From owner-freebsd-security  Tue Nov  2 12:36:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id D7C1E1544E; Tue,  2 Nov 1999 12:36:49 -0800 (PST)
	(envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2378 bytes) by bsdie.rwsystems.net
	via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp
	(sender: <jwyatt@rwsystems.net>) 
	id <m11ikeK-000CC4C@bsdie.rwsystems.net>
	for <ports@FreeBSD.ORG>; Tue, 2 Nov 1999 14:35:24 -0600 (CST)
	(Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 2 Nov 1999 14:35:20 -0600 (CST)
From: James Wyatt <jwyatt@rwsystems.net>
To: security@FreeBSD.ORG, ports@FreeBSD.ORG
Cc: "Gary D. Kline" <kline@tao.thought.org>, provos@citi.umich.edu,
	security@FreeBSD.ORG, ports@FreeBSD.ORG, markus@openbsd.org,
	Dug Song <dugsong@monkey.org>
Subject: Re: OpenSSH patches 
In-Reply-To: <Pine.BSO.4.10.9911021403120.1191-100000@funky.monkey.org>
Message-ID: <Pine.BSF.4.10.9911021334400.78894-100000@bsdie.rwsystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Nov 1999, Dug Song wrote:
> you can't use ApacheSSL in the US, unless you've paid RSA for a license
> for the RSA implementation in SSLeay or OpenSSL.

Yes, and I was lead to believe that buying the RadHat server pack (which
comes with an RSA license for Apache/SSLeay) would cover a FreeBSD server
as long as the CPU count was honored. This makes a license $100-150. Any
one else know if this is true or there are other approaches?

> > I can also more easily get an RSA license because I have to cover it for a
> > year or so anyway - until the patent expires. Most businesses are used to
> > paying for the web server certs and licences, but some will balk at
> > something new. "*What* is this for again? I've never heard of it." - Jy@
> 
> paying for certificates is NOT the same as purchasing an RSA license for
> the use of RSA in your webserver. if you haven't done so, and are using
> the webserver for commercial purposes, you're violating their patent.

While I completely understand the differences, it is easier to explain to 
"accounting types" (sorry...) that this is another small fee to run the 
ecommerce web servers like the certificate fees. Most have even heard of
RedHat nowadays, but none have heard of ssh. 8{)

> it sucks, i know. beware.

Agreed, but watch for reasonable deals, some exist. It is also important
that, for ssh, you are not limited to RSA. For Apache/SSLeay, you're
stuck. I rather doubt that the original RSA patents will be extended, as
well, but you never know... - Jy@



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message