1994-05-18 - [bostic@vangogh.cs.berkeley.edu: RSAREF license makes PGP 2.5 useless for nearly all applications]

Header Data

From: friedman@gnu.ai.mit.edu (Noah Friedman)
To: league-hq@prep.ai.mit.edu
Message Hash: 173106197822e4acd8504d0f1f7391c69c7052b2b5411a5f113a2f0fa594ad38
Message ID: <m0q3Zo9-0000qQC@baalperazim.frob.com>
Reply To: N/A
UTC Datetime: 1994-05-18 00:49:32 UTC
Raw Date: Tue, 17 May 1994 17:49:32 -0700

Raw message

From: friedman@gnu.ai.mit.edu (Noah Friedman)
Date: Tue, 17 May 1994 17:49:32 -0700
To: league-hq@prep.ai.mit.edu
Subject: [bostic@vangogh.cs.berkeley.edu: RSAREF license makes PGP 2.5 useless for nearly all applications]
Message-ID: <m0q3Zo9-0000qQC@baalperazim.frob.com>
MIME-Version: 1.0
Content-Type: text/plain


FYI, some interesting notes about RSAREF.

------- start of forwarded message (RFC 934) -------
From: bostic@vangogh.cs.berkeley.edu (Keith Bostic)
To: /dev/null@python.bostic.com
Subject: RSAREF license makes PGP 2.5 useless for nearly all applications
Date: Tue, 17 May 1994 15:38:36 -0400


To catch everyone up, it's been widely reported that the Electronic
Frontier Foundation is making version 2.5 of Pretty Good Privacy (PGP)
available via anonymous ftp.  That's Good.

However, quoting from the EFF announcement, PGP 2.5 is built upon
the "free RSAREF encryption functions, rather than the previous RSA
functions which required a special licensing arrangement for use in
applications like PGP."  That's Bad.

The "free RSAREF encryption functions" are singularly free of any hint
of free-ness.  The license is attached for your reading pleasure.

The synopsis is as follows.

To get access to PGP you have to:

    + Read the RSAREF license
    + Send the following by electronic mail to an EFF email address:

    Yes, I acknowledge that I have read the RSAREF Program License
    Agreement, version 2.0, March 16, 1994.  I agree to be bound by
    its terms and conditions in my use of RSAREF and/or any programs
    that use it.  YES, I am a U.S. or Canadian citizen and/or
    permanent resident.

The license itself has some interesting conditions:

You may only modify the software for "porting or performance improvement
purposes".  The interface is, however, excepted, and you may only change
that if you get permission (in writing) from RSA.  RSA states they "will
grant all reasonable requests" for permission.  That's a relief.

You have to give RSA source copies and unlimited redistribution rights
for any application that you change to work with the RSA code.

1) So, you've got some application you market.  You figure that you
   can make the code work with the RSA functions, and the buyer can
   then do the integration if they want RSA functionality.  Sorry,
   but that's only permitted if you give RSA the right to give away
   your software.

2) Well, you say, how about internal use?  Let's say you've bought
   the OfficePower office automation system for N million dollars,
   and you want to change it to use RSA email.  All you have to do
   now is get permission to give away the Computer Consoles Inc.'s
   software.

RSA explicitly grants you the right to copy the software for back-up
purposes, but makes no mention of any other copying.  And, RSA says,
explicitly, that you may not copy it for any reason not expressly
provided for by the license.  I'm not sure what this means, and I'm
really confused as to how you can get it on another distribution tape.
My guess is that the EFF violated their license when they moved the
software to their ftp distribution area.

You can't use the RSA software for ANYTHING that generates revenue.

1) Let's say you run a bulletin board service and you want to provide
   secure email to the users.  Forget it, the license says you can't
   use the RSA software to "provide services to others for which you
   are compensated in any manner".

2) Well, what if you're the Free Software Foundation, or UUNET, and you
   want to include it on your distribution tapes.  No chance.  Not only
   are you disallowed from charging any amount for the distribution tape,
   but you have to get written assurances from everyone that buys the
   tape that they won't use the software to generate revenue.

Finally, it gets worse.  Paul Borman sent email to RSA asking about some
of this.  Here's an excerpt:

> From: Paul Borman <prb@cray.com>
>
> ...
>
> Basically, I asked that if I had a program, say a mail program, that
> called PGP 2.5 as a filter to encrypt some mail I was sending out,
> would I have to give my mail program (which may be licensed from
> someone else) to RSA according to the RSAREF license.  The response
> was:
>
>> Date: Tue, 17 May 94 09:19:36 PDT
>> From: jim@RSA.COM (Jim Bidzos)
>> 
>> A program that calls or incorporates a program that incorporates
>> RSAREF would need to be subject to the RSAREF license as well,
>> otherwise one could just write App Programs in two parts...

Paul then correctly points out that init calls getty, which calls login,
which calls the shell, which calls mail, which uses the RSA software.

Wonder if I can get Novell to give me permission to send RSA a source
copy of UNIX, System V?

I'm an EFF member, I think a lot of the organization, and I believe that
it provides useful services to me.  That said, this wasn't one of them.

