
Re: New non-us and main, and RSA



On Tue, May 11, 1999 at 11:21:28PM -0600, Jason Gunthorpe wrote:
> I was just taking a bit of a look around the new non-us trying to figure
> out what our stance was on things like IDEA and RSA and unfortunately
> can't figure it out. :| (BTW the dns has been switched over.. email
> debian-admin@lists if there are issues)

RSA and IDEA are currently considered to belong in non-free because of
the patents.  Note that mp3 players are in main and that's patented too,
so it seems that this isn't QUITE the cause..

At any rate, on -policy there is an attempt to change this, with initial
proposal made by me.  The gist of it is that if something like RSA or
IDEA has a DFSG free implementation, it should be considered suitable
for non-us/main.  This would apply to RSA, IDEA, LZW compression, mp3
encoders, etc.  It's possible because software patents are illegal where
pandora is.

As to whether the rest of the world can legally use these things or not,
well...


> It seems from what I have heard that we consider IDEA and RSA to be
> non-free due to the patents on them in various countries and this is why
> we have the gpg-rsa and gpg-idea modules in non-free. However we also have
> libssl, openssl, cipe and ssleay in main which all implement the IDEA (and
> RSA?) algorithms.
> 
> So, what is our policy on this?
> 
> There is a bit of an ulterior motive here, it looks like it may be
> possible to switch completely from PGP for all of Debian signature
> checking to use GPG and the RSA module in its place, but that may not be
> legal (or even DFSG?) to do so. This would be very nice as it would be one
> more large chunk of non-DFSG software that we no longer rely on.

The DFSG implementations should be able to go into non-us/main.  I think
Wichert has the same idea I have here (say something if you don't, oh
glorious leader!) and probably his message looked better than mine, but
anyway.

RSAREF is afaict not DFSG free.  And it is currently not legal to use RSA
without RSAREF in the US.  Note I have openssl, ssh, pgp-i, the gpg
RSA/IDEA modules, etc, etc, etc installed and I have not yet seen one
black helicopter or commando in ninja gear around my apartment.  So in
practicality, well it's probably not that big of a deal.

However if possible RSAREF-using packages should be built in addition to
the non-RSAREF versions, just so people who care can not have to worry
about breaking the law here in the US.  In just about a year it won't
matter and the -i and -us won't mean a thing because RSA's patent will
have expired.


> Does anyone know if use of the RSA module (which does not use RSAREF) is even
> legal in the US? Also, what happens on Sept 20, 2000 when the US RSA
> patent drops? How many other countries carry this patent?

AFAIK none.  September 20th we can happily chuck RSAREF and not bother to
care where it goes.  In the meantime we should have RSAREF-using
packages, but I'm betting RSAREF isn't DFSG free offhand.  I'll continue
using the free implementations until either the patent expires or I see
the black helicopters personally, but that's my choice and nobody else is
responsible for what happens as a result.


> Given that should Debian aim to drop RSA totally or should we aim to stop
> accepting RSA keys and gradually convert over to a DH/DSS system? Should
> we just -drop- RSA totally? (AFAIK you do not need IDEA for signatures,
> only encryption)

I have no idea when IDEA expires.  I'm not certain it's even patented in
the US actually.

--
Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
-------------------------------------------------------------------------
<Cylord> Would it be acceptable to debian policy if we inserted a crontab
         by default into potato that emailed bill.gates@microsoft.com
         every morning with an email that read, "Don't worry, linux is a
         fad..."
