RE: RSA?

2001-04-06 Thread David Rees



1.  No.

2.  RSA encryption is included in OpenSSL, so it is now a Legacy reference.  If
you find any references to it in current documentation, post it to the list
and Ralf can remove it.
 
-Dave

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burgess, Jay
  Sent: Friday, April 06, 2001 9:05 AM
  To: '[EMAIL PROTECTED]'
  Subject: RSA?

  I apologize if this is documented somewhere, but I can't make
  sense out of the existing docs and maillist postings that I've been
  reading.  Hopefully someone can set me straight, or point me in the right
  direction.

  I currently have a modified version of Apache 1.3.19 that
  we're looking to add SSL support to.  mod_ssl seems to be the
  solution.  But I've got two questions:

  1 - Given that we're a U.S. company, but that RSA's patent has
  now expired, are there any licensing issues that I need to be aware of?
  The "RSA Patent Issues" doc seems to still talk about things as they existed
  last year.

  2 - Technically, is it simply a matter of downloading mod_ssl
  and OpenSSL and doing the right magic to incorporate them into my current
  Apache build?  I'm still confused by the RSARef box in the architecture
  diagrams that I've seen.  Is it also a legacy reference, or do I also
  still need some component from RSA?

  Thanks.
  Jay


Re: RSA?

2001-04-07 Thread rwidmer

Addressed to: [EMAIL PROTECTED]
  Jay" <[EMAIL PROTECTED]>

** Reply to note from "Burgess, Jay" <[EMAIL PROTECTED]> Fri, 6 Apr 2001 
11:04:59 -0500 
>   
> This message is in MIME format. Since your mail reader does not
> understand this format, some or all of this message may not be
> legible.

Please don't send MIME & HTML formatted messages to the list.


> 1 - Given that we're a U.S. company, but that RSA's patent has now
> expired, are there any licensing issues that I need to be aware of?

Not any more!


>   
> 2 - Technically, is it simply a matter of downloading mod_ssl and
> OpenSSL and doing the right magic to incorporate them into my current
> Apache build? 

I can't say how your mods to Apache will affect the process.  I suggest
you start from an unmodified Apache, run thru the instructions in the
mod_ssl INSTALL file until after mod_ssl patches Apache then install
your changes.  Since mod_ssl is tied to a specific version of Apache I
am afraid your changes may mix it up if _you_ patch first.

> I'm still confused by the RSARef box in the architecture
> diagrams that I've seen. Is it also a legacy reference, or do I also
> still need some component from RSA?

Forget RSARef, the code in openssl is better.




Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: rsa

1998-11-20 Thread Dave Paris

Al,

Welcome to it.  You're experiencing what most of us in the states have found... 
dealing with RSA a) is confusing as hell and b) blows dead moose.  They 
certainly haven't shifted gears to think about mod_ssl or OSS development in 
general.

For what it's worth, the first viable opportunity to drop my dependence on RSA 
algorithms will be where I break from them.  I hate their business practices, I 
hate their policies, and I hate their shortsighted mindset.

dsp

On Thursday, November 19, 1998 2:15 PM, Albert Etienne [SMTP:[EMAIL PROTECTED]] 
wrote:
> Maybe I haven't done my homework here, but.  I got everything installed
> and am trying to make sure I am in compliance with rsa's licensing for
> commercial profit use.
> As I read the agreement that came with the rsaref-2.0:
>
> WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
>
>  1.   RSAREF is free for personal or corporate use under the
>       following conditions:
>
>       o    RSAREF, RSAREF applications, and services based on
>            RSAREF applications may not be sold.
>
>       o    You must give RSA the source code of any free RSAREF
>            application you plan to distribute or deploy within
>            your company. RSA will make these applications
>            available to the public, free of charge.
>
>  2.   RSAREF applications and services based on RSAREF
>       applications may be sold under the following conditions:
>
>       o    You must sign and return the RSAREF Commercial License
>            Agreement to RSA (call RSA for a copy of this
>            agreement). Remember, RSAREF is an unsupported toolkit.
>            If you are building an application to sell, you should
>            consider using fully supported libraries like RSA's
>            BSAFE or TIPEM SDK's.
>
> So I call them up and they want $2,500 for the developer software
> package and then I can discuss licensing.  WHAT   Are they
> kidding me?
> The person I spoke to said the software that I already have can not be
> licensed.  I can get Covalent Raven with a license for $357.
> What's the deal?  Is everybody using rsaref-2.0 under the radar?  Or am
> I forced to use something like Raven?
>
> And I was feeling so good about getting this to work ;-)
>
> Ideas?
>
> [EMAIL PROTECTED]
>
> __
> Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
> Official Support Mailing List   [EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]




Re: rsa

1998-11-20 Thread Preston Brown

Basically, RSA has discontinued all support for their rsaref stuff, and
they wish it would just go away.  At least, this is how they are making it
appear to the outside world.

To really use RSA encryption in the US, you have to go with a third party
solution, such as Red Hat Secure Web Server, Roxen, Stronghold, Raven,
etc. etc. etc.

---
 -Preston Brown
  Red Hat Software, Inc.
  [EMAIL PROTECTED]




RE: rsa

1998-11-20 Thread Dave Paris

Just a pondering here, but in the -spirit- of the law (and probably not the 
letter), and given the fact that I'm not a lawyer, what if we (US developers) 
were to purchase a commercial solution, shelve it, then use that license in our 
own (individual) mod_ssl package?  We still have only one RSA implementation 
running, and we have a single RSA license.  That way, RSA has their licensing 
fees.

Logically, that makes sense to me, but US law only makes sense on rare 
occasions.
dsp

On Friday, November 20, 1998 1:16 AM, Preston Brown [SMTP:[EMAIL PROTECTED]] 
wrote:
> Basically, RSA has discontinued all support for their rsaref stuff, and
> they wish it would just go away.  At least, this is how they are making it
> appear to the outside world.
>
> To really use RSA encryption in the US, you have to go with a third party
> solution, such as Red Hat Secure Web Server, Roxen, Stronghold, Raven,
> etc. etc. etc.
>
> ---
>  -Preston Brown
>   Red Hat Software, Inc.
>   [EMAIL PROTECTED]
>




RE: rsa

1998-11-20 Thread Dan Roscigno


I am doing exactly this.  I contacted RSA to buy a license
to use RSA for my ssl webserver.  They told me that I needed
to buy a commercial server as their pricing is not setup for
small guys like me.  I then asked them if I could use the
"Advanced Crypto License" that came with RedHat Secure
WebServer with my setup (Apache+ssl at the time, now
mod_ssl) and they told me this was fine.  I contacted RedHat
and they told me that they were including the "Advanced
Crypto License" with the server.  I ordered the RedHat
product, and just popped it on the shelf.

By the way, the server is available from www.cheapbytes.com
for only $79

Dan Roscigno  InterSoft Solutions, Inc.
[EMAIL PROTECTED]   http://issbase.com

> were to purchase a commercial solution, shelve it, then use that license in our 
> own (individual) mod_ssl package?  We still have only one RSA implementation 
> running, and we have a single RSA license.  That way, RSA has their licensing 
> fees.
> 
> Logically, that makes sense to me, but US law only makes sense on rare 
> occasions.
> dsp
> 
> On Friday, November 20, 1998 1:16 AM, Preston Brown [SMTP:[EMAIL PROTECTED]] 
> wrote:
> > Basically, RSA has discontinued all support for their rsaref stuff, and
> > they wish it would just go away.  At least, this is how they are making it
> > appear to the outside world.
> >
> > To really use RSA encryption in the US, you have to go with a third party
> > solution, such as Red Hat Secure Web Server, Roxen, Stronghold, Raven,
> > etc. etc. etc.
> >





Re: rsa

1998-11-20 Thread Ralf S. Engelschall


In article <> you wrote:

> I am doing exactly this.  I contacted RSA to buy a license to use RSA for my
> ssl webserver.  They told me that I needed to buy a commercial server as
> their pricing is not setup for small guys like me.  I then asked them if I
> could use the "Advanced Crypto License" that came with RedHat Secure
> WebServer with my setup (Apache+ssl at the time, now mod_ssl) and they told
> me this was fine.  I contacted RedHat and they told me that they were
> including the "Advanced Crypto License" with the server.  I ordered the
> RedHat product, and just popped it on the shelf.

> By the way, the server is available from www.cheapbytes.com
> for only $79

This is really interesting news for the US citizens who want to use the
plain Apache+mod_ssl package. Can someone verify this approach, too?  If it's
both legal for you US citizens and accepted by all parties (RSA DSI and RH) we
should add this information to the mod_ssl FAQ. Because this is mostly FAQ#1
for US citizens...
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: rsa

1998-11-20 Thread Albert Etienne

Dave,

It would appear that great minds think alike :-).  I have already ordered my
Raven, too bad I will never use it.  However it was a hard sell to my manager, and
I dread the thought of legal getting wind.  Besides, if you whack the build dirs,
how can they tell what you are using anyway?  Would they even look any further in
an audit if you had a commercial product with a license?  I think not.  And I can
certainly live with the morally questionable issues here.

cheers,
al

Dave Paris wrote:

> Just a pondering here, but in the -spirit- of the law (and probably not the
> letter), and given the fact that I'm not a lawyer, what if we (US developers)
> were to purchase a commercial solution, shelve it, then use that license in our
> own (individual) mod_ssl package?  We still have only one RSA implementation
> running, and we have a single RSA license.  That way, RSA has their licensing
> fees.
>
> Logically, that makes sense to me, but US law only makes sense on rare
> occasions.
> dsp
>
> On Friday, November 20, 1998 1:16 AM, Preston Brown [SMTP:[EMAIL PROTECTED]]
> wrote:
> > Basically, RSA has discontinued all support for their rsaref stuff, and
> > they wish it would just go away.  At least, this is how they are making it
> > appear to the outside world.
> >
> > To really use RSA encryption in the US, you have to go with a third party
> > solution, such as Red Hat Secure Web Server, Roxen, Stronghold, Raven,
> > etc. etc. etc.
> >
> > ---
> >  -Preston Brown
> >   Red Hat Software, Inc.
> >   [EMAIL PROTECTED]
> >




RE: rsa

1998-11-20 Thread Dave Paris

The big question in my mind:
Do you have the "okie dokie" from RSA -in writing-?!?  If so .. folks we have a 
light at the end of the (formerly) Very Dark Tunnel (tm).

dsp

On Friday, November 20, 1998 10:17 AM, Ralf S. Engelschall 
[SMTP:[EMAIL PROTECTED]] wrote:
>
> In article <> you wrote:
>
> > I am doing exactly this.  I contacted RSA to buy a license to use RSA for my
> > ssl webserver.  They told me that I needed to buy a commercial server as
> > their pricing is not setup for small guys like me.  I then asked them if I
> > could use the "Advanced Crypto License" that came with RedHat Secure
> > WebServer with my setup (Apache+ssl at the time, now mod_ssl) and they told
> > me this was fine.  I contacted RedHat and they told me that they were
> > including the "Advanced Crypto License" with the server.  I ordered the
> > RedHat product, and just popped it on the shelf.
>
> > By the way, the server is available from www.cheapbytes.com
> > for only $79
>
> This is really interesting news for the US citizens who want to use the
> plain Apache+mod_ssl package. Can someone verify this approach, too?  If it's
> both legal for you US citizens and accepted by all parties (RSA DSI and RH) we
> should add this information to the mod_ssl FAQ. Because this is mostly FAQ#1
> for US citizens...
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com




RE: rsa

1998-11-20 Thread Preston Brown

On Fri, 20 Nov 1998, Dave Paris wrote:

> Just a pondering here, but in the -spirit- of the law (and probably
> not the letter), and given the fact that I'm not a lawyer, what if we
> (US developers)  were to purchase a commercial solution, shelve it,
> then use that license in our own (individual) mod_ssl package?  We
> still have only one RSA implementation running, and we have a single
> RSA license.  That way, RSA has their licensing fees.

Probably easier to wait until the patent runs out.  It isn't too far off.

---
  Preston Brown  
  Red Hat Software, Inc. 
  [EMAIL PROTECTED]  




Re: rsa

1998-11-20 Thread Ralf S. Engelschall

On Fri, Nov 20, 1998, Preston Brown wrote:

> On Fri, 20 Nov 1998, Dave Paris wrote:
> 
> > Just a pondering here, but in the -spirit- of the law (and probably
> > not the letter), and given the fact that I'm not a lawyer, what if we
> > (US developers)  were to purchase a commercial solution, shelve it,
> > then use that license in our own (individual) mod_ssl package?  We
> > still have only one RSA implementation running, and we have a single
> > RSA license.  That way, RSA has their licensing fees.
> 
> Probably easier to wait until the patent runs out.  It isn't too far off.

RSA's patent expires on September 20, 2000. This is in two years, Preston. And
two years in real life is a long time on the web... In the meantime a
compromise seems to be reasonable. 

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: rsa

1998-11-20 Thread Dan Roscigno


I have just emailed RSA asking them to "put it in writing."
Whatever I get back will go directly to Ralf.

Dan Roscigno  InterSoft Solutions, Inc.
[EMAIL PROTECTED]   http://issbase.com

On Fri, 20 Nov 1998, Dave Paris wrote:

> The big question in my mind:
> Do you have the "okie dokie" from RSA -in writing-?!?  If so .. folks we have a 
> light at the end of the (formerly) Very Dark Tunnel (tm).
> 
> dsp
> 
> On Friday, November 20, 1998 10:17 AM, Ralf S. Engelschall 
> [SMTP:[EMAIL PROTECTED]] wrote:
> >
> > In article <> you wrote:
> >
> > > I am doing exactly this.  I contacted RSA to buy a license to use RSA for my
> > > ssl webserver.  They told me that I needed to buy a commercial server as
> > > their pricing is not setup for small guys like me.  I then asked them if I
> > > could use the "Advanced Crypto License" that came with RedHat Secure
> > > WebServer with my setup (Apache+ssl at the time, now mod_ssl) and they told
> > > me this was fine.  I contacted RedHat and they told me that they were
> > > including the "Advanced Crypto License" with the server.  I ordered the
> > > RedHat product, and just popped it on the shelf.
> >
> > > By the way, the server is available from www.cheapbytes.com
> > > for only $79
> >





Re: rsa

1998-11-20 Thread Jake Buchholz

On Thu, Nov 19, 1998 at 01:14:39PM -0600, Albert Etienne wrote:
> Maybe I haven't done my homework here, but.  I got everything installed
> and am trying to make sure I am in compliance with rsa's licensing for
> commercial profit use.

[out of date rsaref-2.0 text removed]

> So I call them up and they want $2,500 for the developer software
> package and then I can discuss licensing.  WHAT   Are they
> kidding me?

It's hard to tell.  Some time ago, I reported here the results of my
endeavors to find out just how much licensing of BSAFE would cost
ExecPC...  At the time, I was told that the BSAFE development libs
for Linux would be $295 (v3.0, that is--v4.0 wasn't available, and
probably won't be until someone with lots of $$$ convinces RSA to do
the work) and that there were a number of licensing options: an annual
royalty or a flat per-user buyout.  Not a big fan of recurring license
costs, I asked about the flat buyout.  100 users = $3000, 250 = $4000,
etc.  I asked whether it applied to the servers we were running, or
to our virtual hosted customers, and the answer (again, at the time)
was a virtual hosted customer was considered a user.  Not that
terrible of a deal.

So, I went ahead, bought the libraries, got it to work with mod_ssl, and
got some other things done for the server.  I was just about ready to
bring it into production when I called RSA again (the very same person,
no less) to go ahead and get the licenses.  Someone must have chewed
her out about something, because the story was all different.  She tried
to tell me now that a 'user' meant any connection that used the RSA
libraries!  That's 1 user per hit, or at least 1 user per any IP that
talks SSL to the server...  EVER!

After trying to get her to understand the situation and how silly that
kind of a scheme is in the world of serving secure HTML, we explored the
royalty option.  Basically, you pre-pay some amount (I think the _minimum_
was $25,000), and then a certain percentage (1% or so) of what you charge
your customer per quarter is deducted from that initial pre-pay.  Once
that money's been spoken for, then you start paying quarterly.  I pretty
much knew that this kind of arrangement was going to be very difficult to 
sell to the people who hold the purse strings here...  Especially since
the RedHat Secure Server's under $100.

While I had her on the phone I asked her what kind of deal RedHat,
Stronghold, and other companies had.  Of course, she couldn't give me
the details, but indicated that they'd paid a very large sum of money
for their resale licensing rights...  I asked if there was anything
keeping me from buying a RedHat server for the license, shelving it,
and applying the RSA license to mod_ssl, and the response I got gave
me the feeling that there really wasn't anything preventing me from
doing that.

-- 
Jake Buchholz http://www.execpc.com/~jake
ExecPC Senior Systems Administrator   [EMAIL PROTECTED]



Re: rsa

1998-11-20 Thread Ralf S. Engelschall

On Fri, Nov 20, 1998, Dan Roscigno wrote:

> I have just emailed RSA asking them to "put it in writing."
> Whatever I get back will go directly to Ralf.
>[...]

And I've sent a mail from me to them, too. In this I gave them a little bit
more information about mod_ssl and me and described the most important
questions for which we need an RSA DSI answer: 1. Is it ok to apply the bought
license to a different package and 2. which RSA-code has to be used (the one
from BSAFE, or from RSAref, or from SSLeay).  Now I'm very curious about the
response.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: rsa

1998-11-20 Thread Whit Blauvelt

 Hopefully Dan Roscigno's account is correct, and RSA will be satisfied as
 long as one has a license for a commercial product such as Red Hat's
 (which comes with that $25 Thawte discount too - so the price is quite
 reasonable). 

 Meanwhile, folks may wish to note the Apache "ServerTokens" directive,
 which when set to "min" or "os" (in httpd.conf) will cause Apache to not
 send information on the installed modules with every HTTP request, instead
 just announcing itself as "Apache 1.3.3" or "Apache 1.3.3 (Unix),"
 respectively. With all respect to the good name of module authors, and
 their generous contributions, giving away details on your installation
 beyond the minimum is bad security practice anyway.

 Are there other steps that should be taken if one - having a valid RSA
 license but wanting to avoid inviting trouble about it - should take to be
 sure one's signature is not giving off notice of the exact configuration
 being run? Should, for instance, certain protocols not be enabled in an
 application to avoid the remote deduction of the precise configuration
 being run?


 \/\/ I-I I T 
 Blauvelt
 [EMAIL PROTECTED]
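
The ServerTokens effect described in the post above can be checked from the Server header a host actually returns. This is an added example, not part of the original post or of Apache/mod_ssl: the function names, the host names and the sample header values (including the module version numbers) are constructed for illustration.

```python
import re

# RFC 7231 "token" characters, used for product names and versions alike.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")
_COMMENT = re.compile(r"\(([^()]*)\)")


def parse_server_header(value):
    """Split a Server header value into product tokens and comments."""
    products, comments, pos = [], [], 0
    while pos < len(value):
        if value[pos] in " \t":
            pos += 1
            continue
        m = _COMMENT.match(value, pos)
        if m:
            comments.append(m.group(1).strip())
        else:
            m = _PRODUCT.match(value, pos)
            if m is None:
                raise ValueError(
                    f"unparseable Server header at offset {pos}: {value!r}")
            products.append((m.group(1), m.group(2)))
        pos = m.end()
    return products, comments


def disclosure_level(value):
    """Classify how much a Server header gives away.

    "min" and "os" correspond to the two ServerTokens settings named in
    the post; "full" means additional product tokens (modules, crypto
    library) follow the server's own token.
    """
    products, comments = parse_server_header(value)
    if not products:
        return "none"
    if len(products) > 1:
        return "full"
    if comments:
        return "os"
    return "min" if products[0][1] else "product-only"


def leaked_modules(value):
    """Return every product token after the first (the server itself)."""
    products, _ = parse_server_header(value)
    return [n if v is None else f"{n}/{v}" for n, v in products[1:]]


def audit(observed, allowed=("product-only", "min", "os")):
    """Return (host, level, leaked tokens) for hosts above the allowed level."""
    findings = []
    for host, header in observed.items():
        level = disclosure_level(header)
        if level not in allowed:
            findings.append((host, level, leaked_modules(header)))
    return findings


# Constructed sample data: header values as three hypothetical hosts
# might return them. None of these are captured from real servers.
SAMPLE = {
    "www.example.test": "Apache/1.3.3 (Unix) mod_ssl/2.1.0 SSLeay/0.9.0b",
    "shop.example.test": "Apache/1.3.3 (Unix)",
    "intranet.example.test": "Apache/1.3.3",
}

if __name__ == "__main__":
    for host, level, leaked in audit(SAMPLE):
        print(f"{host}: level={level} discloses {', '.join(leaked)}")
```
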




Re: rsa

1998-11-20 Thread Ralf S. Engelschall

On Fri, Nov 20, 1998, Jake Buchholz wrote:

> [...] 
> While I had her on the phone I asked her what kind of deal RedHat,
> Stronghold, and other companies had.  Of course, she couldn't give me
> the details, but indicated that they'd paid a very large sum of money
> for their resale licensing rights...  I asked if there was anything
> keeping me from buying a RedHat server for the license, shelving it,
> and applying the RSA license to mod_ssl, and the response I got gave
> me the feeling that there really wasn't anything preventing me from
> doing that.

Fine. And when we can get such a statement on paper from RSA DSI
the problem is solved...
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: rsa

1998-11-20 Thread Ralf S. Engelschall

On Fri, Nov 20, 1998, Whit Blauvelt wrote:

>  Hopefully Dan Roscigno's account is correct, and RSA will be satisfied as
>  long as one has a license for a commercial product such as Red Hat's
>  (which comes with that $25 Thawte discount too - so the price is quite
>  reasonable). 
> 
>  Meanwhile, folks may wish to note the Apache "ServerTokens" directive,
>  which when set to "min" or "os" (in httpd.conf) will cause Apache to not
>  send information on the installed modules with every HTTP request, instead
>  just announcing itself as "Apache 1.3.3" or "Apache 1.3.3 (Unix),"
>  respectively. With all respect to the good name of module authors, and
>  their generous contributions, giving away details on your installation
>  beyond the minimum is bad security practice anyway.
> 
>  Are there other steps that should be taken if one - having a valid RSA
>  license but wanting to avoid inviting trouble about it - should take to be
>  sure one's signature is not giving off notice of the exact configuration
>  being run? Should, for instance, certain protocols not be enabled in an
>  application to avoid the remote deduction of the precise configuration
>  being run?

Perhaps you also want to disable mod_info...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: RSA

1998-12-12 Thread Brad Waite

Hello all.  Just joined the list, but thought I'd put in my 2 sense
about RSA.

Back before I grew a brain and migrated to Apache, I was running several
Netscape Enterprise servers on an intranet and wanted to keep traffic to
it private.  Being the low-level gumby that I am, I knew that my
superiors (?) wouldn't approve the $$ for a server certificate.

In steps SSLeay.

Got everything humming along within a day or so when the licensing issue
hit me.  Let me say that my first inclination was to drop any RSA
algorithms and use DSA, but IE didn't support it.  So I called RSA and
told them I wanted to license their encryption algorithms.  After being
transferred half a dozen times, I got to someone who tried to tell me
that I had to buy support for the BSafe dev kit.  I told them, no, and
they finally fessed up that I could just license the algorithms that
were being used by SSLeay.

Now the issue was which kind of licensing.  The cheapest option was to
get a 1-5 machine license at $3000 for a year or $6000 for life.  Kinda
curious how the lifetime license is the same as ( yearly license *
number of years left in the patent).  Anywho, since all I wanted to do
was create certificates for existing NS servers, we agreed that even
though I might have 200 servers and 1M clients on those servers, the
only licensing issues were concerning the creation of the certificates. 
This is because NS has already licensed the RSA algorithms for the
servers and the browsers.  The only unlicensed use of the algs was in
signing the server certificate requests.  Since I only needed one
machine to do this, I could get the 1-5 machine license.  Never got
around to it though.

Since I've been migrating to Apache, I've been looking at Raven by
Covalent Tech, which is apparently derived from mod_ssl.  Their license
(including RSA) is under $400 for life.  According to one of the
Covalent people, the license that comes with Raven entitles the user to
generate/sign certificates, but I don't know if it would carry over to
the use of SSLeay/mod_ssl on multiple servers.  I'm hoping to get the
RSA part of the license text to verify its agreement.

Kind of long winded for a first post, but I figured maybe someone else
could benefit from the days I spent fighting the issue.

-Brad Waite



Re: rsa licensing

1999-02-18 Thread Ralf S. Engelschall

On Thu, Feb 18, 1999, Chris Myers wrote:

> A while ago on this list there was some discussion as to buying RedHat
> Secure server and shelving it so you had a license to use rsaref.
> 
> did it come to a concrete conclusion?

Please read the file README.Patents for the summary of the topic.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: rsa licensing

1999-02-19 Thread Alan Strassberg

On Thu, Feb 18, 1999 at 04:59:53AM -0500, Chris Myers wrote:
> A while ago on this list there was some discussion as to buying RedHat
> Secure server and shelving it so you had a license to use rsaref.
> 
> did it come to a concrete conclusion?

I asked RSA that specific question and the answer was "no".
Note this was for commercial use of mod_ssl within the U.S.

The message I received is below.

Seems like an opportunity for someone to sell "licenses".
Or wait until next Sept when the patent expires.

alan

From: Chip Davis <[EMAIL PROTECTED]>
Subject: RE: RSA Licensing Information
Date: Fri, 15 Jan 1999 16:07:41 -0800

No, the license agreements with companies such as Red Hat and C2Net apply
only to their products, not Apache+mod_ssl. We get countless requests like
yours, but we cannot legally allow use of Apache, mod_ssl, or RSAREF. (The
licensing text found with RSAREF is outdated and no longer valid.)

There are currently other companies in discussions with RSA for providing
licensed, commercial  versions of Apache+mod_ssl but this would also only
apply to those specific products. While those products may be posted for
download on the Internet, RSA licensing would not apply to any and all
freeware source code.

We would like to help you any way we can. Let me know if you are interested
in licensing or purchasing source code.

Regards,

Chip Davis




Re: RSA or DSA certificate

2000-08-28 Thread Mads Toftum

On Tue, Aug 29, 2000 at 12:42:54PM +0800, Mark Lo wrote:
> I would like to know the difference between DSA or RSA certificate.  and which
> one should I use?

RSA is the thing to use if you want it to work with netscape and msie.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: RSA released into Public domain

2000-09-06 Thread Ralf S. Engelschall

On Wed, Sep 06, 2000, James Ford wrote:

> http://www.rsasecurity.com/news/pr/000906-1.html
> 
> RSA Security Releases RSA Encryption Algorithm into Public Domain 
> 
> BEDFORD, Mass., September 6, 2000 -- RSA Security Inc. (NASDAQ: RSAS)
> today announced it has released the RSA public key encryption algorithm
> into the public domain, allowing anyone to create products that
> incorporate their own implementation of the algorithm. This means that RSA
> Security has waived its rights to enforce the patent for any development
> activities that include the RSA algorithm occurring after September 6,
> 2000.

ROTFL aren't they nice? They really do everything to get out a press
release, even if the action they announce is a null-action. AFAIK after the
patent expires officially on September 20, the RSA algorithm automatically
becomes owned by the "public domain", with and without RSA DSI's blessing.
Or do I miss some important point here?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: RSA released into Public domain

2000-09-06 Thread Rich Salz

> Or do I miss some important point here?

They could have waited and they didn't.
It's also now abundantly clear to everyone what the status is.
And the press release headline was very cute.
And they're giving away free t-shirts.
And boy, do these types of communities (cryptography, openssl, etc)
really look a gift horse in the mouth.  Sheesh.
/r$



Re: RSA released into Public domain

2000-09-06 Thread Patrick Hawley

"Ralf S. Engelschall" wrote:
> ROTFL aren't they nice? They really do everything to get out a press
> release, even if the action they announce is a null-action. AFAIK after the
> patent expires officially on September 20, the RSA algorithm automatically
> becomes owned by the "public domain", with and without RSA DSI's blessing.
> Or do I miss some important point here?

I see their action as a sign that everyone should feel at ease about the
RSA business from now on. There have been a few posts lately
wondering what will happen on the 20th, and this announcement can now put
all of that to rest...and a couple of weeks early, no less!

I don't feel as though RSA are the cat's pajamas for this 2 week
reprieve, but it's nice (certainly for their sake as well) that they put
out a press release 'officially releasing' it into the public
domain...they could have kept quiet about it and instead they do their
best to put a positive spin on the situation.

My $0.02,
Patrick



Re: RSA released into Public domain

2000-09-06 Thread Mads Toftum

On Wed, Sep 06, 2000 at 05:35:00PM +0200, Ralf S. Engelschall wrote:
> 
> ROTFL aren't they nice? They really do everything to get out a press
> release, even if the action they announce is a null-action. AFAIK after the
> patent expires officially on September 20, the RSA algorithm automatically
> becomes owned by the "public domain", with and without RSA DSI's blessing.
> Or do I miss some important point here?

I'm guessing that a "really smart marketing droid"[1] got the really smart
idea that they should try to get some positive press out of something that
they probably haven't sold for quite a while. Buying a license from them
during the last couple of weeks would make about as much sense as setting
fire to your $100.000+ ... except setting fire to that money would at least
have kept you warm for a couple of minutes ;-)
But at least there are a couple of nice things in their press release ...
next time somebody asks about that patent, we've got a URL to throw at them
and they are giving away free t-shirts ;-)

[1] yeah, I know, there is no such thing as a "really smart marketing droid" ;-)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: RSA -> DSA, 3DES -> IDEA, MD5 -> SHA1

1999-10-01 Thread Ralf S. Engelschall

On Wed, Sep 29, 1999, Fabrizio Pivari wrote:

> I've read the FAQ and I was able to test SSL and Client-Authentication.
> The documentation is very good and explains how to generate all the
> certificates with RSA, 3DES, MD5
> 
> Is it possible to use
> DSA, IDEA, SHA1 ?
> 
> Could you explain to me the command I need to use?

The certificates are not created with "RSA, 3DES, MD5".  What you mean is
certainly that you use ciphers at run-time which are based on RSA/3DES/MD5
and that you now also want to use DH/IDEA/SHA1, right?  Then you've to
generate a DSA based certificate ("make certificate ALGO=DSA" is your friend)
and reference this instead or (better) in addition to the RSA cert/key pair.
Then the DH ciphers magically start to work ;)

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
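
The setup described in the reply above, as an added example that is not part of the original post or of mod_ssl: it builds a self-signed RSA pair and a DSA pair with plain `openssl` commands rather than the `make certificate ALGO=DSA` target, checks each key against its certificate, and prints the directives that reference both pairs. The hostname, file names and validity period are constructed.

```shell
#!/bin/sh
# Added example: hostname, file names and validity period are constructed.
set -eu

# make_pair KIND DIR: write server-KIND.key and a self-signed server-KIND.crt.
make_pair() {
    kind=$1
    dir=$2
    key="$dir/server-$kind.key"
    crt="$dir/server-$kind.crt"
    case $kind in
        rsa) openssl genrsa -out "$key" 2048 2>/dev/null ;;
        dsa) # DSA needs domain parameters before the key itself
             openssl dsaparam -out "$dir/dsa.param" 2048 2>/dev/null
             openssl gendsa -out "$key" "$dir/dsa.param" 2>/dev/null ;;
        *)   echo "unknown algorithm: $kind" >&2; return 1 ;;
    esac
    openssl req -new -x509 -sha256 -days 30 -key "$key" \
        -subj "/CN=www.example.test" -out "$crt"
}

# cert_key_algo CRT: print the certificate's public key algorithm.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# key_matches_cert KEY CRT: succeed only if both hold the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

workdir=$(mktemp -d)
for a in rsa dsa; do
    make_pair "$a" "$workdir"
    key_matches_cert "$workdir/server-$a.key" "$workdir/server-$a.crt"
    echo "server-$a.crt: $(cert_key_algo "$workdir/server-$a.crt")"
done

# One RSA and one DSA pair referenced side by side in the same virtual host:
cat <<EOF
SSLCertificateFile    $workdir/server-rsa.crt
SSLCertificateKeyFile $workdir/server-rsa.key
SSLCertificateFile    $workdir/server-dsa.crt
SSLCertificateKeyFile $workdir/server-dsa.key
EOF
```

TLS 1.3 has no DSA signature schemes and current browsers no longer accept DSA certificates, so the DSA pair is useful only for reproducing the configuration discussed in this 1999 thread.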



Re: RSA WebAgent5.1 and Apache 1.3.26 not 1.3.27?

2003-02-23 Thread Cliff Woolley

On Tue, 18 Feb 2003, Ron Rough wrote:

> I would like to get the technical reason for
> this. I know of someone who installed the
> WebAgent.tar file from your web site and
> it worked with the latest versions of
> Apache and mod_ssl.

WebAgent.tar would have been downloaded from
http://www.rsasecurity.com/go/apacheagent/, not from
http://www.modssl.org/.  If you're having a problem
with WebAgent, contact RSA, not the mod_ssl group.

--Cliff