A few of my random thoughts about what I currently know with regards
to restrictions on the use of SSLeay due to software patents and US
cryptographic export restrictions.
 
Seth Robertson <seth@soscorp.com> and david d `zoo' zuhn <zoo@armadillo.com>
have been very helpful in the preparation of this file.
 
First up, my library is FREE for COMMERCIAL and non-commercial use.  I
make no money from people using the algorithms encoded in this
library. (But I would accept donations :-).  I live in Australia and
if there are any cryptographic export restrictions, all I can say is that I
have had available for anon-ftp crypto routines for nearly 4 years and
no government type person has ever mentioned a thing.
 
All code in this library was written by me and I have never seen SSLref
or RSAref.
 
DES.  I have my libdes DES library in this package.  I wrote it from
documentation in the University of Queensland library.  My library is
actually used in SSLref (so I have been told).  I find it 'cute' that
it appears that most SSL implementations may end up using a
DES encryption library from Australia :-).  People from the USA
are not allowed to export DES due to crypto export restrictions.
It can go in but not out.
 
RC4.  I have RSA's RC4 cipher in my SSL packages.  I implemented it
from source code found on an ftp site in Europe.  I am not sure of the
legal status of people in the USA using it since I think RSA are not
very happy about it being reverse engineered.  I assume that RSA's
implementation is Copyrighted and is a Trade Secret, but that should
not affect this implementation since it was not derived from RSA's
actual source.  So, it may be illegal to use in the USA but I don't
know.  Export is definitely a no-no.
 
IDEA.  The IDEA algorithm can be used in the SSL protocol and as of
version 0.4.2 of my library it is present.  I believe it needs
to be licensed for businesses in Europe due to software patents but
am not sure how they are 'enforcing' the licensing.
 
RSA.  Ah, the big one.
The following is taken from the "The SSL Protocol" as published by
Netscape.
        The Massachusetts Institute of Technology and the Board of
        Trustees of the Leland Stanford Junior University have granted
        Public Key Partners (PKP) exclusive sub-licensing rights to
        the following patents issued in the United States, and all of
        their corresponding foreign patents:
 
        Cryptographic Apparatus and Method
        ("Diffie-Hellman")                      No. 4,200,770
        Public Key Cryptographic Apparatus and Method
        ("Hellman-Merkle")                      No. 4,318,582
        Cryptographic Communications System and Method
        ("RSA")                                 No. 4,405,829
        Exponential Cryptographic Apparatus and Method
        ("Hellman-Pohlig")                      No. 4,424,414
 
        These patents are stated by PKP to cover all known methods of
        practicing the art of Public Key encryption, including the
        variations collectively known as El Gamal.
 
        Public Key partners has provided written assurance to the
        Internet Society that parties will be able to obtain, under
        reasonable, nondiscriminatory terms, the right to use the
        technology covered by these patents.
        ......
 
From my understanding, it is therefore required that US people must
get a license from PKP to use SSLeay.  People outside the USA can use it
as much as they like since I don't think the US software patents are
valid outside of the US.  My implementation has been written from
books on algorithms which include sections on number theory.  I
basically knew zip about RSA stuff before I started reading at the
start of April'95.  So this one is a 'no export' from the USA and probably
a 'no use' in the USA.  The Diffie-Hellman routines are covered by
the same problems.
So we end up with a library that is free, but in the USA you must pay
money to people who the author has never met nor spoken to, otherwise
you break the law.  People can use my SSL library and the encryption
routines (except RSA and RC4) if I make it possible to build SSLeay
to use RSAref.  RSAref is the 'public' RSA reference implementation.
It is limited I believe to 1024 bit private keys.  My RSA
implementation is not (I have some sample keys of 2048, 4096 bits in
the distribution).  RSA Inc. have another implementation of RSA in their
BSAFE toolkit but it is for commercial use and costs dollars.  It is
not limited to 1024 bit keys (I believe).  RSAref is free for
non-commercial use under some very interesting conditions.  I have
appended their conditions to the end of this document.
 
This RSA code can probably be imported into the USA but not executed.
Again, not for export once in the USA.
 
One interesting question I have is what is the status of a binary
program that is an SSL filter between the Internet and a local program
(via a named pipe or UNIX domain socket)?
If I make binaries available in Australia, will people who ftp it to
the USA for free then have to pay PKP to run the program?  I could
just call it 'securelink' and not tell them the 'secret' encryption
algorithm I use.  Would they then be able to be prosecuted for violating
a patent they don't know is being violated?
 
