From: friedman@gnu.ai.mit.edu (Noah Friedman)
To: league-hq@prep.ai.mit.edu
Message Hash: 173106197822e4acd8504d0f1f7391c69c7052b2b5411a5f113a2f0fa594ad38
Message ID: <m0q3Zo9-0000qQC@baalperazim.frob.com>
Reply To: N/A
UTC Datetime: 1994-05-18 00:49:32 UTC
Raw Date: Tue, 17 May 1994 17:49:32 -0700
From: friedman@gnu.ai.mit.edu (Noah Friedman)
Date: Tue, 17 May 1994 17:49:32 -0700
To: league-hq@prep.ai.mit.edu
Subject: [bostic@vangogh.cs.berkeley.edu: RSAREF license makes PGP 2.5 useless for nearly all applications]
Message-ID: <m0q3Zo9-0000qQC@baalperazim.frob.com>
MIME-Version: 1.0
Content-Type: text/plain
FYI, some interesting notes about RSAREF.
------- start of forwarded message (RFC 934) -------
From: bostic@vangogh.cs.berkeley.edu (Keith Bostic)
To: /dev/null@python.bostic.com
Subject: RSAREF license makes PGP 2.5 useless for nearly all applications
Date: Tue, 17 May 1994 15:38:36 -0400
To catch everyone up, it's been widely reported that the Electronic
Frontier Foundation is making version 2.5 of Pretty Good Privacy (PGP)
available via anonymous ftp. That's Good.
However, quoting from the EFF announcement, PGP 2.5 is built upon
the "free RSAREF encryption functions, rather than the previous RSA
functions which required a special licensing arrangement for use in
applications like PGP." That's Bad.
The "free RSAREF encryption functions" are singularly free of any hint
of free-ness. The license is attached for your reading pleasure.
The synopsis is as follows.
To get access to PGP you have to:
+ Read the RSAREF license
+ Send the following by electronic mail to an EFF email address:
Yes, I acknowledge that I have read the RSAREF Program License
Agreement, version 2.0, March 16, 1994. I agree to be bound by
its terms and conditions in my use of RSAREF and/or any programs
that use it. YES, I am a U.S. or Canadian citizen and/or
permanent resident.
The license itself has some interesting conditions:
You may only modify the software for "porting or performance improvement
purposes". The interface is, however, excepted, and you may only change
that if you get permission (in writing) from RSA. RSA states they "will
grant all reasonable requests" for permission. That's a relief.
You have to give RSA source copies and unlimited redistribution rights
for any application that you change to work with the RSA code.
1) So, you've got some application you market. You figure that you
can make the code work with the RSA functions, and the buyer can
then do the integration if they want RSA functionality. Sorry,
but that's only permitted if you give RSA the right to give away
your software.
2) Well, you say, how about internal use? Let's say you've bought
the OfficePower office automation system for N million dollars,
and you want to change it to use RSA email. All you have to do
now is get permission to give away the Computer Consoles Inc.'s
software.
RSA explicitly grants you the right to copy the software for back-up
purposes, but makes no mention of any other copying. And, RSA says,
explicitly, that you may not copy it for any reason not expressly
provided for by the license. I'm not sure what this means, and I'm
really confused as to how you can get it on another distribution tape.
My guess is that the EFF violated their license when they moved the
software to their ftp distribution area.
You can't use the RSA software for ANYTHING that generates revenue.
1) Let's say you run a bulletin board service and you want to provide
secure email to the users. Forget it, the license says you can't
use the RSA software to "provide services to others for which you
are compensated in any manner".
2) Well, what if you're the Free Software Foundation, or UUNET, and you
want to include it on your distribution tapes. No chance. Not only
are you disallowed from charging any amount for the distribution tape,
but you have to get written assurances from everyone that buys the
tape that they won't use the software to generate revenue.
Finally, it gets worse. Paul Borman sent email to RSA asking about some
of this. Here's an excerpt:
> From: Paul Borman <prb@cray.com>
>
> ...
>
> Basically, I asked that if I had a program, say a mail program, that
> called PGP 2.5 as a filter to encrypt some mail I was sending out,
> would I have to give my mail program (which may be licensed from
> someone else) to RSA according to the RSAREF license. The response
> was:
>
>> Date: Tue, 17 May 94 09:19:36 PDT
>> From: jim@RSA.COM (Jim Bidzos)
>>
>> A program that calls or incorporates a program that incorporates
>> RSAREF would need to be subject to the RSAREF license as well,
>> otherwise one could just write App Programs in two parts...
Paul then correctly points out that init calls getty, which calls login,
which calls the shell, which calls mail, which uses the RSA software.
Wonder if I can get Novell to give me permission to send RSA a source
copy of UNIX, System V?
I'm an EFF member, I think a lot of the organization, and I believe that
it provides useful services to me. That said, this wasn't one of them.
