FYI, some interesting notes about RSAREF. ------- start of forwarded message (RFC 934) ------- From: bostic@vangogh.cs.berkeley.edu (Keith Bostic) To: /dev/null@python.bostic.com Subject: RSAREF license makes PGP 2.5 useless for nearly all applications Date: Tue, 17 May 1994 15:38:36 -0400 To catch everyone up, it's been widely reported that the Electronic Frontier Foundation is making version 2.5 of Pretty Good Privacy (PGP) available via anonymous ftp. That's Good. However, quoting from the EFF announcement, PGP 2.5 is built upon the "free RSAREF encryption functions, rather than the previous RSA functions which required a special licensing arrangement for use in applications like PGP." That's Bad. The "free RSAREF encryption functions" are singularly free of any hint of free-ness. The license is attached for your reading pleasure. The synopsis is as follows. To get access to PGP you have to: + Read the RSAREF license + Send the following by electronic mail to an EFF email address: Yes, I acknowledge that I have read the RSAREF Program License Agreement, version 2.0, March 16, 1994. I agree to be bound by its terms and conditions in my use of RSAREF and/or any programs that use it. YES, I am a U.S. or Canadian citizen and/or permanent resident. The license itself has some interesting conditions: You may only modify the software for "porting or performance improvement purposes". The interface is, however, excepted, and you may only change that if you get permission (in writing) from RSA. RSA states they "will grant all reasonable requests" for permission. That's a relief. You have to give RSA source copies and unlimited redistribution rights for any application that you change to work with the RSA code. 1) So, you've got some application you market. You figure that you can make the code work with the RSA functions, and the buyer can then do the integration if they want RSA functionality. Sorry, but that's only permitted if you give RSA the right to give away your software. 2) Well, you say, how about internal use? Let's say you've bought the OfficePower office automation system for N million dollars, and you want to change it to use RSA email. All you have to do now is get permission to give away the Computer Consoles Inc.'s software. RSA explicitly grants you the right to copy the software for back-up purposes, but makes no mention of any other copying. And, RSA says, explicitly, that you may not copy it for any reason not expressly provided for by the license. I'm not sure what this means, and I'm really confused as to how you can get it on another distribution tape. My guess is that the EFF violated their license when they moved the software to their ftp distribution area. You can't use the RSA software for ANYTHING that generates revenue. 1) Let's say you run a bulletin board service and you want to provide secure email to the users. Forget it, the license says you can't use the RSA software to "provide services to others for which you are compensated in any manner". 2) Well, what if you're the Free Software Foundation, or UUNET, and you want to include it on your distribution tapes. No chance. Not only are you disallowed from charging any amount for the distribution tape, but you have to get written assurances from everyone that buys the tape that they won't use the software to generate revenue. Finally, it gets worse. Paul Borman sent email to RSA asking about some of this. Here's an excerpt:

From: Paul Borman <prb@cray.com>

...

Basically, I asked that if I had a program, say a mail program, that called PGP 2.5 as a filter to encrypt some mail I was sending out, would I have to give my mail program (which may be licensed from someone else) to RSA according to the RSAREF license. The response was:

...

Date: Tue, 17 May 94 09:19:36 PDT From: jim@RSA.COM (Jim Bidzos)

A program that calls or incorporates a program that incorporates RSAREF would need to be subject to the RSAREF license as well, otherwise one could just write App Programs in two parts...

