Subject: Re: quickly find what applications are affected by RSA
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
From: Frederick Bruckman <fb@enteract.com>
List: current-users
Date: 09/08/2000 09:44:28
On Fri, 8 Sep 2000, Jun-ichiro itojun Hagino wrote:

> 	the following twists have been removed by the RSA expiration, and
> 	recently deregulated:
> 	- non-commercials in US can use RSAREF
> 	- commercials in US cannot use RSA at all

Why do you say that? The formerly patented RSA algorithm (and code) is
now in the public domain. "Public domain" means no restrictions. The
*only* caveat in RSA's announcement is that folks who signed a
contract agreeing to pay a certain amount of $$ for something that is
now free, still have to pay, because _they_ _signed_ _the_ _contract_.
It's not possible to "qualify" a release to public domain, and RSA
knows better than to try to do that!

> 	- non-US people should use non-RSAREF RSA source code
> 
> 	there still are other problems with crypto software:
> 	- export/import regulation in non-US countries

This affects some NetBSD users, certainly, but does not affect NetBSD.

> 	- other patented algorithms, like IDEA/RC4/RC5

I wasn't aware that the algorithms were patented. Are you saying that
the openssl distribution in the NetBSD sources violates some patent?

> 	if we take the safer side, we should change almost nothing but
> 	RSAREF/non-RSAREF issue.

It's a fact that we will be distributing secret key encryption in the
base NetBSD-1.5. Who is served by restricting pkgsrc? There's a
proposal on the table in tech-pkg to change the handling of crypto
packages, which would pave the way to offer binaries for NetBSD-1.5.
Please see

http://mail-index.netbsd.org/tech-pkg/2000/09/07/0005.html