Lucky Green wrote:
> [Coderpunks distribution removed]. On Wed, 7 Oct 1998, Frank O'Dwyer wrote:
> > No, it doesn't, because no crypto library gives any application "strong crypto". It has to be used correctly and appropriately for one thing. For another, it needs to be free of back doors, whether intentionally placed there or otherwise. In the long run, full disclosure of source code provides the best assurance that this is so.
> Of course source availability aids greatly in evaluating the overall security of software. However, Jim was correct in pointing out that /requiring/ source availability of products by licensing restrictions employed in crypto component freeware is counterproductive. Many companies will not be able to source contaminated by GNU-style licensing restrictions.

[I agree with this point re GPL - hopefully that was clear from the rest of what I wrote.] [...]

> We should all thank Eric for making SSLeay available under a BSD-style license. The world probably would have half as many internationally available strong cryptographic products had Eric used GPL.

I also agree that BSD licencing is better for SSLeay, and crypto components in general, than GPL (false dichotomy, btw--there are other licences). My interest in this issue is not so much in crypto components, but in licensing of open-source "product quality" standalone applications that employ crypto, since I am trying to write one. I think the issues for such programs may be different than for components. None of the freeware licences seem ideal to me, but the MozPL seems like a good compromise between GPL and BSD-style. (The main sticking point for me is that it states that disputes regarding the licence should be resolved in the States.) But I think that BSD/'X' might be overly liberal for a self-contained program, and GPL has the usual issues for any useful components that might be in the program. Having said that, I do question whether take-up of free crypto components by commercial companies genuinely results in "strong cryptographic products". I'm not meaning to denigrate Eric's work in any way, but in my experience the likes of SSLeay is very often shovelled into products by companies who don't understand crypto, don't understand SSL, and barely understand SSLeay. Even those who do understand what they are doing are typically working "on Internet time". Certainly merely linking to SSLeay does NOT result in a "strong cryptographic product", not by any stretch of the imagination.

> The bottom line is that GNU-licensing is more restrictive than BSD/SSLeay-style licensing. Hence identical freeware will see less deployment under GNU than under BSD.
> Cypherpunks believe that more strong crypto is better.

Well then, "Cypherpunks write code". Wide deployment of crypto components in closed-source programs (especially by cluebags) is neither necessary nor sufficient to achieve "more strong crypto" in the sense that Cypherpunks mean it, in my opinion. (Yes, it's better than nothing, but not much better.)

> The conclusion in the GNU vs. BSD/SSLeay/etc. license debate should be clear.

Well, it clearly isn't, as evidenced by the large number of fairly bright people arguing about it. :)

Cheers,
Frank O'Dwyer.