After about 2 weeks worth of research (talking to this list, RSA,
our lawyers, etc) I found that if your a company in the US, and you
want SSL to talk to IE or Netscape, you have to either:

- Break the law

or

- Buy a license from RSA (very expensive)

or

- Buy a commercial SSL implimentation (not cheap, but about 100 times
cheaper than getting a license from RSA)

Using only des/des3 won't work because you need a PK algorithm to
exchange the des/des3 keys.

-- 
Aaron Turner        [EMAIL PROTECTED]  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Wed, 24 Nov 1999, Tim Riker wrote:

> OK, so what is a distributor to do? ;-)
> 
> In short: Is it possible to build OpenSSL without and code that is
> patent infringed, and still have it talk to Netscape and M$IE? What if I
> did:
> 
> ./Configure --prefix=/usr --openssldir=%{openssldir} linux-elf \
>     no-bf no-idea no-rc2 no-rc4 no-rc5 no-rsa no-sha
> 
> to get just des/des3, is that enough? (the astute will notice that this
> will not build, but hey) It should be ok to leave in blowfish, but
> M$IE/Netscape do not have blowfish anyway right?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to