Re: silc thingies
On Sat, Jul 06, 2002 at 00:50:30 +0200, Tamas SZERB wrote:
> After a while I'm here to discuss the situation of the silc-server and
> silc-client's problems why they cannot be in the official debian release.
> Long time ago I got an email which I unfortunately lost concerning the
> patent problems about the crypto methods used by the silc,
Caveat emptor: IANAL nor a cryptography expert.
There are two SILC internet-drafts which specify ciphers:
The first specifies a key exchange using Diffie-Hellman which isn't
The second is more problematic. It specifies both public and shared key
algorithms as well as some MAC algorithms.
HMAC-SHA1, HMAC-MD5: Not patent-encumbered to my knowledge
RSA (REQUIRED) - used to be problematic but the patent has finally
DSS (OPTIONAL) - apparently the DSA, a US standard selected by NIST.
This algorithm isn't patent-encumbered AFAIK.
AES (REQUIRED) - FIPS-197. Not patent-encumbered; see
http://csrc.nist.gov/encryption/aes/ for details.
Blowfish (REQUIRED) - unpatented; see
AES finalist, unpatented; see
AES candidate; not patent-encumbered to my knowledge
(statements concerning intellectual property rights of AES
submissions used to be available via http://aes.nist.gov,
but I can't find them anymore)
RC6 (OPTIONAL), MARS (OPTIONAL)
AES finalists; patent-encumbered.
Note that the IETF has started to pay more attention to intellectual
property right notices; you might want to have a look at
http://www.ietf.org/ipr.html and ask for the drafts to be updated with IPR
notices regarding the ciphers. It would be nice to see the SILC drafts drop
RC6 and MARS completely, perhaps adding Serpent (so all
non-patent-encumbered AES finalist algorithms are included) in their place.
> I'd be happy if somebody would like to say what problems are they,
The SILC sources contain code that implements the MARS and RC6 ciphers which
> and why,
The conditions under which the right to employ a patented algorithm is
granted typically prevent the software employing them from meeting the Debian
Free Software Guidelines (http://www.debian.org/social_contract#guidelines).
For more general information regarding the evils of software patents, see
e.g. http://lpf.ai.mit.edu/Patents/patents.html .
> and ideas how to solve them.
At the very least, your packages should not contain any object code built
from the source files that implement MARS and RC6.
I don't know what the current consensus on debian-legal is regarding source
files that implement patent-encumbered (cryptographic) algorithms, in
particular I don't know whether you should remove such source files from
your source package, or if not using them to produce binaries is considered
We do not worry about Microsoft developing Open Source applications. Their
revenue stream is based on a heroin addiction of selling ever more software.
Red Hat's Bob Young quoted in