summaryrefslogtreecommitdiff
path: root/doc/legal.doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc/legal.doc')
-rw-r--r--doc/legal.doc117
1 files changed, 117 insertions, 0 deletions
diff --git a/doc/legal.doc b/doc/legal.doc
new file mode 100644
index 0000000000..b55ed5ce6a
--- /dev/null
+++ b/doc/legal.doc
@@ -0,0 +1,117 @@
+From eay@mincom.com Thu Jun 27 00:25:45 1996
+Received: by orb.mincom.oz.au id AA15821
+ (5.65c/IDA-1.4.4 for eay); Wed, 26 Jun 1996 14:25:45 +1000
+Date: Wed, 26 Jun 1996 14:25:45 +1000 (EST)
+From: Eric Young <eay@mincom.oz.au>
+X-Sender: eay@orb
+To: Ken Toll <ktoll@ren.digitalage.com>
+Cc: Eric Young <eay@mincom.oz.au>, ssl-talk@netscape.com
+Subject: Re: Unidentified subject!
+In-Reply-To: <9606261950.ZM28943@ren.digitalage.com>
+Message-Id: <Pine.SOL.3.91.960626131156.28573K-100000@orb>
+Mime-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+Status: O
+X-Status:
+
+
+This is a little off topic but since SSLeay is a free implementation of
+the SSLv2 protocol, I feel it is worth responding on the topic of if it
+is actually legal for Americans to use free cryptographic software.
+
+On Wed, 26 Jun 1996, Ken Toll wrote:
+> Is the U.S the only country that SSLeay cannot be used commercially
+> (because of RSAref) or is that going to be an issue with every country
+> that a client/server application (non-web browser/server) is deployed
+> and sold?
+
+>From what I understand, the software patents that apply to algorithms
+like RSA and DH only apply in the USA. The IDEA algorithm I believe is
+patened in europe (USA?), but considing how little it is used by other SSL
+implementations, it quite easily be left out of the SSLeay build
+(this can be done with a compile flag).
+
+Actually if the RSA patent did apply outside the USA, it could be rather
+interesting since RSA is not alowed to let RSA toolkits outside of the USA
+[1], and since these are the only forms that they will alow the algorithm
+to be used in, it would mean that non-one outside of the USA could produce
+public key software which would be a very strong statment for
+international patent law to make :-). This logic is a little flawed but
+it still points out some of the more interesting permutations of USA
+patent law and ITAR restrictions.
+
+Inside the USA there is also the unresolved issue of RC4/RC2 which were
+made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2). I have
+copies of the origional postings if people are interested. RSA I believe
+claim that they were 'trade-secrets' and that some-one broke an NDA in
+revealing them. Other claim they reverse engineered the algorithms from
+compiled binaries. If the algorithms were reverse engineered, I belive
+RSA had no legal leg to stand on. If an NDA was broken, I don't know.
+Regardless, RSA, I belive, is willing to go to court over the issue so
+licencing is probably the best idea, or at least talk to them.
+If there are people who actually know more about this, pease let me know, I
+don't want to vilify or spread miss-information if I can help it.
+
+If you are not producing a web browser, it is easy to build SSLeay with
+RC2/RC4 removed. Since RC4 is the defacto standard cipher in
+all web software (and it is damn fast) it is more or less required for
+www use. For non www use of SSL, especially for an application where
+interoperability with other vendors is not critical just leave it out.
+
+Removing IDEA, RC2 and RC4 would only leave DES and Triple DES but
+they should be ok. Considing that Triple DES can encrypt at rates of
+410k/sec on a pentium 100, and 940k/sec on a P6/200, this is quite
+reasonable performance. Single DES clocks in at 1160k/s and 2467k/s
+respectivly is actually quite fast for those not so paranoid (56 bit key).[1]
+
+> Is it possible to get a certificate for commercial use outside of the U.S.?
+yes.
+
+Thawte Consulting issues certificates (they are the people who sell the
+ Sioux httpd server and are based in South Africa)
+Verisign will issue certificates for Sioux (sold from South Africa), so this
+ proves that they will issue certificate for OS use if they are
+ happy with the quality of the software.
+
+(The above mentioned companies just the ones that I know for sure are issuing
+ certificates outside the USA).
+
+There is always the point that if you are using SSL for an intra net,
+SSLeay provides programs that can be used so you can issue your own
+certificates. They need polishing but at least it is a good starting point.
+
+I am not doing anything outside Australian law by implementing these
+algorithms (to the best of my knowedge). It is another example of how
+the world legal system does not cope with the internet very well.
+
+I may start making shared libraries available (I have now got DLL's for
+Windows). This will mean that distributions into the usa could be
+shipped with a version with a reduced cipher set and the versions outside
+could use the DLL/shared library with all the ciphers (and without RSAref).
+
+This could be completly hidden from the application, so this would not
+even require a re-linking.
+
+This is the reverse of what people were talking about doing to get around
+USA export regulations :-)
+
+eric
+
+[1]: The RSAref2.0 tookit is available on at least 3 ftp sites in Europe
+ and one in South Africa.
+
+[2]: Since I always get questions when I post benchmark numbers :-),
+ DES performace figures are in 1000's of bytes per second in cbc
+ mode using an 8192 byte buffer. The pentium 100 was running Windows NT
+ 3.51 DLLs and the 686/200 was running NextStep.
+ I quote pentium 100 benchmarks because it is basically the
+ 'entry level' computer that most people buy for personal use.
+ Windows 95 is the OS shipping on those boxes, so I'll give
+ NT numbers (the same Win32 runtime environment). The 686
+ numbers are present as an indication of where we will be in a
+ few years.
+--
+Eric Young | BOOL is tri-state according to Bill Gates.
+AARNet: eay@mincom.oz.au | RTFM Win32 GetMessage().
+
+
View Lorry Controller Status