[25] in WWW Security List Archive
Re: No commercial restrictions on MD5
daemon@ATHENA.MIT.EDU (Bernhard.Schneck@Physik.TU-Muenche)
Tue Aug 16 09:55:26 1994
To: ams@eit.com (Allan M Schiffman)
Cc: hallam@dxal18.cern.ch, www-security@ns1.rutgers.edu
In-Reply-To: Your message of "Mon, 15 Aug 94 13:26:51 PDT."
<9408152026.AA09228@eitech.eit.com>
Date: Tue, 16 Aug 94 13:31:52 +0200
From: Bernhard.Schneck@Physik.TU-Muenchen.DE
In message <9408152026.AA09228@eitech.eit.com> you write:
> Phill writes:
> > Personaly I'd like to base everything on MD5 but that has
> > commercial restrictivities :-(
>
> I'm quite certain that there are *no* restrictions on the use of MD5.
> RFC1321 is titled "The MD5 Message-Digest Algorithm", authored by Ron
> Rivest of MIT (the "R" in "RSA"). It describes the algorithm and
> supplies reference source code. The RFC puts the algorithm in the
> public domain in the third paragraph of section 1:
> "The MD5 algorithm is being placed in the public domain
> for review and possible adoption as a standard."
Well, but there may be other restrictions on MD5: Cryptographic code
may be considered as munitions and thus export controlled by US
authorities.
I remember some folks also stated even exporting RFC1321 would make you
an arms dealer under ITAR, as cryptographic code can be extracted from
the RFC with a sed script.
Things may have changed by now (they havn't yet on DES), but this should
also be kept in mind when designing a security system for Internet services.
\Bernhard.
