Since this is a perennial cause of complaint (and I have been one of the complainers): SuSE customers living in North America who want the *full* distribution, including crypto, on CD-ROM, can order it from Best, Corvin
RSA is now in the public domain (it would have been on September 20th anyway, so RSA released it two weeks early for PR).

http://www.securityportal.com/topnews/rsa20000906.html

September 07, 2000 - Yesterday, RSA formally announced that the RSA algorithm will be released into the public domain. This is definitely good news, but not terribly significant, since it would have happened on September 20 anyway (when their patent expires). The release of the algorithm is a good thing because you can now create cryptographic software using one RSA implementation and distribute it worldwide without having to license anything from RSA.

http://www.rsasecurity.com/news/pr/000906-1.html

So much misinformation has been spread recently regarding the expiration of the RSA algorithm patent that the company wanted to create an opportunity to state the facts. RSA Security's commercialization of the RSA patent helped create an entire industry of highly secure, interoperable products that are the foundation of the worldwide online economy. Releasing the RSA algorithm into the public domain now is a symbolic next step in the evolution of this market, as it will help cement the position of RSA encryption as the standard in all categories of wired and wireless applications and devices. RSA Security intends to continue to offer the world's premier implementation of the RSA algorithm and all other relevant encryption technologies in our RSA BSAFE software solutions and remains confident in our leadership in the encryption market.

Sounds pretty good. You can now freely build products in the USA that use the RSA algorithm. The most popular "free" implementation of RSA is OpenSSL, whose primary author was hired by RSA several years ago. Until recently OpenSSL came in two flavors, one compiled against its own RSA code and one compiled against RSAREF. While RSA was patented in the U.S., the only "free" implementation of RSA was RSAREF.
While it was possible that a company might license the RSA algorithm from the RSA company, it was highly unlikely that RSA (the company) would license them a copy once they found out it was to be freely distributed (and in fact this never happened). So everyone in the U.S. who wanted "free" RSA was stuck using RSAREF, a reference implementation of RSA with a very restrictive license. You could not use RSAREF for network services (OpenSSL, a secure Web server, etc.) at a university, for example, since universities charge tuition, which ultimately pays for network services. Because of this restriction on RSAREF it is pointless to ship encryption products based on it, since only a very limited subset of users would legally be able to use it. RSAREF is also very slow, has a maximum key length and had a serious security bug in the past, making it not very popular among security professionals.

But this is no longer a problem (and wouldn't have been after September 20 in any case), because you can now use a "free" implementation of RSA, such as the one OpenSSL provides, for encryption products you wish to use in the U.S. This is good news because you can, for example, download the OpenSSL and OpenSSH Solaris 8.0 packages I created and use them now. I never bothered to compile them against RSAREF, so you would have had to wait another two weeks to download them.

Unfortunately, U.S. crypto export laws still exist, so any companies within the U.S. creating spiffy new encryption packages, or open source projects like Linux trying to integrate cryptography, are still out of luck to varying degrees. (U.S. crypto law is in a state of flux, and while people have posted PGP publicly for download and not been arrested, it is still not 100% clear what is and isn't legal.) However, it appears U.S. crypto laws are slowly moving towards openness, and hopefully in a few years they will model Canada's export laws, which have a specific exemption for "Public Domain" (i.e. open source) software.
This also creates some rather large issues for U.S. companies selling cryptographic software based on RSA. There are several companies in the U.S. that licensed RSA and then created products such as secure Web servers that were basically Apache+OpenSSL compiled against their licensed RSA crypto products. The cheapest of these was several hundred dollars, and most were not much easier to install and manage than "doing it yourself." These companies will have to figure out some other value-added method of getting customers to pay for something they can download for free. Any American can now download OpenSSL, install it, and use it for OpenSSH (secure administration), Apache (secure Web-serving) and so on. So what are you waiting for? Go do it!

ftp://ftp.cryptoarchive.net/pub/