Re: New non-us and main, and RSA

["J.H.M. Dassen" <jdassen@wi.leidenuniv.nl>]

On Tue, May 11, 1999 at 23:21:28 -0600, Jason Gunthorpe wrote:
> It seems from what I have heard that we consider IDEA and RSA to be
> non-free due to the patents on them in various countries and this is why
> we have the gpg-rsa and gpg-idea modules in non-free. However we also have
> libssl, openssl, cipe and ssleay in main which all implement the IDEA (and
> RSA?) algorithms.
> 
> So, what is our policy on this?

non-US essentially serves two purposes:
- Home for cryptographic software, which is currently export-controlled in
  the USA.
- Home for packages that employ algorithms patented in the US.

There's an overlap between these in the case of software implementing/using
RSA.

The tricky thing is whether or not to consider the US situation for non-US
packages. For example, giflib implements an algorithm (lzw compression) that
is patented in the USA. AFAIK, that patent is USA-only. Should giflib
qualify for non-US/main?

If giflib qualifies for non-US/main, so should RSA. But not IDEA. The IDEA
patent isn't USA-only; see http://www.ascom.ch/infosec/idea/licensing.html .

> Does any know if use of the RSA module (which does not use RSAREF) is even
> legal in the US? Also, what happens on Sept 20, 2000 when the US RSA
> patent drops?

RSA will be free, just like DH is now.

> How many other countries carry this patent?

None as far as I know (I vaguely recall that the patent was issued after a
publication; no other country would allow this).

Ray
-- 
Obsig: developing a new sig