From owner-freebsd-current Sat Feb 19 23:17:43 2000
Delivered-To: freebsd-current@freebsd.org
Received: from teknos.teknos.com (teknos-gw.nappr.org [216.0.190.254])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3959537BEA9; Sat, 19 Feb 2000 23:17:35 -0800 (PST)
	(envelope-from salaman@teknos.com)
Received: by teknos.teknos.com with Internet Mail Service (5.5.2650.21)
	id <19NW71HZ>; Sun, 20 Feb 2000 03:12:30 -0400
Message-ID: <1D45ABC754FB1E4888E508992CE97E4F059CE8@teknos.teknos.com>
From: "Victor A. Salaman"
To: 'Kris Kennaway', Garance A Drosihn
Cc: "Jordan K. Hubbard", Doug Barton, freebsd-current@FreeBSD.ORG
Subject: RE: openssl in -current
Date: Sun, 20 Feb 2000 03:12:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Quoting from OpenBSD:

"We took a free license release of ssh and OpenBSD-ifyed it. We get
around the USA-based RSA patent by providing an easy way to
automatically download and install a RSA-enabled package containing
shared library versions of libcrypto and libssl. These packages are
based on OpenSSL. People living outside the USA can freely use the RSA
patented code, while people inside the USA can freely use it for
non-commercial purposes. It appears as if companies inside the USA can
use the RSA libraries too, as long as RSA is not used in a profit
generating role. But this way almost everyone will get ssh built-in."

I have just read several documents from www.eff.org, www.rsa.com, and
www.openssl.org and have failed to find anything in there, that forbids
us from not using openssl's RSA version. RSA has a patent for the
algorithm, and they have provided a reference implementation to help
the adoption of the algorithm. In their license (RSAREF) it says you
can't export the code outside USA, but the US ITAR laws don't say
anything about importing.
So in theory, if the CD was made outside the USA, then it could be
imported without a single problem. The whole RSA scheme is bogus,
because anyone in the world can get an implementation of RSA, so it's
widely accessible, so why all this RSAREF/non-RSAREF mumbo-jumbo?

Perhaps we should send e-mail to RSA to clarify this, and in light of
this, ask for permission to distribute RSA with the base OS. Gee, we
can get RSA anyway, so what's the point of making it harder?

Does anyone have ANY document saying that if you are in the US you are
obliged to use RSAREF?

-----Original Message-----
From: Kris Kennaway [mailto:kris@FreeBSD.org]
Sent: Sunday, February 20, 2000 2:32 AM
To: Garance A Drosihn
Cc: Jordan K. Hubbard; Doug Barton; Victor Salaman;
freebsd-current@FreeBSD.ORG
Subject: Re: openssl in -current

On Sun, 20 Feb 2000, Garance A Drosihn wrote:

> This will be a lot easier once the patent expires. We would probably

Yes.

> be better off sticking with the ports-version until then, so we don't
> have to delay 4.0-release until all the issues are sorted out. If
> 4.0 is delayed, I want it delayed for things which are actually busted,
> and not to move features from the ports collection to the base system.

No-one's talking about delaying 4.0.

> I think everyone agrees that having a cryptography toolkit in the
> base system would be great, but we don't have to have it for *this*
> release, and there are no "cool things" for *this* release which
> depend on some cryptography toolkit being part of the base system.

Except it's not just this release, it's "for the life of the 4.x
branch" given the rules of what should get put into -stable. I really
don't want to have to wait another year or more for 5.0-RELEASE before
we can start making use of crypto in the recommended version of
FreeBSD.

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!"
-- Homer Simpson