1996-11-20 - SSLeay Legality FAQ

Header Data

From: cjh@osa.com.au
To: cypherpunks@toad.com
Message Hash: e079d5c6ed4c87809145af865b637b8bd2d34e19f1ea0577ae6d08ec4a1704f7
Message ID: <199611202352.KAA04408@rosella.osa.com.au>
Reply To: N/A
UTC Datetime: 1996-11-20 23:43:57 UTC
Raw Date: Wed, 20 Nov 1996 15:43:57 -0800 (PST)

Raw message

From: cjh@osa.com.au
Date: Wed, 20 Nov 1996 15:43:57 -0800 (PST)
To: cypherpunks@toad.com
Subject: SSLeay Legality FAQ
Message-ID: <199611202352.KAA04408@rosella.osa.com.au>
MIME-Version: 1.0
Content-Type: text/plain


Folk,

Here's version 1.4 of the SSLeay Legality FAQ.  Additions since 1.3 are
in the areas of import/export controls in various countries.

Enjoy!

---------------------------------- Cut Here ----------------------------------

			SSLeay Legality FAQ Version 1.4

Outline:
	Disclaimer
	Legality/Patent Rights table
	Export Considerations
	Patent Considerations
	References
	For more information
	Credits

Disclaimer:

This document may contain gross errors, and neither Clifford Heath nor Open
Software Associates Limited accept any liability for same.  Users should do
their own research and receive professional legal advice.

With regard to the legalities of using SSLeay, there is a number of
geographical considerations, and a number of kinds of legal considerations.

Legality/Patent Rights table:

I've broken the legal considerations into "legal" (will the govt come after
you :-) and "license" (who do you need to pay patent royalties to).

Algor:	Location:	Purpose:	Legal:		License:	Ref:

DES	world-wide	any		mostly#		public domain
RSA	US		indiv/free	only RSAref	free		RSA
RSA	US		commercial	RSAref/BSAFE	from RSADSI*	RSA
DH	US		?		mostly#		Cylink+
DSA/DSS	(based on Diffie-Hellman)
RC4/2	US		any		mostly#		from RSADSI	RSA
RC4	elsewhere	any		mostly#		seems safe
IDEA	US/Europe/Japan	indiv/free	mostly#		free		ASCOM
IDEA	US/Europe/Japan	indiv/commercial mostly#	$US15, ASCOM	ASCOM
IDEA	US/Europe/Japan	company site	mostly#		from ASCOM	ASCOM
IDEA	elsewhere	any		mostly#		free
SAFER	world-wide	any		mostly#		free		Safer
MD2	world-wide	PEM only	yes		free@		rfc1319
MD5	world-wide	any		yes		free@		rfc1321
SHA	world-wide	any		yes		free		
Any(!)	France		any		only with (almost unobtainable) permit
Any(!)	Russia		any		only with permit

Notes:
* RSADSI's patent on RSA (#4,405,829) runs out on 20 Sep 2000.  RSAref is free
  under certain terms, otherwise can be licensed through Concensus.  BSAFE is
  stronger and has RC4 but requires purchase and royalties: $25K up front,
  royalties the larger of 2% or $2, royalty prepayment of $5000 per annum
  required in subsequent years covers 50% of royalties over the following year.
+ DH by itself cannot be used for digital signatures - the El Gamal extension
  provides this. CYLINK claim their DH patent covers El Gamal.  The US patent
  #4,200,770 runs out on 29 April 1997.  The Canadian patent (#1,121,480)
  registered 6 April, 1982, runs out in 1999.
@ Acknowledgement is required - see the RFC.
# Many countries have nominal export controls, including the UK and Australia,
  but I only know of them being enforced in the USA.  MD2/5 and SHA are not
  subject to export controls anywhere that I know of.

