uses the RSA algorithm, but it cannot be used in the U.S. (since it is patented). You can, however, separate the code so that it can be compiled against RSAREF; this way, people in the U.S. should be able to use it. From a press release on RSA Security's site:
>
> "RIPEM/SIG is built on top of RSA's popular freeware RSAREF (pronounced "R.S.A. reff" -- short for "RSA reference implementation") cryptography toolkit, but until now, RSAREF was only approved for individual usage. Now RSA has relaxed the use restrictions for RSAREF, and any application built with it may now be used by individuals in commercial settings as long as it is not sold or used for company business or to provide a direct for-profit service."
>
> Source: http://www.rsasecurity.com/news/pr/940318.html
>
> Did I mention DSA? DSA is an alternative algorithm to RSA, and is patented, though not as heavily. The general consensus is that you can use it within the USA and Canada, but you might not want to -- especially if using certificates. Because the certificates issued from Thawte, Verisign, and so on are RSA certificates, they do not work directly with DSA. If, however, you are building a customized product, it is an alternative. Generally speaking, though, most North American companies opt to pay the licensing fees to make use of RSA.
>
> Source: http://www.rsasecurity.com/rsalabs/faq/6-3.html
>
> I hope this article clears up the issues surrounding usage and implementation (license-wise) of RSA. In any case, most of this is moot since the patent runs out on RSA in about 11 months. After that, most (though not all) uses of RSA will be legal within the U.S.; however, there are several hundred patents pertaining to RSA that cover various implementations and specific usages of it, so consult a patent lawyer first.

-- 
This is The Midgard Project's mailing list. For more information, please visit the project's web site at http://www.midgard-project.org
To unsubscribe from the list, send an empty email message to address [EMAIL PROTECTED]
