[108314] in Cypherpunks


Re: RSAREF / RSAEuro Legal Issues

daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Feb 11 22:01:27 1999

Date: Thu, 11 Feb 1999 12:14:06 -0800
To: Anonymous <nobody@replay.com>, cypherpunks@toad.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <199902100328.EAA31637@replay.com>
Reply-To: Bill Stewart <bill.stewart@pobox.com>

>Can anybody shed light on the patent restrictions of the RSA public
>key algorithm? 
>Does this mean that a commercial organization outside the US can use a
>RSA implementation without legal hassles from RSADSI, or is there some
>sort of licensing scheme for organizations outside the US? The BSAFE 
>toolkit from RSA is really expensive, and a nice alternative to that
>is RSAeuro which is freely available as source code. Any suggestions?

PATENTS
In the US and Canada, the RSA algorithm is patented (for the next 1.5 years.)
Therefore, to use it there, you need a patent license from RSA.
Outside the US and Canada, you do not need a license.
Largely to save face after PGP's widespread violation of their patent,
RSA offered the public a piece of software called RSAREF,
and a license that allowed you to use it for non-commercial applications
at no charge as long as you agree to certain license terms.
The most annoying of these terms restricted you to using some
of their interfaces rather than the raw subroutines,
but they're also flexible about permission if you show you're
using the stuff competently (and if you're in the US or Canada.)

COPYRIGHTS
However, while patent laws from the US are mainly not
cross-supported for things that wouldn't be patentable in other countries,
copyrights are, and the RSAREF software is copyrighted.
This means that if you use RSAREF outside the US, 
and if RSA feels like it, they can sue you for copyright violation,
because it's clearly violating their license (even if you weren't
the one that did the illegal export.)

RSAEURO claims to have been written from scratch, not using
any of RSA's code.  If this is true, then there's no copyright problem,
and you can use it instead of the RSAREF it claims to be 
plug-compatible with, which makes it convenient for providing
non-commercial versions for US users.
I've heard a rumor that alleges that parts of RSAEURO may be
translations of RSAREF rather than clean rewrites;
you'll have to examine the code for yourself if this bothers you.
But if you don't like the code, go write some of your own.
(In the case of RSA, if you don't care about RSAREF compatibility,
recycle the code from PGP international editions instead.)

TRADE SECRETS
The RSA algorithm is public knowledge, but some other algorithms
from RSA companies have been trade secrets provided only under license,
including RC2 and RC4.  Both of those algorithms have been
leaked to the public and are widely available.
You can license them from RSA (in the US), or use them anyway;
there are a number of software manufacturers who use things they call
"ARCFOUR" or "Proprietary Name which really means
our Lawyers won't let us call it RC4".  (Or else they use
"Proprietary Name because we don't know what Snake Oil means" :-)

TRADEMARKS
I don't know what countries RSA Inc. has trademarks in,
so it's possible that you need to identify RSA as trademarked,
but this doesn't interfere with any real work even if it's true.
BSAFE is more likely to be trademarked.

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

