-----Original Message-----
From: Adam D. McKenna <[EMAIL PROTECTED]>

>: There are commercial web-servers based on SSLeay/OpenSSL that are
>: legal to use in the US.  Plus, if you desperately want to use a free
>: one, you can obtain an RSA license yourself -- but it'll likely be
>: much more costly than buying a commercial derivate of Apache.
>
>That's not what I meant.  What I was saying is that Verisign condones and
>supports the use of "freeware apache", and will issue certificates for it.
>Are you saying that this implies that the users of "freeware apache" have
>also purchased an RSA license?  That's not how I read it.  But you are free
>to look for yourself at
>http://digitalid.verisign.com/server/apacheNotice.htm

It doesn't imply anything whatsoever about "users of freeware Apache".  If
Thawte and Verisign have licensed the RSA technology, they can sign
certificates using RSA.  It doesn't matter whether or not the user can
legally use the certificate; that depends on a business arrangement between
the user and RSADSI which Thawte and Verisign are not parties to.

By way of analogy, I can sell you a handgun, but whether or not you can
legally carry it around or whether you register it as required by law, are
no concern of mine.

>
>The other thing I was asking is if using RSAREF within the US, for
>commercial use, is really worth it.  It seems that RSAREF for commercial use
>inside the US is just as bad as using standard OpenSSL.

Correct.  RSAREF doesn't grant you any rights to use RSA-patented technology
for commercial purposes.

>
>Also, has anyone here purchased redhat secure server, in order to obtain the
>RSA license, and then used apache/openssl instead?  Any thoughts on the
>legality of this?
>
>--Adam

The RSA license that comes with Red Hat Secure Web Server says:
    "The Software Programs include software licensed from RSA Data Security
('RSA Software') ... Nothing in this license grants you *any* rights,
license, or interest with respect to the source code for the RSA Software"
(emphasis mine).

It's interesting that RHSWS uses mod_ssl, but I don't know if they used
OpenSSL as the crypto toolkit, or if they modified mod_ssl to use one of
RSA's BSAFE products (though from comments Preston Brown has made on the
list as well as the wording of the RSA license, I suspect that it's the
latter).

Either way, the wording here seems to strongly suggest that all RSA is
licensing you to use is *this, binary* implementation of the RSA
algorithm -- nothing else.

Dave Neuer

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
