RE: Open Source Embedded SSL - (License and Memory)

2003-11-29 Thread Bill Stewart
At 12:52 AM 11/27/2003 -0800, J Harper wrote:
 1) Not GPL or LGPL, please.  I'm a fan of the GPL for most things, but
 for embedded software, especially in the security domain, it's a
 killer.  I'm supposed to allow users to modify the software that runs
 on their secure token?  And on a small platform where there won't be
 such things as loadable modules, or even process separation, the
 (L)GPL really does become viral.  This is, I think, why Red Hat
 releases eCos under a non-GPL (but still open source) license.
We're aware of these issues.  How do other people on the group feel?
That's an obvious call for a BSD / C-News style license
- You're free to copy it but leave our copyright notice in.
- You acknowledge that you got it for free and that any consequences,
no matter how horrible, of what you do with it are not our 
- You're free to change it, but only if you include a notice that you 
changed it.
- Maybe something about you must either distribute the licensed source code
for no more than a copying/handling charge or else a pointer to 
the original.

Re: Open Source Embedded SSL - Export Questions

2003-11-29 Thread Bill Stewart
At 02:45 PM 11/27/2003 +1100, Greg Rose wrote:
At 12:27 PM 11/27/2003, Thor Lancelot Simon wrote:
RC4 is extremely weak for some applications.
A block cipher is greatly preferable.
I'm afraid that I can't agree with this howling logical error.
RC4 is showing its age, but there are other stream ciphers
that are acceptable, and there are block ciphers
(such as FEAL, same vintage as RC4) that aren't even vaguely secure.
Well, to be more precise,
RC4 has restrictions on the ways you can use it that
make its crypto strength fail very badly if you violate them,
and because it's an XOR stream cypher there are sometimes
things you can't do with it that you could do with a block cypher.
RC4 does also have the historical problem that people sometimes
decide to use it with 40-bit keys because they can...
OTOH, of course being a block cypher isn't enough to guarantee
either strength or usefulness, e.g. bass-o-matic.
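The usage restriction Bill refers to, shown as an added example that is not part of the thread: RC4 implemented from its published description, then misused by encrypting two messages under one key with no per-message nonce. The key and messages are constructed for illustration.

```python
# Added example (not from the thread). RC4 KSA/PRGA from the public
# description; sample key and messages below are constructed.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """The restriction: one key must never be used for two messages.
    Same key, same keystream, so XORing the two ciphertexts cancels it
    and leaves p1 XOR p2, visible to anyone holding both ciphertexts.
    A defender checks that every RC4 key (or key||nonce) is single-use."""
    c1 = rc4_crypt(key, p1)
    c2 = rc4_crypt(key, p2)
    return xor_bytes(c1, c2)

def bit_flip_without_key(key: bytes, p: bytes, index: int, mask: int) -> bytes:
    """Malleability of a bare XOR stream: flipping ciphertext bits flips
    the same plaintext bits on decryption, so a MAC is mandatory."""
    c = bytearray(rc4_crypt(key, p))
    c[index] ^= mask
    return rc4_crypt(key, bytes(c))
```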