Hi!

Here are my 2c, not guaranteed to be 100% true. Just some previous
experience.

> From: K [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 16, 1999 5:28 PM
> To: [EMAIL PROTECTED]
> Subject: OpenSSL usage liability.
>
>
> Greetings,
>
> I am an SSL newbie so please forgive.
>
> We are a small Swiss hosting company with our servers co-located in the US.
> We want to start up another server in Switzerland, and have them communicate
> securely through SSL using openSSL. What are the implications since we will
> be using openSSL on a US server? Will RSA sue us?

It is a possibility. Try performing a search for 'sue' on the RSA site.
They have quite a few. However, since you are a *small* company, you
may go unnoticed. The only way to be sure is to use some licensed
toolkit (such as Baltimore or RSA's C/SSL) instead of OpenSSL. And
these are quite expensive.

> Will the US gov. bust us since encrypted communications will be going
> across its borders?

No, as long as you use exportable ciphersuites (see one of the
appendixes of the SSL spec for a list of those). That is, you limit the
length of your symmetric key to what is it now? 56 bit?

BTW, the spec of SSLv3 is outdated from this point of view, since it
says 40 bits is the limit. Shouldn't there be some IANA registry for
ciphersuites or something?

--
Dmitry Rubinstein

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
