[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SSLeay Legality FAQ
Folk,
Here's version 1.4 of the SSLeay Legality FAQ. Additions since 1.3 are
in the areas of import/export controls in various countries.
Enjoy!
---------------------------------- Cut Here ----------------------------------
SSLeay Legality FAQ Version 1.4
Outline:
Disclaimer
Legality/Patent Rights table
Export Considerations
Patent Considerations
References
For more information
Credits
Disclaimer:
This document may contain gross errors, and neither Clifford Heath nor Open
Software Associates Limited accept any liability for same. Users should do
their own research and receive professional legal advice.
With regard to the legalities of using SSLeay, there is a number of
geographical considerations, and a number of kinds of legal considerations.
Legality/Patent Rights table:
I've broken the legal considerations into "legal" (will the govt come after
you :-) and "license" (who do you need to pay patent royalties to).
Algor: Location: Purpose: Legal: License: Ref:
DES world-wide any mostly# public domain
RSA US indiv/free only RSAref free RSA
RSA US commercial RSAref/BSAFE from RSADSI* RSA
DH US ? mostly# Cylink+
DSA/DSS (based on Diffie-Hellman)
RC4/2 US any mostly# from RSADSI RSA
RC4 elsewhere any mostly# seems safe
IDEA US/Europe/Japan indiv/free mostly# free ASCOM
IDEA US/Europe/Japan indiv/commercial mostly# $US15, ASCOM ASCOM
IDEA US/Europe/Japan company site mostly# from ASCOM ASCOM
IDEA elsewhere any mostly# free
SAFER world-wide any mostly# free Safer
MD2 world-wide PEM only yes free@ rfc1319
MD5 world-wide any yes free@ rfc1321
SHA world-wide any yes free
Any(!) France any only with (almost unobtainable) permit
Any(!) Russia any only with permit
Notes:
* RSADSI's patent on RSA (#4,405,829) runs out on 20 Sep 2000. RSAref is free
under certain terms, otherwise can be licensed through Concensus. BSAFE is
stronger and has RC4 but requires purchase and royalties: $25K up front,
royalties the larger of 2% or $2, royalty prepayment of $5000 per annum
required in subsequent years covers 50% of royalties over the following year.
+ DH by itself cannot be used for digital signatures - the El Gamal extension
provides this. CYLINK claim their DH patent covers El Gamal. The US patent
#4,200,770 runs out on 29 April 1997. The Canadian patent (#1,121,480)
registered 6 April, 1982, runs out in 1999.
@ Acknowledgement is required - see the RFC.
# Many countries have nominal export controls, including the UK and Australia,
but I only know of them being enforced in the USA. MD2/5 and SHA are not
subject to export controls anywhere that I know of.
Export considerations:
The USA has regulations under ITAR (International Trade in Arms Regulations)
which categorises "cryptographic and ancillary devices" as munitions.
Two classes of export licenses are granted: Distribution Licenses or DL's
and Individual Validated Licenses or IVL's.
To get an IVL you must say who the customer is and why he needs DES (or 3X
DES, etc.). One may then use the IVL to export to the approved end user.
Thousands are granted every year and very few applications are rejected.
Systems which use cryptography for decryption only, authentication only
(e.g. Kerberos authentication as available from Cybersafe and others), or
can only be used for protecting financial data (e.g Cybercash etc., as long
as it cannot be used for arbitrary messaging) are more-or-less readily
granted a DL. DLs have also been granted for some implementations of
RC4/40 bits (e.g Netscape).
Canada has back-to-back agreements with the USA's ITAR controls, so it's
easy to get crypto from the USA to Canada but you can't export from Canada.
More information is available from Customs Canada (Revenue Canada) and
Department of External Affairs and these URLs:
http://axion.physics.ubc.ca/ECL.html - Excerpts from the Export Control List
of Canada, and http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html
Canada's export controls.
Many other countries have export controls (UK, Australia and others), but
enforcement is less stringent than in the USA. In Australia, export of
cryptographic software is controlled by Customs Regulations 13B (military
technology) and 13E (Dual Use Technology). The regulations are administered
by the Defence Signals Directorate - mail to "Director, Strategic Trade
Policy and Operations, Dept of Defence, Anzac Park West Offices APW1-1-OA1,
Canberra, ACT" or fax (06)266-6412 and ask for their "Australian Controls
on the Export of Technology with Civil and Military Applications". The
Australian regulations are also online at http://www.austlii.edu.au/cgi-bin/sinodisp.pl/au/legis/cth/consol_reg/cer439/sch13.html
Software is defined as "one or more programs fixed in any tangible medium of
expression", which explicitly leaves electronic shipment uncontrolled.
Don't carry or mail media with SSLeay-based software out of Australia -
email or FTP it instead!
The UK Gov't is funding a project at Royal Holloway College which contains
Key Escrow provisions. Watch for the EC DGXIII introducing European
legislation under the banner "European Trusted Services", or visit
http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html,
ftp://ftp.dcs.rhbnc.ac.uk/pub/Chris.Mitchell/istr_a2.ps,
ftp://ftp.cl.cam.ac.uk/users/rja14/euroclipper.ps.Z
France disallows *import* and use of crypto technology without a permit,
and Russia requires a permit for use also.
Patent considerations:
According to 35 U.S.C. 271 (a), "whoever makes, uses, offers to sell, sells
or imports ... infringes the patent." In other words, you better ensure
that you *compile out* and patented algorithms unless you intend to license
them, even if the code is not executed. In fact, if you are in the USA,
merely ftp'ing SSLeay into the USA is a breach of various patents. (Eric,
you might consider splitting it into two ftp archives, one for the USA and
an additional one for the rest of the world.)
References:
RSA: http://www.rsa.com/
CYLINK: http://www.cylink.com/products/security/
ASCOM: http://www.ascom.ch/Web/systec
Safer: ftp://ftp.isi.ee.ethz.ch/pub/simpl/
For more information:
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm - Crypto Law Survey
Credits:
Thanks to to Eric Young, Rich Salz, Donald Lewine, Holger Reif and Bruce
Schneier (author of Applied Cryptography), Peter Trei, Remo Tabanelli,
Ben Laurie, Ulf Moeller, Michael Taylor for their contributions.
------------------------------------------------------------
Clifford Heath [email protected]
Open Software Associates Limited
29 Ringwood Street / P O Box 401 Phone +613 9871 1694
Ringwood VIC 3134 AUSTRALIA Fax +613 9871 1711
------------------------------------------------------------
Deploy Applications across the Internet and Intranets!
Visit our Web site at http://www.osa.com