Re: OpenSSL usage liability.
Well, if it's true, it would be useful for OpenSSL actually: US developers could export their applications built upon OpenSSL. Although I understand that they won't be able to contribute to the development of OpenSSL itself. But what is the percentage of people using OpenSSL vs. people coding OpenSSL after all?

Nicolas Roumiantzeff.

-Original Message-
From: Claudio M. Horvilleur Mtz. [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, November 26, 1999 04:15
Subject: Re: OpenSSL usage liability.

Not exactly right, the US are changing the export law, but we do need to ask for a permit if the end user is a part of a government agency. And as I understand, only 'retail' products can be exported. That means no SOURCES and no libraries, only applications that use cryptography. By the new rules, something like OpenSSL could not be exported from the US.

Claudio Horvilleur Cromasoft Mexico

Nicolas Roumiantzeff wrote:

US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

You mean next month (Dec 15, 1999).

Nicolas Roumiantzeff.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL usage liability.
Not exactly right, the US are changing the export law, but we do need to ask for a permit if the end user is a part of a government agency. And as I understand, only 'retail' products can be exported. That means no SOURCES and no libraries, only applications that use cryptography. By the new rules, something like OpenSSL could not be exported from the US.

Claudio Horvilleur Cromasoft Mexico

Nicolas Roumiantzeff wrote:

US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

You mean next month (Dec 15, 1999).

Nicolas Roumiantzeff.
Re: OpenSSL usage liability, RHSWS, and toothbrushes
Jeeze, boobie! Lighten UP!! There have been no court cases on the issue (are you a lawyer or a judge??), .. and your analogy to piece parts is invalid.

Quit giving bogus legal advice!

Lee

At 09:39 AM 11/18/99, you wrote:

-Original Message-
From: Leland V. Lammert [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, November 18, 1999 1:55 AM
Subject: Re: OpenSSL usage liability.

At 05:59 PM 11/17/99, you wrote:

snip

Another option - purchase the RedHat secure server for $149, and throw it away (retaining the license, of course). That way, you WOULD be legal with openssl.

Lee

Look at it this way: Manufacturer A patents a new bristle technology for toothbrushes. Manufacturer B makes a toothbrush using the same technology. Does buying a toothbrush from Manufacturer A give you a right to use Manufacturer B's toothbrush? US PATENT LAW SAYS NO! The only time you have a right to use Manufacturer B's toothbrush is if Manufacturer B licenses the patent from Manufacturer A. This is entirely independent of any relationship between the end customer and Manufacturer A.

I have seen this idea tossed around on this list and on the mod_ssl list, that somehow licensing RHSWS or Raven allows one to use *any* implementation of RSA. I personally don't see any factual or legal evidence to support this conclusion. It seems that with all of these products, (and with their crypto toolkits, too), RSA is licensing you "software", not rights to an algorithm. That software that they are licensing you happens to use their patented algorithm (which is certainly lawful, since they own the patent, and the software). You have a right to use the algorithm ONLY because you have a right to use the *software* that you licensed from them.

The license that comes with RHSWS 2.0 states at the top that the software "[is] protected by copyright *and other laws*. Title to these programs ... shall at all times remain with the aforementioned ..." (emphasis mine). The aforementioned the clause refers to are Red Hat Software and RSA Data Security, Inc. (now just RSA Security, Inc.). Subsequently in the RSA portion of the license agreement, it states: "The Software Programs include software licensed from RSA Data Security, Inc. ("RSA Software"). You may not modify, translate, reverse engineer, decompile, or disassemble the RSA Software or any part thereof, or otherwise attempt to derive the source code therefrom, and you shall not authorize any third party to do any of the foregoing. *Nothing in this Agreement grants you any rights, license, or interest with respect to the source code for the RSA Software*..." Again, the emphasis is mine.

Now, granted, this agreement does not specifically address the patent issue by name. However, I would say that the language of the agreement certainly expresses RSA's intent to limit the licensee's rights to use the "Software". Add that to the fact that, AFAIK, RSA has *never* licensed anyone to use their own implementation of RSA in the US (one must always license BSAFE), and I'd say even a lawyer (one of which I am not) would have a hard time arguing that buying RHSWS in any way grants you rights to use any other implementation of RSA's patented algorithms.

I actually had a conversation (via email) with Preston Brown of Red Hat, and he told me that the reason that they distribute RHSWS as a statically-linked binary only, with source just for the apache part (rather than with the crypto part as a binary DSO, so that the server could be recompiled, as some vendors do), is that their license with RSA prohibited it; it seems RSA wasn't keen on the idea that the user might have some discrete crypto lib lying around on their system that they could try to put to arbitrary uses.

