Vin McLellan wrote:
> 3. IMNSHO, RSADSI stopped supporting RSAREFv2 because it found that
> it could not control or manage the actions of RSAREF licensees to guarantee
> that its patented process (or even its own free code) would not be used to
> undercut the 600-odd commercial OEMs which have always provided its
> lifeblood revenue.
It is interesting to note that RSADSI (now RSA Security) never lived up to
its obligations under the license grant offered under the terms provided
with RSAREF -- probably a disconnect between the RSA Laboratories folks, who
are "good guys" (I have nothing but respect for Burt Kaliski, Bob Silverman,
Matt Robshaw, et al.) and RSADSI (not always the best and the brightest).

Just so I can do this once and for all, here's a point-by-point trashing of
the RSAREF license grant:

    1. RSAREF is free for personal or corporate use under the
       following conditions:

       o RSAREF, RSAREF applications, and services based on
         RSAREF applications may not be sold.

       o You must give RSA the source code of any free RSAREF
         application you plan to distribute or deploy within
         your company. RSA will make these applications
         available to the public, free of charge.

Other than RIPEM, has RSA done this?

    2. RSAREF applications and services based on RSAREF
       applications may be sold under the following conditions:

       o You must sign and return the RSAREF Commercial License
         Agreement to RSA (call RSA for a copy of this
         agreement). Remember, RSAREF is an unsupported toolkit.
         If you are building an application to sell, you should
         consider using fully supported libraries like RSA's
         BSAFE or TIPEM SDK's.

There is not, nor has there ever been, any such thing as the "RSAREF
Commercial License Agreement." Feel free to call RSA for a copy. I
encourage you to do so. Call early and often.

    3. RSAREF applications and services based on RSAREF
       applications may be "sharewared" under the following
       conditions:

       o Shareware authors do not need to sign a separate
         agreement with RSA, provided that their per-copy asking
         price is less than $50 and total RSAREF application
         revenue is less than $10,000 annually. Otherwise,
         shareware authors must sign and return the RSAREF
         Commercial License Agreement.

Have any shareware authors discovered an "RSAREF Commercial License Agreement?"

    5. You can modify RSAREF to port it to other platforms, or to
       improve its performance, as long as you give a copy of the
       resulting source code to RSA. Other changes to the RSAREF
       code require written consent from RSA.

In my several fruitless discussions with RSA's corporate counsel and
some marketing rube, they repeatedly asserted that patches such
as the recent security patches violate the agreement. Of course,
neither of them had seen the agreement, and didn't have a copy
of it in front of them. Improving its performance is clearly
permitted.

    6. You can't send or transmit (or cause to be transmitted)
       RSAREF outside the United States or Canada, or give it to
       anyone who is not a U.S. or Canadian citizen or doesn't have
       a "green card."

Strangely enough, someone seems to have violated this provision of the
agreement. Copies of RSAREFv2 seem to be available from

    ftp://utopia.hacktic.nl/pub/replay/pub/crypto/LIBS/rsa/
    ftp://ftp.ntua.gr/pub/crypt/mirrors/utopia.hacktic.nl/crypto/LIBS/math/
    ftp://ftp.tuwien.ac.at/opsys/linux/replay.com/crypto/LIBS/math/
    ftp://ftp.nstu.ru/pub/sources/security/crypt/

Cheers,
Michael
--
QUI ME AMET, CANEM MEUM ETIAM AMET
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]