[ Quite long, and rather vapid in places - sorry in advance; there
 *is* some relatively interesting stuff about RSA's licensing further
 on though... ]

About a week ago, I posted a message here asking if anyone could 
point me at a working set of Win32 binaries for OpenSSL (I also asked 
about FAQs, but have had an answer about that). I got a couple of 
answers from people inside the U.S.A. saying that they were sorry 
they couldn't help me, and one message telling me that everything 
worked fine if you compiled with Visual C++ (which I don't have - I'm 
a long-term Borland shop). 

Before I start burrowing into the messy business of trying to compile 
a port of what is essentially a unix source code base under Win32, I 
thought I'd risk being a pain and asking one more time if anyone 
outside the U.S.A. has a working implementation they'd be willing to 
share. The simple fact is that I'm not a cryptographer, and I'm not a 
unix programmer; I understand TCP/IP pretty well, but I don't trust 
myself to incorporate a major toolkit that is peppered with warnings 
about its maintenance level under Windows, in a Windows application 
with millions of users... Obviously, I'd sooner leverage the efforts 
that other people must already have made.

Out of curiosity, is there any reason why there isn't an archive of 
compiled binaries? Source is all very well, and I can see absolutely 
why you *have* to have it when you're dealing with encryption 
technology, but couldn't the OpenSSL site be regarded as being 
authoritative enough to host some "official" binaries as well? I 
mean, I'm presuming here that OpenSSL *is* implemented as 
libraries...

Anyone willing to help me out would be warmly welcomed in my mailbox. 
:-)  

And now onto something more meaty:

Since I originally wrote, I've exchanged mail with RSA's Asia/Pacific 
people regarding licensing their B-SAFE SSL libraries... Actually, it 
was a pretty short conversation. It appears that they want US$100,000 
per annum per application as a minimum license for using B-SAFE in an 
application like Pegasus Mail. Now, Pegasus Mail is free software and 
it doesn't earn a whole lot of money from its optional manual sales; 
there's also no doubt that like all e-mail applications (or so I 
believe), Pegasus Mail's limited income has been increasingly 
impacted by Outl**k over the last year or so. All of this is a long-
winded way of saying that I could dive to the bottom of the Marianas 
Trench more easily than I could pay licensing fees like that.

The one big advantage of using RSA's code is that you can use it 
anywhere in the world. I understand the patent problems that make it 
difficult to use non-RSA software inside the U.S.A. What I want to 
know is whether there is any way around this...

For instance: Pegasus Mail is officially distributed from two sites 
in the U.S.A., one in the Netherlands and one in New Zealand. If I 
were to implement my SSL code as a separately loadable DLL, is there 
any reason why I can't just make that available from the Netherlands 
and New Zealand sites, but not the U.S. sites? Is there any effective 
reason why someone in the U.S.A. couldn't go to those sites, download 
the SSL enabler, and use it? [ Remember that I'm based in New Zealand 
and have no formal representation or presence in the U.S.A. ]

How are real-life application developers actually dealing with this 
problem? RSA are clearly only interested in gouging as much money as 
they possibly can before their patents start running out - I can't 
imagine that any developer except the really big corporates could 
afford license fees like this... So what does a developer do? There's 
a real danger of smaller players being forced out of the industry 
because they don't have the financial capacity to license things like 
this - does that worry anyone else as much as it worries me? (That's 
a rhetorical question, by the way - I'm sure it bothers *everyone* on 
this list just as much as it bothers me).

A comment in advance of any discussion here... I *have* been 
following the various threads on the legalities of the whole thing 
here in the last few days... But they didn't seem to address the 
issue of someone who actually has no formal physical presence within 
the U.S.A., like myself.

I'd be grateful to hear what people think about this. SSL support is 
getting to be an increasing demand item and I really have to do 
something about it, but that doesn't include selling everything I own 
to pay for the CEO of RSA Security's new Ferrari...

Cheers!

-- David --


--
David Harris, Pegasus Mail
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
