With the amount of traffic on this list lately regarding patent issues, and
the amount of confusion regarding said issues, it seems like it might be a
good idea to set up a mailing list specifically for these questions.

In the auto-responder for the list, it could send a FAQ with more detailed
information than is currently available on most of the sites I've seen
related to mod_ssl/OpenSSL. Despite the frequent discussion and the
existing documentation from mod_ssl/OpenSSL regarding the topic, it seems
like there is still a lot of misinformation and incomplete information
floating around.

Topics that I think SHOULD be in a FAQ about this:

1) RSAREF, and how:
   a) though it is no longer available from RSADSI, should still be legal
      to use and even distribute for non-commercial purposes in the US
   b) NEVER was and still isn't legal to use for commercial (i.e.
      income-generating) purposes in the US
2) RSADSI and how:
   a) what they own is the patents on the RSA algorithms, inclusive of all
      implementations of them, regardless of the source of the implementation
   b) the patents only apply in the US, and if you're not a government
      institution
   c) the patents expire in September 2000
   d) until then, you can't use ANY SSL/RSA implementation in the US
      legally (for commercial OR non-commercial purposes, correct?) unless it's
      i) BSAFE SSL from RSADSI
      ii) from an RSADSI licensee like C2Net (Stronghold), Covalent
          (Raven) and Red Hat (Red Hat Secure Web Server) -- subject to specific
          licensing terms (kudos to anyone who can determine precisely what can and
          can't be done with all three packages -- I know the current situation for
          Red Hat only).
3) SSL and how:
   a) there are ciphersuites which don't use RSA, but they are not
      browser-supported and you can't get a cert from a recognized CA for them
      (right?)
4) the future of Public Key Cryptography standards and how:
   a) hopefully the next IETF/ANSI/W3C/whatever-standards-body standard for
      Internet security will be unencumbered by patents (anybody have
      any idea of the status of AES?)

As the comments above should make clear, even someone like myself who has
spent a lot of time delving into this probably doesn't have all (or even
most) of the answers -- but it would be nice to have a document to point
people to when they ask on this list as at least half of the answers they
get will either be incomplete, wrong or more questions.

I welcome any comments, corrections, clarifications, and suggestions.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]