As many know the NO_RSA compilation option is badly broken. In order to
get it working again here are a few suggestions for discussion.

1. What should NO_RSA do?

Should it behave as though RSA is completely unknown or should it
provide as much functionality as is possible without infringing the RSA
patent? That is should things like the 'rsa' utility and 'genrsa' work
as far as possible or should they not be implemented at all?

Should both kinds of functionality be available: "no RSA at all"
and "as much RSA as possible without infringing the patent"?

2. What does the RSA patent cover?

As I understand it it covers use of the RSA algorithm for encryption and
decryption with public and private keys (including sign, verify).

What else (if anything) else is covered? Is it permissible to do RSA key
generation and use RSA ASN.1 structures, for example RSAPublicKey and
RSAPrivateKey defined in PKCS#1?

3. Use of RSAref.

Is the way that RSAref is compiled into OpenSSL OK? 

I have some concerns about this. If you take a look at crypto/rsa it
seems that all that it does is sets the default RSA method to use
RSAref. In particular the SSLeay RSA code is still present and can be
activated using: 
RSA_set_default_method(RSA_PKCS1_SSLeay());

The discussions about dead code being legal prompted this. This seems to
be very much "live" code. Should all the RSA_PKCS1_SSLeay(); code be in
#ifndef RSAref's ?

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to