117 lines
5.5 KiB
Text
117 lines
5.5 KiB
Text
From eay@mincom.com Thu Jun 27 00:25:45 1996
|
|
Received: by orb.mincom.oz.au id AA15821
|
|
(5.65c/IDA-1.4.4 for eay); Wed, 26 Jun 1996 14:25:45 +1000
|
|
Date: Wed, 26 Jun 1996 14:25:45 +1000 (EST)
|
|
From: Eric Young <eay@mincom.oz.au>
|
|
X-Sender: eay@orb
|
|
To: Ken Toll <ktoll@ren.digitalage.com>
|
|
Cc: Eric Young <eay@mincom.oz.au>, ssl-talk@netscape.com
|
|
Subject: Re: Unidentified subject!
|
|
In-Reply-To: <9606261950.ZM28943@ren.digitalage.com>
|
|
Message-Id: <Pine.SOL.3.91.960626131156.28573K-100000@orb>
|
|
Mime-Version: 1.0
|
|
Content-Type: TEXT/PLAIN; charset=US-ASCII
|
|
Status: O
|
|
X-Status:
|
|
|
|
|
|
This is a little off topic but since SSLeay is a free implementation of
|
|
the SSLv2 protocol, I feel it is worth responding on the topic of if it
|
|
is actually legal for Americans to use free cryptographic software.
|
|
|
|
On Wed, 26 Jun 1996, Ken Toll wrote:
|
|
> Is the U.S the only country that SSLeay cannot be used commercially
|
|
> (because of RSAref) or is that going to be an issue with every country
|
|
> that a client/server application (non-web browser/server) is deployed
|
|
> and sold?
|
|
|
|
>From what I understand, the software patents that apply to algorithms
|
|
like RSA and DH only apply in the USA. The IDEA algorithm I believe is
|
|
patened in europe (USA?), but considing how little it is used by other SSL
|
|
implementations, it quite easily be left out of the SSLeay build
|
|
(this can be done with a compile flag).
|
|
|
|
Actually if the RSA patent did apply outside the USA, it could be rather
|
|
interesting since RSA is not alowed to let RSA toolkits outside of the USA
|
|
[1], and since these are the only forms that they will alow the algorithm
|
|
to be used in, it would mean that non-one outside of the USA could produce
|
|
public key software which would be a very strong statment for
|
|
international patent law to make :-). This logic is a little flawed but
|
|
it still points out some of the more interesting permutations of USA
|
|
patent law and ITAR restrictions.
|
|
|
|
Inside the USA there is also the unresolved issue of RC4/RC2 which were
|
|
made public on sci.crypt in Sep 1994 (RC4) and Feb 1996 (RC2). I have
|
|
copies of the origional postings if people are interested. RSA I believe
|
|
claim that they were 'trade-secrets' and that some-one broke an NDA in
|
|
revealing them. Other claim they reverse engineered the algorithms from
|
|
compiled binaries. If the algorithms were reverse engineered, I belive
|
|
RSA had no legal leg to stand on. If an NDA was broken, I don't know.
|
|
Regardless, RSA, I belive, is willing to go to court over the issue so
|
|
licencing is probably the best idea, or at least talk to them.
|
|
If there are people who actually know more about this, pease let me know, I
|
|
don't want to vilify or spread miss-information if I can help it.
|
|
|
|
If you are not producing a web browser, it is easy to build SSLeay with
|
|
RC2/RC4 removed. Since RC4 is the defacto standard cipher in
|
|
all web software (and it is damn fast) it is more or less required for
|
|
www use. For non www use of SSL, especially for an application where
|
|
interoperability with other vendors is not critical just leave it out.
|
|
|
|
Removing IDEA, RC2 and RC4 would only leave DES and Triple DES but
|
|
they should be ok. Considing that Triple DES can encrypt at rates of
|
|
410k/sec on a pentium 100, and 940k/sec on a P6/200, this is quite
|
|
reasonable performance. Single DES clocks in at 1160k/s and 2467k/s
|
|
respectivly is actually quite fast for those not so paranoid (56 bit key).[1]
|
|
|
|
> Is it possible to get a certificate for commercial use outside of the U.S.?
|
|
yes.
|
|
|
|
Thawte Consulting issues certificates (they are the people who sell the
|
|
Sioux httpd server and are based in South Africa)
|
|
Verisign will issue certificates for Sioux (sold from South Africa), so this
|
|
proves that they will issue certificate for OS use if they are
|
|
happy with the quality of the software.
|
|
|
|
(The above mentioned companies just the ones that I know for sure are issuing
|
|
certificates outside the USA).
|
|
|
|
There is always the point that if you are using SSL for an intra net,
|
|
SSLeay provides programs that can be used so you can issue your own
|
|
certificates. They need polishing but at least it is a good starting point.
|
|
|
|
I am not doing anything outside Australian law by implementing these
|
|
algorithms (to the best of my knowedge). It is another example of how
|
|
the world legal system does not cope with the internet very well.
|
|
|
|
I may start making shared libraries available (I have now got DLL's for
|
|
Windows). This will mean that distributions into the usa could be
|
|
shipped with a version with a reduced cipher set and the versions outside
|
|
could use the DLL/shared library with all the ciphers (and without RSAref).
|
|
|
|
This could be completly hidden from the application, so this would not
|
|
even require a re-linking.
|
|
|
|
This is the reverse of what people were talking about doing to get around
|
|
USA export regulations :-)
|
|
|
|
eric
|
|
|
|
[1]: The RSAref2.0 tookit is available on at least 3 ftp sites in Europe
|
|
and one in South Africa.
|
|
|
|
[2]: Since I always get questions when I post benchmark numbers :-),
|
|
DES performace figures are in 1000's of bytes per second in cbc
|
|
mode using an 8192 byte buffer. The pentium 100 was running Windows NT
|
|
3.51 DLLs and the 686/200 was running NextStep.
|
|
I quote pentium 100 benchmarks because it is basically the
|
|
'entry level' computer that most people buy for personal use.
|
|
Windows 95 is the OS shipping on those boxes, so I'll give
|
|
NT numbers (the same Win32 runtime environment). The 686
|
|
numbers are present as an indication of where we will be in a
|
|
few years.
|
|
--
|
|
Eric Young | BOOL is tri-state according to Bill Gates.
|
|
AARNet: eay@mincom.oz.au | RTFM Win32 GetMessage().
|
|
|
|
|