Paul then correctly points out that init calls getty, which calls login, which calls the shell, which calls mail, which uses the RSA software. Wonder if I can get Novell to give me permission to send RSA a source copy of UNIX, System V? I'm an EFF member, I think a lot of the organization, and I believe that it provides useful services to me. That said, this wasn't one of them. - --keith =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= RSA LABORATORIES PROGRAM LICENSE AGREEMENT Version 2.0 March 16, 1994 RSA LABORATORIES, A DIVISION OF RSA DATA SECURITY, INC. ("RSA") GRANTS YOU A LICENSE AS FOLLOWS TO THE "RSAREF" PROGRAM: 1. LICENSE. RSA grants you a non-exclusive, non-transferable, perpetual (subject to the conditions of Section 8) license for the "RSAREF" program (the "Program") and its associated documentation, subject to all of the following terms and conditions: a. to use the Program on any computer; b. to make copies of the Program for back-up purposes; c. to modify the Program in any manner for porting or performance improvement purposes (subject to Section 2) or to incorporate the Program into other computer programs for your own personal or internal use, provided that you provide RSA with a copy of any such modification or Application Program by electronic mail, and grant RSA a perpetual, royalty-free license to use and distribute such modifications and Application Programs on the terms set forth in this Agreement. d. to copy and distribute the Program and Application Programs in accordance with the limitations set forth in Section 2. "Application Programs" are programs which incorporate all or any portion of the Program in any form. The restrictions imposed on Application Programs in this Agreement shall not apply to any software which, through the mere aggregation on distribution media, is co-located or stored with the Program. 2. LIMITATIONS ON LICENSE. a. RSA owns the Program and its associated documentation and all copyrights therein. You may only use, copy, modify and distribute the Program as expressly provided for in this Agreement. You must reproduce and include this Agreement, RSA's copyright notices and disclaimer of warranty on any copy and its associated documentation. The Program and any Application programs must be distributed with their source code. b. The Program may not be used directly for revenue-generating purposes. You may not: (i) use the Program to provide services to others for which you are compensated in any manner; (ii) license or otherwise distribute any Application Program in any manner that generates income to you, including without limitation any income on account of license fees, royalties, maintenance fees and upgrade fees; and (iii) license or otherwise distribute any Application Program without the express written acknowledgment of the end user that the Program will not be used in connection with any revenue-generating activity of the end user. Nothing in this paragraph prohibits you from using the Program or any Application Program solely for internal purposes on the premises of a business which is engaged in revenue-generating activities. c. The Program, if modified, must carry prominent notices stating that changes have been made, and the dates of any such changes. d. Prior permission from RSA in writing is required for any modifications that access the Program through ways other than the published Program interface or for modifications to the Program interface. RSA will grant all reasonable requests for permission to make such modifications. 3. NO RSA OBLIGATION. You are solely responsible for all of your costs and expenses incurred in connection with the distribution of the Program or any Application Program hereunder, and RSA shall have no liability, obligation or responsibility therefor. RSA shall have no obligation to provide maintenance, support, upgrades or new releases to you or to any distributee of the Program or any Application Program. 4. NO WARRANTY OF PERFORMANCE. THE PROGRAM AND ITS ASSOCIATED DOCUMENTATION ARE LICENSED "AS IS" WITHOUT WARRANTY AS TO THEIR PERFORMANCE, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE PROGRAM IS ASSUMED BY YOU AND YOUR DISTRIBUTEES. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU AND YOUR DISTRIBUTEES (AND NOT RSA) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 5. LIMITATION OF LIABILITY. EXCEPT AS EXPRESSLY PROVIDED FOR IN SECTION 6 HEREINUNDER, NEITHER RSA NOR ANY OTHER PERSON WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION, OR DELIVERY OF THE PROGRAM SHALL BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF RSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 6. PATENT INFRINGEMENT OBLIGATION. Subject to the limitations set forth below, RSA, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against you on the basis of infringement of any United States patent in the field of cryptography by the unmodified Program; and (ii) pay any final judgment or settlement entered against you on such issue in any such suit or proceeding defended by RSA. The obligations of RSA under this Section 6 are subject to: (i) RSA's having sole control of the defense of any such claim, suit or proceeding; (ii) your notifying RSA promptly in writing of each such claim, suit or proceeding and giving RSA authority to proceed as stated in this Section 6; and (iii) your giving RSA all information known to you relating to such claim, suit or proceeding and cooperating with RSA to defend any such claim, suit or proceeding. RSA shall have no obligation under this Section 6 with respect to any claim to the extent it is based upon (a) use of the Program as modified by any person other than RSA or use of any Application Program, where use of the unmodified Program would not constitute an infringement, or (b) use of the Program in a manner other than that permitted by this Agreement. THIS SECTION 6 SETS FORTH RSA'S ENTIRE OBLIGATION AND YOUR EXCLUSIVE REMEDIES CONCERNING CLAIMS FOR PROPRIETARY RIGHTS INFRINGEMENT. NOTE: Portions of the Program practice methods described in and subject to U.S. Patents Nos. 4,200,770, 4,218,582 and 4,405,829, and all foreign counterparts and equivalents, issued to Leland Stanford Jr. University and to Massachusetts Institute of Technology. Such patents are licensed to RSA by Public Key Partners of Sunnyvale, California, the holder of exclusive licensing rights. This Agreement does not grant or convey any interest whatsoever in such patents. 7. RSAREF is a non-commercial publication of cryptographic techniques. Portions of RSAREF have been published in the International Security Handbook and the August 1992 issue of Dr. Dobb's Journal. Privacy applications developed with RSAREF may be subject to export controls. If you are located in the United States and develop such applications, you are advised to consult with the State Department's Office of Defense Trade Controls. 8. TERM. The license granted hereunder is effective until terminated. You may terminate it at any time by destroying the Program and its associated documentation. The termination of your license will not result in the termination of the licenses of any distributees who have received rights to the Program through you so long as they are in compliance with the provisions of this license. 9. GENERAL a. This Agreement shall be governed by the laws of the State of California. b. Address all correspondence regarding this license to RSA's electronic mail address <rsaref-administrator@rsa.com>, or to RSA Laboratories ATTN: RSAREF Administrator 100 Marine Parkway, Suite 500 Redwood City, CA 94065 ------- end -------