- --keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                           RSA LABORATORIES
                      PROGRAM LICENSE AGREEMENT

                             Version 2.0
                            March 16, 1994

RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA")
GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM:

1.   LICENSE. RSA grants you a non-exclusive, non-transferable,
     perpetual (subject to the conditions of Section 8) license for
     the "RSAREF" program (the "Program") and its associated
     documentation, subject to all of the following terms and
     conditions:

     a.   to use the Program on any computer;

     b.   to make copies of the Program for back-up purposes;

     c.   to modify the Program in any manner for porting or
          performance improvement purposes (subject to Section 2)
          or to incorporate the Program into other computer programs 
          for your own personal or internal use, provided that you 
          provide RSA with a copy of any such modification or 
          Application Program by electronic mail, and grant RSA a
          perpetual, royalty-free license to use and distribute such
          modifications and Application Programs on the terms set
          forth in this Agreement.

     d.   to copy and distribute the Program and Application Programs
          in accordance with the limitations set forth in Section 2.

"Application Programs" are programs which incorporate all or any
portion of the Program in any form. The restrictions imposed on
Application Programs in this Agreement shall not apply to any
software which, through the mere aggregation on distribution media,
is co-located or stored with the Program.

2.   LIMITATIONS ON LICENSE.

     a.   RSA owns the Program and its associated documentation and
          all copyrights therein. You may only use, copy, modify and
          distribute the Program as expressly provided for in this
          Agreement. You must reproduce and include this Agreement,
          RSA's copyright notices and disclaimer of warranty on any
          copy and its associated documentation. The Program and any 
          Application programs must be distributed with their source code.

     b.   The Program may not be used directly for revenue-generating
          purposes. You may not:

          (i)  use the Program to provide services to others for which
               you are compensated in any manner;

          (ii) license or otherwise distribute any Application Program
               in any manner that generates income to you, including
               without limitation any income on account of license
               fees, royalties, maintenance fees and upgrade fees; and

          (iii) license or otherwise distribute any Application
               Program without the express written acknowledgment of
               the end user that the Program will not be used in
               connection with any revenue-generating activity of the
               end user.

          Nothing in this paragraph prohibits you from using the
          Program or any Application Program solely for internal
          purposes on the premises of a business which is engaged in
          revenue-generating activities.

     c.   The Program, if modified, must carry prominent notices
          stating that changes have been made, and the dates of any
          such changes. 

     d.   Prior permission from RSA in writing is required for any
          modifications that access the Program through ways other
          than the published Program interface or for modifications
          to the Program interface. RSA will grant all reasonable
          requests for permission to make such modifications.

3.   NO RSA OBLIGATION. You are solely responsible for all of your
     costs and expenses incurred in connection with the distribution
     of the Program or any Application Program hereunder, and RSA
     shall have no liability, obligation or responsibility therefor.
     RSA shall have no obligation to provide maintenance, support,
     upgrades or new releases to you or to any distributee of the
     Program or any Application Program.

4.   NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED
     DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR
     PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR
     PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF
     THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE
     PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA)
     ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR
     CORRECTION.

5.   LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN
     SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS
     BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE
     PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY
     DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN
     ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

6.   PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set
     forth below, RSA, at its own expense, shall: (i) defend, or at
     its option settle, any claim, suit or proceeding against you on
     the basis of infringement of any United States patent in the
     field of cryptography by the unmodified Program; and (ii) pay any
     final judgment or settlement entered against you on such issue in
     any such suit or proceeding defended by RSA. The obligations of
     RSA under this Section 6 are subject to: (i) RSA's having sole
     control of the defense of any such claim, suit or proceeding;
     (ii) your notifying RSA promptly in writing of each such claim,
     suit or proceeding and giving RSA authority to proceed as stated
     in this Section 6; and (iii) your giving RSA all information
     known to you relating to such claim, suit or proceeding and
     cooperating with RSA to defend any such claim, suit or
     proceeding. RSA shall have no obligation under this Section 6
     with respect to any claim to the extent it is based upon (a) use
     of the Program as modified by any person other than RSA or use of
     any Application Program, where use of the unmodified Program
     would not constitute an infringement, or (b) use of the Program
     in a manner other than that permitted by this Agreement. THIS
     SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE
     REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT.

     NOTE: Portions of the Program practice methods described in and
     subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829,
     and all foreign counterparts and equivalents, issued to Leland
     Stanford Jr. University and to Massachusetts Institute of
     Technology. Such patents are licensed to RSA by Public Key
     Partners of Sunnyvale, California, the holder of exclusive
     licensing rights. This Agreement does not grant or convey any
     interest whatsoever in such patents.

7.   RSAREF is a non-commercial publication of cryptographic
     techniques. Portions of RSAREF have been published in the
     International Security Handbook and the August 1992 issue of Dr.
     Dobb's Journal. Privacy applications developed with RSAREF may be
     subject to export controls. If you are located in the United States
     and develop such applications, you are advised to consult with the
     State Department's Office of Defense Trade Controls.

8.   TERM. The license granted hereunder is effective until
     terminated. You may terminate it at any time by destroying the
     Program and its associated documentation. The termination of your
     license will not result in the termination of the licenses of any
     distributees who have received rights to the Program through you
     so long as they are in compliance with the provisions of this
     license.

9.   GENERAL

     a.   This Agreement shall be governed by the laws of the State of
          California.

     b.   Address all correspondence regarding this license to RSA's
          electronic mail address <rsaref-administrator@rsa.com>, or
          to

               RSA Laboratories
               ATTN: RSAREF Administrator
               100 Marine Parkway, Suite 500
               Redwood City, CA  94065

------- end -------





