-----Original Message-----
From: Leland V. Lammert <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, November 18, 1999 1:55 AM
Subject: Re: OpenSSL usage liability.


>At 05:59 PM 11/17/99 , you wrote:
<snip>
>
>Another option - purchase the RedHat secure server for $149, and throw it
>away (retaining the license, of course). That way, you WOULD be legal with
>openssl.
>
>         Lee

Look at it this way: Manufacturer A patents a new bristle technology for
toothbrushes.  Manufacturer B makes a toothbrush using the same technology.
Does buying a toothbrush from Manufacturer A give you a right to use
Manufacturer B's toothbrush?  US PATENT LAW SAYS NO!  The only time you have
a right to use Manufacturer B's toothbrush is if Manufacturer B licenses the
patent from Manufacturer A.  This is entirely independent of any
relationship between the end customer and Manufacturer A.

I have seen this idea tossed around on this list and on the mod_ssl list,
that somehow licensing RHSWS or Raven allows one to use *any* implementation
of RSA.  I personally don't see any factual or legal evidence to support
this conclusion.  It seems that with all of these products, (and with their
crypto toolkits, too), RSA is licensing you "software", not rights to an
algorithm.  That software that they are licensing you happens to use their
patented algorithm (which is certainly lawful, since they own the patent,
and the software).  You have a right to use the algorithm ONLY because you
have a right to use the *software* that you licensed from them.

The license that comes with RHSWS 2.0 states at the top that the software
"[is] protected by copyright *and other laws*. Title to these programs ...
shall at all times remain with the aforementioned ..." (emphasis mine).  The
"aforementioned" the clause refers to are Red Hat Software and RSA Data
Security, Inc. (now just RSA Security, Inc.).

Subsequently in the RSA portion of the license agreement, it states:

    "The Software Programs include software licensed from RSA Data Security,
Inc. ("RSA Software").  You may not modify, translate, reverse engineer,
decompile, or disassemble the RSA Software or any part thereof, or otherwise
attempt to derive the source code therefrom, and you shall not authorize any
third party to do any of the foregoing.  *Nothing in this Agreement grants
you any rights, license, or interest with respect to the source code for the
RSA Software*..."

Again, the emphasis is mine.  Now, granted, this agreement does not
specifically address the patent issue by name.  However, I would say that
the language of the agreement certainly expresses RSA's intent to limit the
licensee's rights to use the "Software".  Add that to the fact that, AFAIK,
RSA has *never* licensed anyone to use their own implementation of RSA in
the US (one must always license BSAFE), and I'd say even a lawyer (one of
which I am not) would have a hard time arguing that buying RHSWS in any way
grants you rights to use any other implementation of RSA's patented
algorithms.

I actually had a conversation (via email) with Preston Brown of Red Hat, and
he told me that the reason that they distribute RHSWS as a statically-linked
binary only, with source just for the apache part (rather than with the
crypto part as a binary DSO, so that the server could be recompiled, as some
vendors do), is that their license with RSA prohibited it; it seems RSA
wasn't keen on the idea that the user might have some discrete crypto lib
lying around on their system that they could try to put to arbitrary uses.

I feel I must repeat, "I AM NOT A LAWYER."  However, I'd suggest anyone
adhering to the idea that licensing a particular RSA implementation gives
them any rights to the algorithm itself go get one, because they may end up
needing his/her service in court.  September 2000 can't come soon enough.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
www.futuristics.net

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