A few more points for people in the USA regarding putting hooks in their
code to use SSL/RSA from my library and acquisition of a license
from PKP (the people who own the patent) for use of the RSA algorithm.
 
First, PKP have exclusive patent rights on all aspects of public key
cryptography (as 'listed' above).  Part of these conditions is that
they are reasonable and non-discriminatory in their licensing.
Unfortunately this does not mean they have to license my
implementation.  They have to license an implementation and they can
put as many restrictions as they like (e.g. it cannot be modified or
whatever).  I have not actually spoken to PKP at this point in time.
The patent gives a limited (17 year) monopoly, which some would
consider a very very long time in the software game.....
 
One thing worth considering, there are no crypto export restrictions
between the USA and Canada, and Canada does not have software patents.
So it is legal to build and use my library in Canada if you live in the USA.
 
Second point, the following is the X11R6/xdm-auth/README and the same
README appears in X11R5 (I have been playing with DES for quite a few
years :-)
 
  If you are looking for the file xc/lib/Xdmcp/Wraphelp.c, be advised that
  export of this software from the United States of America is assumed to
  require a specific license from the United States Government.  It is the
  responsibility of any person or organization contemplating export to obtain
  such a license before exporting.  You will find what you are looking for,
  in compressed form, as the file /private/xdm/help on this machine.  Note
  that you have to cd to '/private/xdm' in one step and then 'get' the
  file.
 
  Although it sounds stupid, and it is, we would appreciate if you would
  only tell other people how to find this README file, and not point them
  directly to the actual source code, so that they will read this warning.
 
  For persons outside the US, a compatible version of this file, implemented
  outside the US, can be obtained by anonymous ftp to ftp.psy.uq.oz.au
  (130.102.32.1) in the directory /pub/X11R5/.
 
So perhaps other people could get away with doing a similar thing with their
code.  It could be worth talking to the X consortium if you are
not sure about the legal implications.  For the RSA code, it may
actually be illegal to even have code that would only work with my
implementation.  If you wrote code that could work with either SSLref
or my SSLeay, you should be ok.
 
Anyway, enough of my rambling, none of this affects me because
a) I'm not making any money from this so I don't need to pay anyone :-)
b) I'm living in a part of the world not covered by software patents.
 
This information could all be wrong and out of date since a lot of this
stuff seems to be changing daily, so these are some of my off-the-cuff
thoughts on the topic as of December 1995.
 
eric
 
Oh yes, I believe the laws in France are as follows:
Crypto code is considered munitions, much as in the USA.
The use of crypto stuff is illegal unless it is properly authorized.
Authorization of serious crypto stuff like PGP is impossible.
So if the use of PGP is illegal so is my library (I have the same
algorithms plus more, in library and program form).  So if you are in
France you are not even supposed to import this library.
 
====
What follows is what I believe to be the license for RSAref.
The second part of item 1. is interesting.  It appears that these are
the only conditions under which free public key applications can be used in the
USA.  My free library will probably not change this.
--
>WHAT YOU CAN (AND CANNOT) DO WITH RSAREF
>
>     1.   RSAREF is free for personal or corporate use under the
>          following conditions:
>
>          o    RSAREF, RSAREF applications, and services based on
>               RSAREF applications may not be sold.
>
>          o    You must give RSA the source code of any free RSAREF
>               application you plan to distribute or deploy within
>               your company. RSA will make these applications
>               available to the public, free of charge.
>     2.   RSAREF applications and services based on RSAREF
>          applications may be sold under the following conditions:
>
>          o    You must sign and return the RSAREF Commercial License
>               Agreement to RSA (call RSA for a copy of this
>               agreement). Remember, RSAREF is an unsupported toolkit.
>               If you are building an application to sell, you should
>               consider using fully supported libraries like RSA's
>               BSAFE or TIPEM SDK's.
>
>     3.   RSAREF applications and services based on RSAREF
>          applications may be "sharewared" under the following
>          conditions:
>
>          o    Shareware authors do not need to sign a separate
>               agreement with RSA, provided that their per-copy asking
>               price is less than $50 and total RSAREF application
>               revenue is less than $10,000 annually. Otherwise,
>               shareware authors must sign and return the RSAREF
>               Commercial License Agreement.