On Tue, 21 Sep 1999, Terrell Larson wrote:
> Aaron,
>
> My opinion on this is as follows (I'm not a lawyer but I've hired
> a few for opinions). If you end up breaching the licence then RSA
> will have the right to revoke it from your company without
> compensation and secondly - they will have the right to refuse to
> sell you a new license in which case your company will have to
> stop using any and all products covered under the license AND they
> can sue you for damages - whatever they may be.
That would suck. All my firewalls use RSA, my SecurID server does
too. Oh, so do our HTTPS servers. PGP uses RSA too. Impact? I've
lost my ability to do business with my customers. All of a sudden I
lost a job. Oops.
> It will cost THEM between 50,000 and 100,000 to fight the case and
> it will cost your company between 50,000 and 100,000 to defend
> itself - unless your company is smart and just says - "Let's go
> talk to a judge" in which case it can be done for probably 10,000.
> But Lawyers don't like to stand in front of a judge - they would
> rather spend the customers $$$ talking to other lawyers and
> negotiating because then they are still in control.
Yep, lots of $$$. But their license is very strong, so they know
they'd win and likely recoup and then some.
> Ok, In the end if your company loses it would have to probably
> compensate for costs and pay damages which might reasonably be
> assessed at say $1.00.
Direct monetary damages yes. But losing the ability to use any product
which uses the RSA algorithm would have horrific impacts on my
company.
> Now - the RSA patent expires in about a year I believe and if you
> are using OpenSSL my understanding is that you "might" be
> breaching their patent. But this patent probably has never been
> defended in court and therefore may in fact not be valid. The USA
> PTO is guilty of issuing thousands of trivial and therefore
> invalid patents... but it costs about 100,000 in legal fees to get
> a court to declare a patent is invalid and most people don't think
> it is worth the trouble.
Agreed. Why fight a patent lawsuit, when I can buy a $1,000 product
to solve my problem?
> OK... bottom line is use something like Blowfish - it is not
> covered by patent and is probably just fine. A year from now you
> can switch to RSA if you feel the urge to do so.
Nope. Blowfish is a symmetric algorithm (shared secrets) while RSA is
a public key. They serve two very different functions in SSL. I
could use DHA, which is available for free and is public key, but
nobody in the commercial world implements it.
> Note: I doubt very much that RSA would bother to sue your company
> for patent infringement because they need to demonstrate damages
> and if you are not selling a product in competition with them they
Damages = loss of revenue for them.
> will have a very hard time demonstrating any damages. Therefore
> it is firstly unlikely they will waste their time on it and
> secondly the courts have a rule of not dealing with trivia and
> probably would refuse to hear the case anyway. Finally, if you
> had not bothered to phone RSA they would not know or care about it
> anyway.
Probably not. But is it a risk worth taking? Not in my case.
> In any event, if I were your manager I would be asking why you are
> spending company time and why we were paying you to waste lawyers
> time and piss off the RSA people over trivial matters which can be
> avoided.
As a matter of fact, my manager was very happy and impressed with my
thoroughness in the matter. Any manager who gets pissed off at someone
for doing a thorough job shouldn't be managing anything bigger than an
ant farm IMHO.
> Even if RSA were to complain - your defense could be
> "sorry, we'll remove that... no harm done." Now, if you were
Oh, yeah, the "Ignorance is bliss defense". That's *real* effective.
> selling a commercial product, and or real financial damages to RSA
> could result - then the situation might be different and it would
> make sense to be cautious.
What world do you live in? Ever hear of software audits? RSA may
choose to make an example out of us. And knowing the US court system,
I'd probably lose and lose big. But who knows? I do know that it
is my responsibility, if I suggest the company use a product, to make
sure they understand the risks of doing so. If our lawyers say we can
take that risk, then fine, but it's not my position, responsibility,
or job to make those decisions; and frankly I wouldn't want to.
Lastly, Keven called me back and apologized for his earlier
conversation with me.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 Pager: 650-317-1821 http://www.vicinity.com
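The point Aaron makes about Blowfish versus RSA (symmetric versus public key, two different jobs in SSL) is easy to see in code. The following is an added example, not code from the original post or from OpenSSL: it models an SSL RSA-key-exchange session in which the client encrypts a fresh session secret to the server's public key, and both sides then protect bulk data with a symmetric cipher keyed from that secret. Everything in it is a stand-in chosen for this illustration: the RSA key is textbook RSA over two fixed Mersenne primes with no PKCS#1 padding (insecure, deterministic, offline), and a SHA-256 counter-mode keystream plays the role that Blowfish would play for bulk encryption. The function and constant names are this example's own.

```python
"""Added example: why a symmetric cipher cannot replace RSA in SSL.

With an RSA cipher suite, SSL does two distinct jobs:
  1. key establishment - the client encrypts a fresh session secret
     to the server's RSA public key (no prior shared secret needed);
  2. bulk encryption   - both sides then encrypt application data with
     a symmetric cipher (Blowfish, DES, RC4, ...) keyed from that secret.
A symmetric cipher alone cannot do job 1: it needs the key to exist on
both sides before the first byte is sent.
"""
import hashlib
import secrets

# Toy RSA parameters (assumption for this example, NOT for real use):
# two public Mersenne primes, 2^127-1 and 2^61-1, give a ~188-bit
# modulus, big enough to hold a 16-byte session secret as one integer.
P = (1 << 127) - 1
Q = (1 << 61) - 1
E = 65537


def rsa_keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python >= 3.8)
    return (n, e), (n, d)


def rsa_encrypt(pub, m_bytes):
    """Textbook RSA (no padding; real SSL used PKCS#1 v1.5 here)."""
    n, e = pub
    m = int.from_bytes(m_bytes, "big")
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c, length):
    """Recover a `length`-byte message from ciphertext integer c."""
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def keystream_xor(key, data):
    """Stand-in for a symmetric cipher such as Blowfish.

    SHA-256 in counter mode produces a keystream that is XORed with the
    data, so the same call encrypts and decrypts.  Toy only: there is
    no nonce, so a key must never be reused.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def rsa_handshake(server_pub, server_priv, app_data, session_key=None):
    """Model one SSL session with RSA key exchange.

    Returns (client_key, server_key, wire_ciphertext, server_plaintext).
    `session_key` may be supplied to make the run deterministic.
    """
    # Client side: invent a fresh secret, encrypt it to the server's
    # public key.  This is the step Blowfish alone cannot perform.
    client_key = session_key or secrets.token_bytes(16)
    wrapped = rsa_encrypt(server_pub, client_key)
    # Server side: the private key unwraps the secret.
    server_key = rsa_decrypt(server_priv, wrapped, len(client_key))
    # Bulk data: symmetric cipher under the now-shared session key.
    wire = keystream_xor(client_key, app_data)
    return client_key, server_key, wire, keystream_xor(server_key, wire)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    request = b"GET / HTTP/1.0\r\n\r\n"  # constructed sample data
    ck, sk, wire, plain = rsa_handshake(pub, priv, request)
    assert ck == sk and plain == request
    print("session key transported via RSA; bulk data via symmetric cipher")
```

Run it as a script and the assertion shows both halves working together: the public-key step moves the secret across a channel with no prior shared key, and the symmetric step does the cheap bulk work afterwards. Drop the RSA step and the server has no way to learn the key, which is exactly why "just use Blowfish" does not answer the licensing question for an SSL deployment.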
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]