This is an email I sent to someone on the openssh list:
Date: Wed, 17 Jan 2001 18:35:10 -0800 (PST)
From: Jason
To: openssh-unix-dev
Subject: RE: BSafe toolkits for implementing RSA public key algorithm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> That is what I am hearing, but our legal department seems to think
> otherwise. Apparently, even though the patent expired, there are
> licensing issues with using the RSA algorithms. This is for a possible
> commercial application.
Let me start by saying that I am not a lawyer, nor am I licensed to
dispense legal advice in any capacity, anywhere in the world. However,
I've been maintaining software distributions within my (multi-national)
company for a couple of years, so I've dealt with all of these issues.
So there are three issues related to crypto: 1) Copyrights, 2) Patents,
3) Governmental export/import/use restrictions.
The big issue with RSA (the algorithm) was that the algorithm was
patented, so you couldn't implement it in the US without the consent of
RSADSI (RSA the company). RSADSI released a reference implementation,
called RSAREF - this was a verbatim piece of software and was therefore
copyrighted - you could only use it or change it subject to the license
that RSADSI set down for it. RSAREF could be freely used, but not sold,
so many open source projects had support for it, but it couldn't become a
standard because US government export restrictions forbade RSAREF from
being used outside of the US (even though the Australian implementation
from SSLeay was already faster and more robust...).
Today, the RSA patent has expired, so anyone can freely implement the
algorithm in a software or hardware project, for any use, commercial or
otherwise. BSAFE and RSAREF are still verbatim pieces of software and
therefore still subject to the copyright licenses set down by RSADSI.
And if you do write crypto software, you still have to have the approval
of your government to use it, export it or import it - in the US,
basically, you can use it however you want, but you can't put it on a web
or ftp site that's accessible from outside the US, and you can't sell it
overseas without filling out lots of tedious forms (though I hear that the
approval process has been streamlined in recent months).
So, bottom line, if you're in the US, you can run openssh and openssl
without any problems (you do have to disable IDEA and RC5 when you build
openssl, though, because they are both still patented, but openssh doesn't
use/need either). The only reason you might want to do a port to BSAFE
would be if you were a multinational corporation, and you didn't want to
deal with the export approval process, but all the countries involved were
allowed to import BSAFE - then you would do it the way it was done before
the patent expired - you'd ship openssh without any crypto support, and
you'd have the people in each country independently build against BSAFE.
Hope this clears up any confusion.
-Jason
---------------------------
If the Revolution comes to grief, it will be because you and those you
lead have become alarmed at your own brutality. --John Gardner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE6ZlZlswXMWWtptckRAnbkAJ9pq8evM6XliMvntybyhPdnxgS2WwCgy2mz
l5xU5/8sKhBY5NdgZ4EDmFE=
=P7Up
-----END PGP SIGNATURE-----