After about 2 weeks worth of research (talking to this list, RSA,
our lawyers, etc) I found that if your a company in the US, and you
want SSL to talk to IE or Netscape, you have to either:
- Break the law
or
- Buy a license from RSA (very expensive)
or
- Buy a commercial SSL implimentation (not cheap, but about 100 times
cheaper than getting a license from RSA)
Using only des/des3 won't work because you need a PK algorithm to
exchange the des/des3 keys.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 Pager: 650-317-1821 http://www.vicinity.com
On Wed, 24 Nov 1999, Tim Riker wrote:
> OK, so what is a distributor to do? ;-)
>
> In short: Is it possible to build OpenSSL without and code that is
> patent infringed, and still have it talk to Netscape and M$IE? What if I
> did:
>
> ./Configure --prefix=/usr --openssldir=%{openssldir} linux-elf \
> no-bf no-idea no-rc2 no-rc4 no-rc5 no-rsa no-sha
>
> to get just des/des3, is that enough? (the astute will notice that this
> will not build, but hey) It should be ok to leave in blowfish, but
> M$IE/Netscape do not have blowfish anyway right?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]