Export considerations:

The USA has regulations under ITAR (International Trade in Arms Regulations)
which categorises "cryptographic and ancillary devices" as munitions.
Two classes of export licenses are granted: Distribution Licenses or DL's
and Individual Validated Licenses or IVL's.

To get an IVL you must say who the customer is and why he needs DES (or 3X
DES, etc.).  One may then use the IVL to export to the approved end user.
Thousands are granted every year and very few applications are rejected.

Systems which use cryptography for decryption only, authentication only
(e.g. Kerberos authentication as available from Cybersafe and others), or
can only be used for protecting financial data (e.g Cybercash etc., as long
as it cannot be used for arbitrary messaging) are more-or-less readily
granted a DL.  DLs have also been granted for some implementations of
RC4/40 bits (e.g Netscape).

Canada has back-to-back agreements with the USA's ITAR controls, so it's
easy to get crypto from the USA to Canada but you can't export from Canada.
More information is available from Customs Canada (Revenue Canada) and
Department of External Affairs and these URLs:
http://axion.physics.ubc.ca/ECL.html - Excerpts from the Export Control List
of Canada, and http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html
Canada's export controls.

Many other countries have export controls (UK, Australia and others), but
enforcement is less stringent than in the USA.  In Australia, export of
cryptographic software is controlled by Customs Regulations 13B (military
technology) and 13E (Dual Use Technology).  The regulations are administered
by the Defence Signals Directorate - mail to "Director, Strategic Trade
Policy and Operations, Dept of Defence, Anzac Park West Offices APW1-1-OA1,
Canberra, ACT" or fax (06)266-6412 and ask for their "Australian Controls
on the Export of Technology with Civil and Military Applications".  The
Australian regulations are also online at http://www.austlii.edu.au/cgi-bin/sinodisp.pl/au/legis/cth/consol_reg/cer439/sch13.html
Software is defined as "one or more programs fixed in any tangible medium of
expression", which explicitly leaves electronic shipment uncontrolled.
Don't carry or mail media with SSLeay-based software out of Australia -
email or FTP it instead!

The UK Gov't is funding a project at Royal Holloway College which contains
Key Escrow provisions.  Watch for the EC DGXIII introducing European
legislation under the banner "European Trusted Services", or visit
http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html, 
ftp://ftp.dcs.rhbnc.ac.uk/pub/Chris.Mitchell/istr_a2.ps,
ftp://ftp.cl.cam.ac.uk/users/rja14/euroclipper.ps.Z

France disallows *import* and use of crypto technology without a permit,
and Russia requires a permit for use also.

Patent considerations:

According to 35 U.S.C. 271 (a), "whoever makes, uses, offers to sell, sells
or imports ... infringes the patent."  In other words, you better ensure
that you *compile out* and patented algorithms unless you intend to license
them, even if the code is not executed.  In fact, if you are in the USA,
merely ftp'ing SSLeay into the USA is a breach of various patents. (Eric,
you might consider splitting it into two ftp archives, one for the USA and
an additional one for the rest of the world.)

References:

RSA:	http://www.rsa.com/
CYLINK:	http://www.cylink.com/products/security/
ASCOM:	http://www.ascom.ch/Web/systec
Safer:	ftp://ftp.isi.ee.ethz.ch/pub/simpl/

For more information:

http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm - Crypto Law Survey

Credits:

Thanks to to Eric Young, Rich Salz, Donald Lewine, Holger Reif and Bruce
Schneier (author of Applied Cryptography), Peter Trei, Remo Tabanelli,
Ben Laurie, Ulf Moeller, Michael Taylor for their contributions.

------------------------------------------------------------
Clifford Heath                          cjh@osa.com.au
Open Software Associates Limited
29 Ringwood Street / P O Box 401        Phone +613 9871 1694
Ringwood  VIC  3134    AUSTRALIA        Fax   +613 9871 1711
------------------------------------------------------------
  Deploy Applications across the Internet and Intranets!
	 Visit our Web site at http://www.osa.com





Thread