Re: [suse-security] How do Europeans build against BSAFE?
Kurt Seifried wrote:
If you have to ask what it costs, you can't afford it. RSA is far from cheap. Depending on what you do with it, it can cost a lot, especially including it in products. I know of several companies (some pretty medium sized to large) that would love to buy an RSA license for free products, if you're open source it's damn unlikely (BTW when I mean a lot I'm talking like 7 figures).
Steve
-Kurt
Kurt, My project uses BSAFE. Then I contract under the US DoD, so we have a few nickels to throw at the project. The problem is the Bureaucracy is so messed up, they will waste a thousand man-hours to save a hundred bucks. And that is unfortunately a drastic understatement. When I need tools to do my job, I don't even bother asking procurement, it took over three years to get tape backup in place! NO LIE! Other distributions of Linux which go for about $200 come with some form of an RSA license. I believe at least one comes with a full developers version of BSAFE. I don't want another Linux distribution! I just want to be able to compile and use NSS and related tools. I don't want to distribute the stuff right now, and if I did, I'd work that out when it happened. First our Government says we can't export our cryptographic technology, so the rest of the world reproduces it for free, and now our Government makes it impossible to use it domestically! Hey, anybody in Germany or the UK hiring? Steve
Other distributions of Linux which go for about $200 come with some form of an RSA license. I believe at least one comes with a full developers version of BSAFE. I don't want another Linux distribution! I just want to be able to compile and use NSS and related tools. I don't want to distribute the stuff right now, and if I did, I'd work that out when it happened.
First our Government says we can't export our cryptographic technology, so the
Red Hat secure server (I assume this is what you refer to as the sub 200 product) has an RSA license for the crypto components in the webserver. You cannot use that license to say compile RSA into OpenSSH. You would need a license from RSA to (legally) compile in RSA (unless you use RSAREF, which has its own interesting license and may or may not be usable for you). I don't think SuSE for example will be able to get an RSA license that says "users can just compile anything they want with RSA". I hate to say this but September 20th is only ~44 days away, I'd advise waiting. I highly doubt even if SuSE threw (past tense of thrown anyone?) a semi-truck full of 100 dollar bills at RSA that they would be able to get this licensed and out the door/etc by Sept 20th.
rest of the world reproduces it for free, and now our Government makes it impossible to use it domestically! Hey, anybody in Germany or the UK hiring?
Write your congresscritter.
Steve
-Kurt
Kurt Seifried wrote:
I hate to say this but September 20th is only ~44 days away, I'd advise waiting. I highly doubt even if SuSE threw (past tense of thrown anyone?) a semi-truck full of 100 dollar bills at RSA that they would be able to get this licensed and out the door/etc by Sept 20th.
I'm not sure what Sep 20 brings. One person told me he didn't believe all of BSAFE will be freed up then. I also don't know if Mozilla will build to anything other than BSAFE. One person told me he has built using BSAFEeay, but that looks pretty shaky at this point. Even the libs I have for the older NSS don't look like they will seamlessly fit into the current code base. I can't go into details, but there is no one-to-one matching.
First our Government says we can't export our cryptographic technology, so the rest of the world reproduces it for free, and now our Government makes it impossible to use it domestically! Hey, anybody in Germany or the UK hiring?
Write your congresscritter.
The guy who said "I'm proud to be a tax and spend liberal?" And "no one is going to eliminate waste, fraud and inefficiency in the Federal Government?" - Steny Hoyer
Steve
-Kurt
Steve
I'm not sure what Sep 20 brings. One person told me he didn't believe all of
On September 20th the RSA patent should expire (assuming RSA does not try to renew it, hopefully not). You Americans can then use a proper RSA implementation (like the rest of the world uses right now =).
BSAFE will be freed up then. I also don't know if Mozilla will build to anything other than BSAFE. One person told me he has built using BSAFEeay, but that looks pretty shaky at this point. Even the libs I have for the older NSS don't look like they will seamlessly fit into the current code base. I can't go into details, but there is no one-to-one matching.
As far as RSA software packages/etc go you'll still need to buy those, but at least you can choose to go with the free implementations of RSA.
Steve
-Kurt
Kurt Seifried wrote:
I'm not sure what Sep 20 brings. One person told me he didn't believe all of
On September 20th the RSA patent should expire (assuming RSA does not try to renew it, hopefully not). You Americans can then use a proper RSA implementation (like the rest of the world uses right now =).
For private "client-side" use we are pretty much free to use what we will. I'm quite impressed with SSLeay/OpenSSL. I don't know how the code stacks up against BSAFE as far as speed goes, but the free stuff seems quite stable as far as I can tell. I haven't put much of a load on it yet though. RSA strikes me as a quality oriented company, and they seem to produce good products. Even if the algorithms are public domain, (I wonder if I could get a patent on the Pythagorean theorem? ...hmmmmm?) they may still have a market for BSAFE. As far as the specifics of the patent go, I'm not sure what it actually covers. Steve Henson suggests a legal build would result from ./config no-rc5 no-idea no-rsa. rc5 and idea are both symmetric algorithms. RSA is the one that works the magic for PKI. It is a descendant of Diffie-Hellman, which may rightfully be called 'Williamson'. It's the only one I use in my work.
BSAFE will be freed up then. I also don't know if Mozilla will build to anything other than BSAFE. One person told me he has built using BSAFEeay, but that looks pretty shaky at this point. Even the libs I have for the older NSS don't look like they will seamlessly fit into the current code base. I can't go into details, but there is no one-to-one matching.
As far as RSA software packages/etc go you'll still need to buy those, but at least you can choose to go with the free implementations of RSA.
I'm not convinced that there won't be a bsafe.h and so forth in the opensource community soon. I'm just not sure it will hit the net at 0:01 on the 23rd.
-Kurt
Steve
participants (2)
- Kurt Seifried
- Steven T. Hatton