I feel I must repeat, "I AM NOT A LAWYER." However, I'd suggest anyone adhering to the idea that licensing a particular RSA implementation gives them any rights to the algorithm itself go get one, because they may end up needing his/her service in court.

September 2000 can't come soon enough.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
www.futuristics.net

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist
Omnitec Corporation
Network/Internet Consultants
www.omnitec.net
Re: OpenSSL usage liability, RHSWS, and toothbrushes
With all due respect, Lee, I have not given any legal advice on the list except a little "word of caution". RSADSI has certainly sued people for infringement of their patents; though maybe not simple users of RSA.

It seems to me that you are the one on the list giving legal advice, namely advocating patent infringement. I don't personally care if you want to put your own company's financial stability (remember RSA Security's response to your message a month or so ago: "So your mother raised a thief?") in jeopardy, but please don't blithely suggest to others that US patent law and corporate patent attorneys are things that they can safely ignore. They may be: but is that a risk you feel comfortable advocating *others* to take with what may be their sole livelihood? Remember that damages in patent infringement lawsuits are tripled when the infringement was willful.

With regard to my legal analysis regarding algorithms and toothbrushes, yes it's a hokey analogy and as I stated several times, no I'm not a lawyer. But neither are you, Lee, correct? What's more, in his reply to my original message, Greg Broiles, A LAWYER, stated:

Well, I am a lawyer, and your conclusions are correct. The "buy one product and throw it away but 'keep the license'" theory is attractive but DOES NOT WORK IN THE UNITED STATES. If it did, there'd be no reason to buy any product at all - you could just use the license from a copy of Netscape or IE browsers, available for free, to legitimize your RSA/OpenSSL implementation. Does that pass the "common sense test"?

Again, I don't mean any disrespect at all, but this is at least the second time on this list that you've advised people that they really don't need to be concerned with whether or not they're violating some other company's patent rights. Your demeanor suggests that you don't take such things seriously (cf. your exhortation to me to "lighten up"), but my suggestion is that they should be taken seriously; that's all. I think that's reasonable.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
www.futuristics.net

-Original Message-
From: Leland V. Lammert [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, November 22, 1999 2:04 PM
Subject: Re: OpenSSL usage liability, RHSWS, and toothbrushes

Jeeze, boobie! Lighten UP!! There have been no court cases on the issue (are you a lawyer or a judge??), .. and your analogy to piece parts is invalid.

Quit giving bogus legal advice!

Lee
Re: OpenSSL usage liability, RHSWS, and toothbrushes
Sorry folks. The legal issues are 100 percent accurate. He is on the mark, and it's better that we listen than we challenge.

On Mon, 22 Nov 1999 09:45:51 -0600, Leland V. Lammert wrote:

Jeeze, boobie! Lighten UP!! There have been no court cases on the issue (are you a lawyer or a judge??), .. and your analogy to piece parts is invalid.

Quit giving bogus legal advice!

Lee
RE: OpenSSL usage liability.
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 19, 1999 1:33 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: OpenSSL usage liability.

dimrub> Sorry for being insufficiently explicit. The company in Swiss
dimrub> is going to have problems with US gov. not because they use
dimrub> encryption over the border, but because they use in Swiss
dimrub> software that does strong encryption that was developed in
dimrub> US. Namely - OpenSSL. Or am I wrong again?

You are wrong on one point: OpenSSL is *not* being developed in the US, and never (as far as I know) has. The same goes for its predecessor, SSLeay (that was developed in Australia).

If you look, you will notice that all developers are currently from or in Germany, UK and Sweden, at least as far as I can tell with whois.

If you look, you will notice that www.openssl.org is actually a machine in Switzerland.

Oh... Hmmm... I didn't know that. That is, I saw the page that lists the geographics of the developer team of OpenSSL, but didn't pay attention to this fact. Well, one worry less for our lawyers. Thanks!

--
Dmitry Rubinstein
RE: OpenSSL usage liability.
Hi there,

On Wed, 17 Nov 1999 [EMAIL PROTECTED] wrote:

Will the US gov. bust us since encrypted communications will be going across its borders?

No, as long as you use exportable ciphersuites (see one of the appendixes of the SSL spec for a list of those). That is, you limit the length of your symmetric key to what is it now? 56 bit?

