After a lot of research and talking with people from the Stunnel and
OpenSSL lists, and 3 phone calls to RSA itself, I've learned far more
than I ever wanted to know about RSA's patent and licensing. [Contrary
to the last person who posted on this list, I found both Stunnel and
OpenSSL lists very informative.] I figured there were a lot of people
out there who would benefit from this info. Of course if you see any
errors, feel free to let me know. Maybe I can get this added to some
FAQ?
Basically, all I wanted to do is run a generic SSL reverse proxy for a
number of services/hosts. I also wanted Client Certificates for added
security. All this was for internal use only type stuff like IMAP and
secure access to internal web servers for my employees. None of this
is stuff that I make any money off of directly, i.e. I'm not trying to
sell anything with SSL or RSA in it.
Anyways, I found out that:
SSLv3 supports numerous public-key encryption algorithms. However,
most SSL clients only support RSA for public-key. So basically,
unless you use RSA, you can't talk SSL to 99% of the world.
If you are a U.S. company, you must somehow purchase a license for
RSA[3].
If you purchase a piece of software (like Stronghold) that
includes the RSA library, it will include an applicable license for
RSA. Basically C2Net (the "author" of Stronghold) purchases a RSA
license and then is allowed to distribute the RSA library with their
product.
This RSA library license that you receive with Stronghold, etc., can
not be legally transferred to another piece of software, because the
license requires you to use the RSA approved implementation of the RSA
algorithm.
The other option is to license the RSA library directly from RSA and
link your software to that.
To license RSA for use with OpenSSL/Stunnel for my "internal use only"
purposes would cost me *at least* ONE HUNDRED THOUSAND DOLLARS.
Basically they wanted .075% of my company's revenue, and this
$100K was just the DOWN PAYMENT. Your pricing may vary, but the sales
rep indicated that this was what they charged everyone.
Or-
I could go out and buy one of the commercial[1] Stunnel-like
implementations for about $1,000 per SSL proxy server.
Or-
I could just be illegal and download the RSAref[2] library and link
that with OpenSSL/Stunnel. And on Aug. 20th, 2000, when the RSA
patent expires, I'd be legal. (Though potentially liable for past
unlicensed use.)
So my options were:
1) Pay nothing, use RSAref with OpenSSL and be illegal.
2) Pay about $3,000 for some closed-source software that didn't have
all the features of the Open Source equivalent.
3) Pay at least $100,000 to use OpenSSL.
Patents suck.
----
1) C2 Net's SafePassage Secure Tunnel http://www.c2net.com/
Celocom's SSR Server http://www.celocom.com/
2) RSAref is an implementation of the RSA algorithm for non-commercial
use in the U.S. http://www.rsa.com/
3) The RC5 algorithm is also patented and illegal to use in the US
without the RSA license.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 Pager: 650-317-1821 http://www.vicinity.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]