Re: RSA Security and Red Hat, Inc. Sign Licensing Agreement
After about 2 weeks worth of research (talking to this list, RSA, our lawyers, etc) I found that if you're a company in the US, and you want SSL to talk to IE or Netscape, you have to either:

- Break the law, or
- Buy a license from RSA (very expensive), or
- Buy a commercial SSL implementation (not cheap, but about 100 times cheaper than getting a license from RSA)

Using only des/des3 won't work because you need a PK algorithm to exchange the des/des3 keys.

-- 
Aaron Turner [EMAIL PROTECTED]   650.237.0300 x252
Security Engineer, Vicinity Corp.   Cell: 408-314-9874   Pager: 650-317-1821
http://www.vicinity.com

On Wed, 24 Nov 1999, Tim Riker wrote:

> OK, so what is a distributor to do? ;-)
>
> In short: Is it possible to build OpenSSL without any code that is patent infringed, and still have it talk to Netscape and M$IE?
>
> What if I did:
>
>   ./Configure --prefix=/usr --openssldir=%{openssldir} linux-elf \
>       no-bf no-idea no-rc2 no-rc4 no-rc5 no-rsa no-sha
>
> to get just des/des3, is that enough? (the astute will notice that this will not build, but hey)
>
> It should be ok to leave in blowfish, but M$IE/Netscape do not have blowfish anyway, right?

__
OpenSSL Project                     http://www.openssl.org
User Support Mailing List           [EMAIL PROTECTED]
Automated List Manager              [EMAIL PROTECTED]
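The point made above (a des/des3-only build still needs a public-key algorithm) can be checked against the suite table OpenSSL itself prints with `openssl ciphers -v`, where every line names a key-exchange (Kx=) and authentication (Au=) algorithm alongside the symmetric cipher. The parser below is an added example, not code from the thread or from OpenSSL; its sample lines are constructed in that command's output format, and on a real system you would feed it the actual command output instead.

```python
"""Parse `openssl ciphers -v` output and show which public-key algorithm
each suite relies on. Added example; the sample output is constructed."""
import re
from collections import defaultdict

# Constructed sample in the `openssl ciphers -v` layout:
# NAME  PROTOCOL  Kx=<key exchange>  Au=<authentication>  Enc=<cipher>  Mac=<mac>
SAMPLE_CIPHERS_V = """\
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
"""

_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text):
    """Return one dict per suite line; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def suites_avoiding(suites, algorithm):
    """Suites whose key exchange AND authentication avoid `algorithm`
    (e.g. "RSA"): what a build configured with no-rsa could still offer."""
    return [s["name"] for s in suites
            if algorithm not in s["kx"] and algorithm not in s["au"]]


def public_key_dependencies(suites):
    """Map each public-key algorithm to the suites needing it for key
    exchange or authentication. Every suite lands in at least one list:
    the symmetric cipher in Enc= never stands alone."""
    deps = defaultdict(list)
    for s in suites:
        for alg in {s["kx"], s["au"]} - {"None"}:
            deps[alg].append(s["name"])
    return dict(deps)


if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE_CIPHERS_V)
    for alg, names in sorted(public_key_dependencies(suites).items()):
        print(f"{alg:4} needed by: {', '.join(names)}")
    print("usable without RSA:", suites_avoiding(suites, "RSA"))
```

On the sample, the only 3DES suites free of RSA are the DH ones (DSS-signed or anonymous), which the reply above says the commercial browsers of the day did not implement.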
Re: What US companies need to know about RSA
On Tue, 21 Sep 1999, Terrell Larson wrote:

> Aaron,
>
> My opinion on this is as follows (I'm not a lawyer but I've hired a few for opinions).
>
> If you end up breaching the licence then RSA will have the right to revoke it from your company without compensation and secondly - they will have the right to refuse to sell you a new license in which case your company will have to stop using any and all products covered under the license AND they can sue you for damages - whatever they may be.

That would suck. All my firewalls use RSA, my SecurID server does too. Oh, so do our HTTPS servers. PGP uses RSA too. Impact? I've lost my ability to do business with my customers. All of a sudden I lost a job. Oops.

> It will cost THEM between 50,000 and 100,000 to fight the case and it will cost your company between 50,000 and 100,000 to defend itself - unless your company is smart and just says - "Let's go talk to a judge" in which case it can be done for probably 10,000. But lawyers don't like to stand in front of a judge - they would rather spend the customer's $$$ talking to other lawyers and negotiating because then they are still in control.

Yep, lots of $$$. But their license is very strong, so they know they'd win and likely recoup and then some.

> Ok, in the end if your company loses it would have to probably compensate for costs and pay damages which might reasonably be assessed at say $1.00.

Direct monetary damages, yes. But losing the ability to use any product which uses the RSA algorithm would have horrific impacts on my company.

> Now - the RSA patent expires in about a year I believe and if you are using OpenSSL my understanding is that you "might" be breaching their patent. But this patent probably has never been defended in court and therefore may in fact not be valid. The USA PTO is guilty of issuing thousands of trivial and therefore invalid patents... but it costs about 100,000 in legal fees to get a court to declare a patent is invalid and most people don't think it is worth the trouble.

Agreed. Why fight a patent lawsuit, when I can buy a $1,000 product to solve my problem?

> OK... bottom line is use something like Blowfish - it is not covered by patent and is probably just fine. A year from now you can switch to RSA if you feel the urge to do so.

Nope. Blowfish is a symmetric algorithm (shared secrets) while RSA is a public key. They serve two very different functions in SSL. I could use DHA, which is available for free and is public key, but nobody in the commercial world implements it.

> Note: I doubt very much that RSA would bother to sue your company for patent infringement because they need to demonstrate damages and if you are not selling a product in competition with them they

Damages = loss of revenue for them.

> will have a very hard time demonstrating any damages. Therefore it is firstly unlikely they will waste their time on it and secondly the courts have a rule of not dealing with trivia and probably would refuse to hear the case anyway. Finally, if you had not bothered to phone RSA they would not know or care about it anyway.

Probably not. But is it a risk worth taking? Not in my case.

> In any event, if I were your manager I would be asking why you are spending company time and why we were paying you to waste lawyers' time and piss off the RSA people over trivial matters which can be avoided.

As a matter of fact, my manager was very happy and impressed with my thoroughness in the matter. Any manager who gets pissed off at someone for doing a thorough job shouldn't be managing anything bigger than an ant farm IMHO.

> Even if RSA were to complain - your defense could be "sorry, we'll remove that... no harm done." Now, if you were

Oh, yeah, the "Ignorance is bliss" defense. That's *real* effective.

> selling a commercial product, and or real financial damages to RSA could result - then the situation might be different and it would make sense to be cautious.

What world do you live in? Ever hear of software audits? RSA may choose to make an example out of us. And knowing the US court system, I'd probably lose and lose big. But who knows?

I do know that it is my responsibility that if I suggest the company use a product, they understand the risks of doing so. If our lawyers say we can take that risk, then fine, but it's not my position, responsibility, or job to make those decisions; and frankly I wouldn't want to.

Lastly, Keven called me back and apologized for his earlier conversation with me.

-- 
Aaron Turner, Security Engineer, Vicinity Corp.
Re: What US companies need to know about RSA
On Mon, 20 Sep 1999, Dave Neuer wrote:

> -----Original Message-----
> From: Aaron D. Turner [EMAIL PROTECTED]
> To: Stunnel Maillist [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Friday, September 17, 1999 5:43 PM
> Subject: What US companies need to know about RSA
>
> > After a lot of research and talking with people from the Stunnel and OpenSSL lists, and 3 phone calls to RSA itself, I've learned far more than I ever wanted to know about RSA's patent and licensing. [Contrary to the last person who posted on this list, I found both Stunnel and OpenSSL lists very informative.] I figured there were a lot of people out there who would benefit from this info. Of course if you see any errors, feel free to let me know. Maybe I can get this added to some FAQ?
>
> I've suggested this before too, but the closer we get to September 2000, the less urgent it seems. Still though, it's a very common question.
>
> > Basically, all I wanted to do is run a generic SSL reverse proxy for a number of services/hosts. I also wanted Client Certificates for added security. All this was for internal use only type stuff like IMAP and secure access to internal web servers for my employees. None of this is stuff that I make any money off of directly, i.e. I'm not trying to sell anything with SSL or RSA in it.
>
> If this is the case (i.e., it's not part of a product or service you sell), why not just use RSARef? You can't get it from RSADSI any more, but you can still get it, and the license would appear to permit this. [disclaimer, I'm not a lawyer]

My understanding of the RSAref license does not support this. My understanding is that if I'm a corporate entity, I must license the RSA algorithm directly or indirectly from RSA Security. RSA also supported this conclusion in my phone conversations with them. The problem revolves around the fact that they see my use of RSA as an enabler in my efforts to make money. Hence I'm making money indirectly from RSA and they want a (big) cut of that profit.

-- 
Aaron Turner, Security Engineer, Vicinity Corp.
What US companies need to know about RSA
After a lot of research and talking with people from the Stunnel and OpenSSL lists, and 3 phone calls to RSA itself, I've learned far more than I ever wanted to know about RSA's patent and licensing. [Contrary to the last person who posted on this list, I found both Stunnel and OpenSSL lists very informative.] I figured there were a lot of people out there who would benefit from this info. Of course if you see any errors, feel free to let me know. Maybe I can get this added to some FAQ?

Basically, all I wanted to do is run a generic SSL reverse proxy for a number of services/hosts. I also wanted Client Certificates for added security. All this was for internal use only type stuff like IMAP and secure access to internal web servers for my employees. None of this is stuff that I make any money off of directly, i.e. I'm not trying to sell anything with SSL or RSA in it.

Anyways, I found out that:

SSLv3 supports numerous public-key encryption algorithms. However, most SSL clients only support RSA for public-key. So basically, unless you use RSA, you can't talk SSL to 99% of the world.

If you are a U.S. company, you must somehow purchase a license for RSA[3]. If you purchase a piece of software (like Stronghold) that includes the RSA library, it will include an applicable license for RSA. Basically C2Net (the "author" of Stronghold) purchases a RSA license and then is allowed to distribute the RSA library with their product. This RSA library license that you receive with Stronghold, etc, can not be legally transferred to another piece of software, because the license requires you to use the RSA approved implementation of the RSA algorithm. The other option is to license the RSA library directly from RSA and link your software to that.

To license RSA for use with OpenSSL/Stunnel for my "internal use only" purposes would cost me *at least* ONE HUNDRED THOUSAND DOLLARS. Basically they wanted .075% of my company's revenue, and that this $100K was just the DOWN PAYMENT. Your pricing may vary, but the sales rep indicated that this was what they charged everyone.

Or, I could go out and buy one of the commercial[1] Stunnel-like implementations for about $1,000 per SSL proxy server.

Or, I could just be illegal and download the RSAref[2] library and link that with OpenSSL/Stunnel. And on Aug. 20th, 2000, when the RSA patent expires, I'd be legal. (Though potentially liable for past unlicensed use.)

So my options were:

1) Pay nothing, use RSAref with OpenSSL and be illegal.
2) Pay about $3,000 for some closed-source software that didn't have all the features of the Open Source equivalent.
3) Pay at least $100,000 to use OpenSSL.

Patents suck.

1) C2 Net's SafePassage Secure Tunnel http://www.c2net.com/
   Celocom's SSR Server http://www.celocom.com/
2) RSAref is an implementation of the RSA algorithm for non-commercial use in the U.S. http://www.rsa.com/
3) The RC5 algorithm is also patented and illegal to use in the US without the RSA license.

-- 
Aaron Turner, Security Engineer, Vicinity Corp.