Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement

Sat, 13 Nov 1999 12:37:08 -0800 

On Sat, Nov 13, 1999 at 08:45:07AM -0600, William H. Geiger III wrote:
> Real-To:  "William H. Geiger III" <[EMAIL PROTECTED]>
> 
> In <[EMAIL PROTECTED]>, on 11/13/99 
>    at 12:19 PM, Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>
> said:
> 
> >gbroiles> It was my understanding that RHSS is BSAFE-based, which
> >gbroiles> means the crypto libraries are likely slower than an gbroiles>
> >SSLeay-derived implementation.
> 
> >Uhmm...  BSAFE SSL-C is, as far as I understand, SSLeay with a few
> >changes...

BSAFE and BSAFE SSL-C are not the same product; or at least they haven't
been historically, though I've lost track of product renaming. Perhaps
the old BSAFE libraries are being phased out in favor of the newer
SSLeay-like code. In any event, when RHSS was released, and when Red Hat
negotiated their first RSA license, BSAFE and SSLeay weren't at all the
same, and OpenSSL didn't exist yet.

> I am rather confused as to why Red Hat would go with a closed, proprietary
> crypto library instead of going with OpenSSL, doesn't seem to be the Linux
> way.

Perhaps because they don't want to be sued for patent infringement?

If Red Hat and RSAS want to work together, this allows Red Hat to
outsource crypto (and crypto export law) expertise to RSAS, which is
good business for both sides.

If Red Hat doesn't want to work with RSAS in the future, this allows
them to migrate their (Red Hat) code to an API that's (almost?)
identical to OpenSSL, which should facilitate an easy replacement of the
RSAS code with the open source alternative once the RSA patent expires,
and thereby avoid paying royalties on the copyrighted code (which will
continue to belong to RSA after the patent expiration).

I haven't looked at RHSS in a long time (and no longer have access to a
copy) but BSAFE libraries were generally distributed to RSA licensees in
object-only format, so it's likely that RHSS is already using (and has
been) a closed, proprietary crypto library; so a move to a
non-open-source library with an open API is still a step in the right
direction. 

--
Greg Broiles [EMAIL PROTECTED]
PO Box 897
Oakland CA 94604
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to