New non-us and main, and RSA
[follow ups to -policy]
I was just taking a bit of a look around the new non-us trying to figure
out what our stance was on things like IDEA and RSA and unfortunately
can't figure it out. :| (BTW the dns has been swtiched over.. email
debian-admin@lists if there are issues)
It seems from what I have heard that we consider IDEA and RSA to be
non-free due to the patents on them in various countries and this is why
we have the gpg-rsa and gpg-idea modules in non-free. However we also have
libssl, openssl, cipe and ssleay in main which all implement the IDEA (and
RSA?) algorithms.
So, what is our policy on this?
There is a bit of an alterior motive here, it looks like it may be
possible to switch completely from PGP for all of Debian signature
checking to use GPG and the RSA module in its place, but that may not be
legal (or even DSFG?) to do so. This would be very nice as it would be one
more large chunk of non-DFSG software that we no longer rely on.
Does any know if use of the RSA module (which does not use RSAREF) is even
legal in the US? Also, what happens on Sept 20, 2000 when the US RSA
patent drops? How many other countries carry this patent?
Given that should Debian aim to drop RSA totally or should we aim to stop
accepting RSA keys and gradually convert over to a DH/DSS system? Should
we just -drop- RSA totally? (AFAIK you do not need IDEA for signatures,
only encryption)
Thanks,
Jason
Reply to: