From owner-freebsd-security  Thu Mar 25  8:59:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id DAF8814CA0
	for <freebsd-security@FreeBSD.ORG>; Thu, 25 Mar 1999 08:59:15 -0800 (PST)
	(envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Thu, 25 Mar 1999 09:58:55 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1)
	id xma003360; Thu, 25 Mar 99 09:58:29 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id JAA03117; Thu, 25 Mar 1999 09:58:28 -0700 (MST)
Date: Thu, 25 Mar 1999 09:58:27 -0700 (MST)
From: Paul Hart <hart@iserver.com>
X-Sender: hart@anchovy.orem.iserver.com
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <Pine.BSF.3.96.990325104851.483B-100000@fledge.watson.org>
Message-ID: <Pine.BSF.3.96.990325094344.3073A-100000@anchovy.orem.iserver.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 25 Mar 1999, Robert Watson wrote:

> > > There are no licensing costs involved in using ssh1.
> > 
> > This is false, for most reasonable definitions of 'use'.
> > 
> > In particular, the use to which Mike Thompson (the original poster)
> > said he would put the software is explicitly covered in the license
> > for ssh (COPYING in the main ssh source directory) as needing
> > commercial licensing from Data Fellows.
> 
> My impression was that a license was needed from RSA to use RSA public key
> routines commercially.  The Data Fellows purchase would cover that also, I
> believe.

I think this is also only required in countries (such as the US) where the
RSA algorithm is legally patented.  RSA cannot be patented in many other
countries since it was disclosed in a public journal before the patent was
applied for.  As I recall, US patent law allows for a grace period of 12
months after the public disclosure in which to file a patent application
and receive a valid patent (after the typical waiting period of several
years).  But this will all become moot next year when the RSA patent in
the US expires. 

Something else to consider is SSH1's use of IDEA, which is another
patent-protected cipher that could possibly require commercial licensing.
But that's less critical than RSA, since other suitable bulk ciphers are
easily substituted instead.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message