The strength of the cryptography being *used* across the border should not matter. Someone in the US can talk to my webserver at 128-bit crypto (and vice versa) if they want and are not guilty of exporting crypto. If they try to send me a 128-bit *tool* with which to conduct such transmissions then they do have a problem.

The use of crypto is not the problem with the US (although it was/is in France and may be in other places too) ... it's the distribution of the tools with which to perform the crypto that is the sticking point.

NB: I reserve the right to be wrong. :-)

Cheers,
Geoff

--
Geoff Thorpe  Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe  http://www.int.c2.net
--
May I just take this opportunity to say that of all the people I have EVER emailed, you are definitely one of them.
Re: OpenSSL usage liability.
US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

You mean next month (Dec 15, 1999).

Nicolas Roumiantzeff.
Re: OpenSSL usage liability.
Nicolas Roumiantzeff wrote:

US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

You mean next month (Dec 15, 1999).

No. The theory is that there will be no change for source export.

Cheers,
Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
Re: OpenSSL usage liability.
US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

You mean next month (Dec 15, 1999).

U.S. law is not going to change radically on Dec. 15. There will still be a one time review of exported binaries. Exported source code will still be banned. Technical assistance will still be restricted.

Not that I know anything in particular about the new regulations. This statement is simply inferred by the Executive Branch's continued appeals in the Bernstein case which if the last ruling was allowed to stand would remove the government's prior restraint authority from computer source code. And its continued fight to prevent Congress from voting on any of the bills which would allow mass market software to be shipped without review.

I am encouraged by Germany's grant for development of GNU software for personal key management. This action which the U.S. strongly disagrees with is only more likely to put pressure on the U.S. to cave into the development of open source crypto.

Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
Re: OpenSSL usage liability.
Hi,

On Wed, 17 Nov 1999, K wrote:

thank you geoff, that was enlightening.

really?? oh ... :-)

what about the fact that we are a swiss company? we remotely admin our boxes and so obviously we will send this 'tool' to our server from switzerland. is that legal? (i think it might be because i thought i heard somewhere it was ok to send crypto tools TO the US, just not export to the rest of the world FROM the US.) ideas? clue?

Operating "across" the border is not just extremely difficult to do without *accidentally* violating some restriction, but is also a legal minefield where common sense shares a much lower overlap with the law than you might expect or reasonably hope for. I really don't want to be the one to make statements to you about what you can and can't do - apart from wanting to steer well clear of any liability for pointing you in the wrong direction, there is also the fact that I don't understand much of it myself.

The simple stuff is relatively well understood - send a crypto program to the US from outside - sometimes ok (if the country you're sending from has liberal enough laws and even this can depend on whether it is commercial, non-commercial, mass-market, customised, source, binary, etc etc etc). If you try to send it back from the US it's an almost certain no-no. If someone uses it inside the US to communicate with someone using it outside the US - that *should* be fine. This last point is what my original statement was about ... all that other stuff (particularly when you want to complicate things with 'remote admin' across borders) really needs you to get an authoritative legal opinion from someone who really knows this stuff. And that isn't me :-)

Cheers,
Geoff

--
Geoff Thorpe  Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe  http://www.int.c2.net
--
May I just take this opportunity to say that of all the people I have EVER emailed, you are definitely one of them.
RE: OpenSSL usage liability.
There's also the option of using IBM's secure toolkit (both Java and C/C++). The C/C++ toolkit requires a BSAFE license from RSA, the Java toolkit does not require any licensing from RSA.

Luc

-Original Message-
From: K [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 17, 1999 10:53 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL usage liability.

are you sure the license that comes with the red hat secure server applies to any rsa technology in use (ie software other than red hats). there is the possibility rsa would give the license under the terms that it only be applied to that specific implementation of rsa technology.

kelly

- Original Message -
From: Leland V. Lammert [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 17, 1999 6:19 PM
Subject: Re: OpenSSL usage liability.

At 05:59 PM 11/17/99, you wrote:

Kelly, I started using mod_ssl because Redhat's Secure Server was pathetically behind the times and everything else was too expensive. Redhat recently revised it to 3.1, though, and it's $149. So I broke down and ordered it and won't be using mod_ssl for commerce in the US.

Steve Freitas

Another option - purchase the RedHat secure server for $149, and throw it away (retaining the license, of course). That way, you WOULD be legal with openssl.

