Folk, Here's version 1.4 of the SSLeay Legality FAQ. Additions since 1.3 are in the areas of import/export controls in various countries. Enjoy! ---------------------------------- Cut Here ---------------------------------- SSLeay Legality FAQ Version 1.4 Outline: Disclaimer Legality/Patent Rights table Export Considerations Patent Considerations References For more information Credits Disclaimer: This document may contain gross errors, and neither Clifford Heath nor Open Software Associates Limited accept any liability for same. Users should do their own research and receive professional legal advice. With regard to the legalities of using SSLeay, there is a number of geographical considerations, and a number of kinds of legal considerations. Legality/Patent Rights table: I've broken the legal considerations into "legal" (will the govt come after you :-) and "license" (who do you need to pay patent royalties to). Algor: Location: Purpose: Legal: License: Ref: DES world-wide any mostly# public domain RSA US indiv/free only RSAref free RSA RSA US commercial RSAref/BSAFE from RSADSI* RSA DH US ? mostly# Cylink+ DSA/DSS (based on Diffie-Hellman) RC4/2 US any mostly# from RSADSI RSA RC4 elsewhere any mostly# seems safe IDEA US/Europe/Japan indiv/free mostly# free ASCOM IDEA US/Europe/Japan indiv/commercial mostly# $US15, ASCOM ASCOM IDEA US/Europe/Japan company site mostly# from ASCOM ASCOM IDEA elsewhere any mostly# free SAFER world-wide any mostly# free Safer MD2 world-wide PEM only yes free@ rfc1319 MD5 world-wide any yes free@ rfc1321 SHA world-wide any yes free Any(!) France any only with (almost unobtainable) permit Any(!) Russia any only with permit Notes: * RSADSI's patent on RSA (#4,405,829) runs out on 20 Sep 2000. RSAref is free under certain terms, otherwise can be licensed through Concensus. BSAFE is stronger and has RC4 but requires purchase and royalties: $25K up front, royalties the larger of 2% or $2, royalty prepayment of $5000 per annum required in subsequent years covers 50% of royalties over the following year. + DH by itself cannot be used for digital signatures - the El Gamal extension provides this. CYLINK claim their DH patent covers El Gamal. The US patent #4,200,770 runs out on 29 April 1997. The Canadian patent (#1,121,480) registered 6 April, 1982, runs out in 1999. @ Acknowledgement is required - see the RFC. # Many countries have nominal export controls, including the UK and Australia, but I only know of them being enforced in the USA. MD2/5 and SHA are not subject to export controls anywhere that I know of. Export considerations: The USA has regulations under ITAR (International Trade in Arms Regulations) which categorises "cryptographic and ancillary devices" as munitions. Two classes of export licenses are granted: Distribution Licenses or DL's and Individual Validated Licenses or IVL's. To get an IVL you must say who the customer is and why he needs DES (or 3X DES, etc.). One may then use the IVL to export to the approved end user. Thousands are granted every year and very few applications are rejected. Systems which use cryptography for decryption only, authentication only (e.g. Kerberos authentication as available from Cybersafe and others), or can only be used for protecting financial data (e.g Cybercash etc., as long as it cannot be used for arbitrary messaging) are more-or-less readily granted a DL. DLs have also been granted for some implementations of RC4/40 bits (e.g Netscape). Canada has back-to-back agreements with the USA's ITAR controls, so it's easy to get crypto from the USA to Canada but you can't export from Canada. More information is available from Customs Canada (Revenue Canada) and Department of External Affairs and these URLs: http://axion.physics.ubc.ca/ECL.html - Excerpts from the Export Control List of Canada, and http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html Canada's export controls. Many other countries have export controls (UK, Australia and others), but enforcement is less stringent than in the USA. In Australia, export of cryptographic software is controlled by Customs Regulations 13B (military technology) and 13E (Dual Use Technology). The regulations are administered by the Defence Signals Directorate - mail to "Director, Strategic Trade Policy and Operations, Dept of Defence, Anzac Park West Offices APW1-1-OA1, Canberra, ACT" or fax (06)266-6412 and ask for their "Australian Controls on the Export of Technology with Civil and Military Applications". The Australian regulations are also online at http://www.austlii.edu.au/cgi-bin/sinodisp.pl/au/legis/cth/consol_reg/cer439... Software is defined as "one or more programs fixed in any tangible medium of expression", which explicitly leaves electronic shipment uncontrolled. Don't carry or mail media with SSLeay-based software out of Australia - email or FTP it instead! The UK Gov't is funding a project at Royal Holloway College which contains Key Escrow provisions. Watch for the EC DGXIII introducing European legislation under the banner "European Trusted Services", or visit http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html, ftp://ftp.dcs.rhbnc.ac.uk/pub/Chris.Mitchell/istr_a2.ps, ftp://ftp.cl.cam.ac.uk/users/rja14/euroclipper.ps.Z France disallows *import* and use of crypto technology without a permit, and Russia requires a permit for use also. Patent considerations: According to 35 U.S.C. 271 (a), "whoever makes, uses, offers to sell, sells or imports ... infringes the patent." In other words, you better ensure that you *compile out* and patented algorithms unless you intend to license them, even if the code is not executed. In fact, if you are in the USA, merely ftp'ing SSLeay into the USA is a breach of various patents. (Eric, you might consider splitting it into two ftp archives, one for the USA and an additional one for the rest of the world.) References: RSA: http://www.rsa.com/ CYLINK: http://www.cylink.com/products/security/ ASCOM: http://www.ascom.ch/Web/systec Safer: ftp://ftp.isi.ee.ethz.ch/pub/simpl/ For more information: http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm - Crypto Law Survey Credits: Thanks to to Eric Young, Rich Salz, Donald Lewine, Holger Reif and Bruce Schneier (author of Applied Cryptography), Peter Trei, Remo Tabanelli, Ben Laurie, Ulf Moeller, Michael Taylor for their contributions. ------------------------------------------------------------ Clifford Heath cjh@osa.com.au Open Software Associates Limited 29 Ringwood Street / P O Box 401 Phone +613 9871 1694 Ringwood VIC 3134 AUSTRALIA Fax +613 9871 1711 ------------------------------------------------------------ Deploy Applications across the Internet and Intranets! Visit our Web site at http://www.osa.com