Actually, this is a documentation error of sorts.  The section SHOULD read
like this:

---
It used to be that France and the USA had severe restrictions on the use
of and/or export of cryptography.  Fortunately, France repealed its
draconian regulation on the use of heavy-strength cryptography, and the
USA has repealed its restriction on the export of freely-available
cryptography.  (For information on the requirements to be able to export
cryptography from the USA, please see the Bureau of Export
Administration's "Commercial Encryption Export Controls" site at
http://www.bxa.doc.gov/Encryption/ .)

At this time, the use of encryption in the USA is generally controlled
only by the owners of any applicable patents on the algorithms in use.  
As of right now (09Jun2000), the only outstanding patent that appears to
apply to the use of OpenSSL (and thus, Mod_SSL) in the USA is the one
owned by RSA Data Security, Inc. on the use of the RSA data encryption
algorithm (US patent 4,405,829, viewable at
http://www.patents.ibm.com/details?pn=US04405829__ ).  Its issuance was
20Sep1983, and its expiration is 20Sep2000.  This means that, until
20Sep2000, any and all use of the RSA encryption algorithm in the USA
needs to be licensed from RSA Data Security, Inc.

RSA Data Security released a "reference implementation" of RSA in library
form, called "RSAREF", that they licensed relatively freely to
non-commercial and
research users.  Various programs were linked with this library (including
PGP and US versions of SSLeay and OpenSSL), and those programs were
limited to non-commercial use until and unless a separate license was
negotiated (and paid for).  The use of RSA in non-commercial and research
settings is ONLY licensed if the RSAREF library is used to perform the
actual encryption.

So, it is not legal to use RSA encryption with OpenSSL and mod_ssl in the
United States for commercial purposes without a license from RSA Data 
Security until 20Sep2000, at which time the patent expires and the
technology falls into the public domain.  (If you can't wait, there are
companies that provide secure web servers based on older versions of
mod_ssl, but with licenses to use RSA encryption, for relatively small
fees.)

---

I've been able to find no references to any patents on the RC4 algorithm,
but I did find reference to the patents on the IDEA algorithm (which I
don't think is used in SSL, but I may be mistaken).  If anyone knows what
patents cover RC4, I'd appreciate knowing them.  Thanks!

-Mat Butler


On Fri, 9 Jun 2000, Tim Willis wrote:

> In perusing the documentation of Mod_SSL, I came across these two sections:
> 
> ------------
> At least two countries with heavy cryptography restrictions are well known:
> In the United States (USA) first it's not allowed to (re-)export mod_ssl or
> OpenSSL and second it's not allowed to use Apache+mod_ssl+OpenSSL (because
> of patent issues on the RSA and RC4 algorithms) unless OpenSSL is built with
> RSA DSI's RSAref package and used for non-commercial purposes only. And
> inside France it's not allowed to use any cryptography at all when keys with
> more than 40 bits are used.
> ------------
> ------------
> As of this writing (end of the year 1999) the major difference is the RSA
> license which one receives (very cheaply in contrast to a direct licensing
> from RSA DSI) with the commercial Apache SSL products. On the other hand,
> one needs this license only in the US, of course. So for non-US citizens
> this point is useless. And even for US citizens the situation is at least
> solved next year (September 20th, 2000) when the RSA patent expires.
> ------------
> 
> What does all this mean?  Is it legal for me, in the US, to use
> Apache+mod_ssl+OpenSSL for commercial purposes?  Do I read it correctly that
> it isn't legal for me at the moment, but will be after September 20th, 2000?
> Could someone clarify this for me?
> 
> Thanks,
> 
> Tim Willis
> IS Technician
> Code Rite
> [EMAIL PROTECTED]
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 