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist
Omnitec Corporation
Network/Internet Consultants
www.omnitec.net
Re: OpenSSL usage liability.
Steve Freitas writes:

Another option - purchase the RedHat secure server for $149, and throw it away (retaining the license, of course). That way, you WOULD be legal with openssl.

I'd like to do that, but I've never seen an authoritative statement which would legally qualify this. Certainly it passes the 'common sense test,' but that's never meant anything in the courts. If you've seen anything to the contrary, I'd love to see it.

Is it really true that on September 20th, 2000 the RSA patents expire and this issue is moot?

Also, if the buy a license trick works, the Roxen server is $118 USD which is less than Redhat.

Jim

--
==
James B. Huber [EMAIL PROTECTED]
Genesis Controls, Inc. (V/O) (407) 671-0820
==
RE: OpenSSL usage liability.
thank you geoff, that was enlightening. what about the fact that we are a swiss company? we remotely admin our boxes and so obviously we will send this 'tool' to our server from switzerland. is that legal? (i think it might be because i thought i heard somewhere it was ok to send crypto tools TO the US, just not export to the rest of the world FROM the US.) ideas? clue?

In Switzerland we (yes I'm from Switzerland too ;) also have a crypto export law. Just take a look at http://www.admin.ch/bawi/d/kontroll/index.htm

You may also take a look at http://www.admin.ch/ch/d/sr/c946_202_1.html.

Regards
Rene

--
---
Rene G. Eberhard
Mail : [EMAIL PROTECTED]
RE: OpenSSL usage liability.
dimrub> Sorry for being insufficiently explicit. The company in Swiss
dimrub> is going to have problems with US gov. not because they use
dimrub> encryption over the border, but because they use in Swiss
dimrub> software that does strong encryption that was developed in
dimrub> US. Namely - OpenSSL. Or am I wrong again?

You are wrong on one point: OpenSSL is *not* being developed in the US, and never (as far as I know) has. The same goes for its predecessor, SSLeay (that was developed in Australia).

If you look, you will notice that all developers are currently from or in Germany, UK and Sweden, at least as far as I can tell with whois.

If you look, you will notice that www.openssl.org is actually a machine in Switzerland.

US is far away from OpenSSL, and will probably remain that way for some time, unless the US export law changes radically.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-161 43 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: OpenSSL usage liability, RHSWS, and toothbrushes
dave - I agree with you 100%. I can ask my legal counsel for an opinion and they do have a group that specializes in specifically this area. If I have a chance I'll ask because it is related to an issue that I'm dealing with and in my case if the patent is a problem I'll simply avoid RSA.
Re: OpenSSL usage liability, RHSWS, and toothbrushes
On Thu, Nov 18, 1999 at 10:39:10AM -0500, Dave Neuer wrote:

Another option - purchase the RedHat secure server for $149, and throw it away (retaining the license, of course). That way, you WOULD be legal with openssl.

[...]

I feel I must repeat, "I AM NOT A LAWYER." However, I'd suggest anyone adhering to the idea that licensing a particular RSA implementation gives them any rights to the algorithm itself go get one, because they may end up needing his/her service in court.

September 2000 can't come soon enough.

Well, I am a lawyer, and your conclusions are correct. The "buy one product and throw it away but 'keep the license'" theory is attractive but DOES NOT WORK IN THE UNITED STATES. If it did, there'd be no reason to buy any product at all - you could just use the license from a copy of Netscape or IE browsers, available for free, to legitimize your RSA/OpenSSL implementation. Does that pass the "common sense test"?

--
Greg Broiles
[EMAIL PROTECTED]
PO Box 897
Oakland CA 94604
RE: OpenSSL usage liability.
From: Geoff Thorpe [mailto:[EMAIL PROTECTED]]

The strength of the cryptography being *used* across the border should not matter. Someone in the US can talk to my webserver at 128-bit crypto (and vice versa) if they want and are not guilty of exporting crypto. If they try to send me a 128-bit *tool* with which to conduct such transmissions then they do have a problem.

The use of crypto is not the problem with the US (although it was/is in France and may be in other places too) ... it's the distribution of the tools with which to perform the crypto that is the sticking point.

Sorry for being insufficiently explicit. The company in Swiss is going to have problems with US gov. not because they use encryption over the border, but because they use in Swiss software that does strong encryption that was developed in US. Namely - OpenSSL. Or am I wrong again?

I assume that no one of the OpenSSL dev team is US citizen and Eric Young is from .nz.

Regards
Rene

--
---
Rene G. Eberhard
Mail : [EMAIL PROTECTED]