[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-tech
Subject:    Re: commercial web server software
From:       M Taylor <mctaylor () mta ! ca>
Date:       1998-07-23 13:07:20
[Download RAW message or body]

At 01:06 AM 7/23/98 -0700, you wrote:
>On Thu, 23 Jul 1998, Chris Cappuccio wrote:
>> Stronghold is very similar to Apache SSL, but a little more featured for a
>> larger user base and it is the only one legal in the USA

Stronghold is an enhanced Apache, in fact they ship you the apache source
code (with the crypto routines as object code only).

>Apache-SSL is legal to use in the US iff you get a RSA license.  One way
>to do that is to use rsaref which can be used freely, with a license, for
>non-commercial use.

RSAREF (from RSA Data Security Inc.) has been discribed as a very
nit-picking license. 

"Greatly reduced" (free) non-commercial licenses for Stronghold are
available. Contact C2Net for details.

IDEA is also patented in USA, Europe, Japan, ??? (not Canada), so you
either have to disable it in SSLeay (no harm for web server SSL), or
license that from Ascom.

>There are several other packages that include the RSA license; I think
>most of them were mentioned previously on the list.

You can build Apache-SSL/SSLeay with BSAFE, which I believe is non-trivial,
for use of Apache-SSL in USA for commercial purposes.

>> > 2.3, but then there is the problem with getting a certificate from a
>> > reputable authority so that browsers attaching with SSL don't scream
about
>> > an untrusted certificate authority - from what I understand Verisign and
>> > the like don't support signing of non-commercial servers (I could be
>> > wrong).
>> > 
>> 
>> Verisign will now sign certificates for Apache SSL but I don't know what
>> they do if you are obviously in the USA...........
>
>They have no reason to care.  People can use Apache-SSL legally for
>non-commercial purposes, or can get a RSA license in several ways.

I have used Verisign certificates in Canada for several years now.
Encrypted data and digital signatures or certificates can be legally
exported from USA.

-M Taylor

[prev in list] [next in list] [prev in thread] [next in thread]