- --keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
RSA LABORATORIES
PROGRAM LICENSE AGREEMENT
Version 2.0
March 16, 1994
RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA")
GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM:
1. LICENSE. RSA grants you a non-exclusive, non-transferable,
perpetual (subject to the conditions of Section 8) license for
the "RSAREF" program (the "Program") and its associated
documentation, subject to all of the following terms and
conditions:
a. to use the Program on any computer;
b. to make copies of the Program for back-up purposes;
c. to modify the Program in any manner for porting or
performance improvement purposes (subject to Section 2)
or to incorporate the Program into other computer programs
for your own personal or internal use, provided that you
provide RSA with a copy of any such modification or
Application Program by electronic mail, and grant RSA a
perpetual, royalty-free license to use and distribute such
modifications and Application Programs on the terms set
forth in this Agreement.
d. to copy and distribute the Program and Application Programs
in accordance with the limitations set forth in Section 2.
"Application Programs" are programs which incorporate all or any
portion of the Program in any form. The restrictions imposed on
Application Programs in this Agreement shall not apply to any
software which, through the mere aggregation on distribution media,
is co-located or stored with the Program.
2. LIMITATIONS ON LICENSE.
a. RSA owns the Program and its associated documentation and
all copyrights therein. You may only use, copy, modify and
distribute the Program as expressly provided for in this
Agreement. You must reproduce and include this Agreement,
RSA's copyright notices and disclaimer of warranty on any
copy and its associated documentation. The Program and any
Application programs must be distributed with their source code.
b. The Program may not be used directly for revenue-generating
purposes. You may not:
(i) use the Program to provide services to others for which
you are compensated in any manner;
(ii) license or otherwise distribute any Application Program
in any manner that generates income to you, including
without limitation any income on account of license
fees, royalties, maintenance fees and upgrade fees; and
(iii) license or otherwise distribute any Application
Program without the express written acknowledgment of
the end user that the Program will not be used in
connection with any revenue-generating activity of the
end user.
Nothing in this paragraph prohibits you from using the
Program or any Application Program solely for internal
purposes on the premises of a business which is engaged in
revenue-generating activities.
c. The Program, if modified, must carry prominent notices
stating that changes have been made, and the dates of any
such changes.
d. Prior permission from RSA in writing is required for any
modifications that access the Program through ways other
than the published Program interface or for modifications
to the Program interface. RSA will grant all reasonable
requests for permission to make such modifications.
3. NO RSA OBLIGATION. You are solely responsible for all of your
costs and expenses incurred in connection with the distribution
of the Program or any Application Program hereunder, and RSA
shall have no liability, obligation or responsibility therefor.
RSA shall have no obligation to provide maintenance, support,
upgrades or new releases to you or to any distributee of the
Program or any Application Program.
4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED
DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR
PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF
THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA)
ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN
SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS
BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE
PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY
DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set
forth below, RSA, at its own expense, shall: (i) defend, or at
its option settle, any claim, suit or proceeding against you on
the basis of infringement of any United States patent in the
field of cryptography by the unmodified Program; and (ii) pay any
final judgment or settlement entered against you on such issue in
any such suit or proceeding defended by RSA. The obligations of
RSA under this Section 6 are subject to: (i) RSA's having sole
control of the defense of any such claim, suit or proceeding;
(ii) your notifying RSA promptly in writing of each such claim,
suit or proceeding and giving RSA authority to proceed as stated
in this Section 6; and (iii) your giving RSA all information
known to you relating to such claim, suit or proceeding and
cooperating with RSA to defend any such claim, suit or
proceeding. RSA shall have no obligation under this Section 6
with respect to any claim to the extent it is based upon (a) use
of the Program as modified by any person other than RSA or use of
any Application Program, where use of the unmodified Program
would not constitute an infringement, or (b) use of the Program
in a manner other than that permitted by this Agreement. THIS
SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE
REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT.
NOTE: Portions of the Program practice methods described in and
subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829,
and all foreign counterparts and equivalents, issued to Leland
Stanford Jr. University and to Massachusetts Institute of
Technology. Such patents are licensed to RSA by Public Key
Partners of Sunnyvale, California, the holder of exclusive
licensing rights. This Agreement does not grant or convey any
interest whatsoever in such patents.
7. RSAREF is a non-commercial publication of cryptographic
techniques. Portions of RSAREF have been published in the
International Security Handbook and the August 1992 issue of Dr.
Dobb's Journal. Privacy applications developed with RSAREF may be
subject to export controls. If you are located in the United States
and develop such applications, you are advised to consult with the
State Department's Office of Defense Trade Controls.
8. TERM. The license granted hereunder is effective until
terminated. You may terminate it at any time by destroying the
Program and its associated documentation. The termination of your
license will not result in the termination of the licenses of any
distributees who have received rights to the Program through you
so long as they are in compliance with the provisions of this
license.
9. GENERAL
a. This Agreement shall be governed by the laws of the State of
California.
b. Address all correspondence regarding this license to RSA's
electronic mail address <rsaref-administrator@rsa.com>, or
to
RSA Laboratories
ATTN: RSAREF Administrator
100 Marine Parkway, Suite 500
Redwood City, CA 94065
------- end -------
Return to May 1994
Return to “friedman@gnu.ai.mit.edu (Noah Friedman)”
1994-05-18 (Tue, 17 May 1994 17:49:32 -0700) - [bostic@vangogh.cs.berkeley.edu: RSAREF license makes PGP 2.5 useless for nearly all applications] - friedman@gnu.ai.mit.edu (Noah Friedman)