[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: propose: `cypherpunks license' (Re: Wanted: Twofish source code)

Lucky Green wrote:
> [Coderpunks distribution removed].
> On Wed, 7 Oct 1998, Frank O'Dwyer wrote:
> > No, it doesn't, because no crypto library gives any application "strong
> > crypto". It has to be used correctly and appropriately for one thing.
> > For another, it needs to be free of back doors, whether intentionally
> > placed there or otherwise. In the long run, full disclosure of source
> > code provides the best assurance that this is so.
> Of course source availablility aids greatly in evaluating the overall
> security of software. However, Jim was correct in pointing out that
> /requirin/g source availability of products by licensing restrictions
> employed in crypto component freeware is
> counterproductive. May companies will not be able to source contaminated
> by GNU-style licensing restrictions. 

[I agree with this point re GPL - hopefully that was clear from the rest
of what I wrote.]

> We should all thank Eric for making SSLeay available under a BSD-style
> license. The world probably would have half as many internationally
> available strong cryptographic products had Eric used GPL.

I also agree that BSD licencing is better for SSLeay, and crypto
components in general, than GPL (false dichotomy, btw--there are other
licences). My interest in this issue is not so much in crypto
components, but in licensing of open-source "product quality" standalone
applications that employ crypto, since I am trying to write one. I think
the issues for such programs may be different than for components. None
of the freeware licences seem ideal to me, but the MozPL seems like a
good compromise between GPL and BSD-style. (The main sticking point for
me is that it states that disputes regarding the licence should be
resolved in the States.) But I think that BSD/'X' might be overly
liberal for a self-contained program, and GPL has the usual issues for
any useful components that might be in the program. 

Having said that I do question whether take-up of free crypto components
by commercial companies genuinely results in "strong cryptographic
products". I'm not meaning to denigrate Eric's work in any way, but in
my experience the likes of SSLeay is very often shovelled into products
by companies who don't understand crypto, don't understand SSL, and
barely understand SSLeay. Even those who do understand what they are
doing are typically working "on Internet time". Certainly merely linking
to SSLeay does NOT result in a "strong cryptographic product", not by
any stretch of the imagination. 

> The bottom line is that GNU-licensing is more restrictive than
> BSD/SSLeay-style licensing. Hence identical freeware will see less
> deployment under GNU than under BSD.
> Cyphpunks believe that more strong crypto is better.

Well then, "Cypherpunks write code". Wide deployment of crypto
components in closed-source programs (especially by cluebags) is neither
necessary nor sufficient to achieve "more strong crypto" in the sense
that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing,
but not much better.)

> The conclusion in the GNU vs. BSD/SSLeay/etc. license debate should be clear.

Well, it clearly isn't, as evidenced by the large number of fairly
bright people arguing about it. :)

Frank O'Dwyer.