From: Alex Tang <altitude@umich.edu>
I talked with RSA yesterday specifically about free servers and RC4. They just said that they would need a business plan for the server product. When i said that the product would be free, they started talking in circles about how everyone who uses RC4 needed a license (but i was asking about the licenses...) I asked flat out "how much would a license for RC4 cost for a free server product". They only reponded with "Very Expensive", and then went on about a business plan.
Ask them about the free version of RC4 which is circulating. If they say it is patented ask them for the patent number. Ask them why you should pay them big bucks if you can get it for free.
Here's their reply to a similar correspondence:
The RC4 algorithm is copyrighted by and intellectual property of RSA Data Security. For use of this algorithm in a product or service you plan to sell, you may use the RC4 software implementation from our BSAFE toolkit. Licenses are not available for other commercial software implementations of this algorithm other than what is included in our BSAFE toolkit.
I wasn't aware that you could copyright an algorithm. Patent, yes, but not copyright. Intellectual property meens secret, right? Aren't there any precendence cases involving propriety schemes that are reverse engineered? I know there have been, I just can't remember what they are. In any case, RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and even if they lose there are considerable legal fees involved for whoever tries it. What if a bunch of people put secure HTTPd servers online at the same time, without any clear trail pointing to the first one? If the RC4 code really is legal to use, this would make it hard for RSADSI to pinpoint anyone to sue, thus eliminating the intimidation factor. By the way, since RSA is such a vocal opponent of the Clipper chip on the grounds of its secret Skipjack algorithm, why does it market secret algorithms like RC4 and RC2? Does this seen like a double face to anyone else? ----------------------------------------------------------- Russell Ross email: rross@sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953
The RC4 algorithm is copyrighted by and intellectual property of RSA Data Security. For use of this algorithm in a product or service you plan to sell, you may use the RC4 software implementation from our BSAFE toolkit. Licenses are not available for other commercial software implementations of this algorithm other than what is included in our BSAFE toolkit.
I wasn't aware that you could copyright an algorithm. Patent, yes, but not copyright. Intellectual property meens secret, right? Aren't there any precendence cases involving propriety schemes that are reverse engineered? I know there have been, I just can't remember what they are. In any case, RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and even if they lose there are considerable legal fees involved for whoever tries it. What if a bunch of people put secure HTTPd servers online at the same time, without any clear trail pointing to the first one? If the RC4 code really is legal to use, this would make it hard for RSADSI to pinpoint anyone to sue, thus eliminating the intimidation factor.
RSA wants money (this comes from speaking with an RSA sales guy - Dave Garifolio, who incidentially sends out really neat RSA folders full of info you can take out of the folder and put elsewhere leaving you a cool folder) for the toolkit, thats all. They send you to some sister corp of theirs and then charge you for the license. Dave tells me there might be a chance you could buy one kit from RSA, design the server and anyone who wanted to use it could pay something like a $300.00 fee to lic. the thing. However, in the aformentioned folder, Dave sent me all kinds of "we want big cash" paperwork, which I have yet to read (as anything you've gotta put in a really cool folder to get me to read can't be worth the time out from sleeping.)
By the way, since RSA is such a vocal opponent of the Clipper chip on the grounds of its secret Skipjack algorithm, why does it market secret algorithms like RC4 and RC2? Does this seen like a double face to anyone else?
Uh, yeah. Jason Weisberger jweis@primenet.com http://198.147.97.19/~jweis
By the way, since RSA is such a vocal opponent of the Clipper chip on the grounds of its secret Skipjack algorithm, why does it market secret algorithms like RC4 and RC2? Does this seen like a double face to anyone else?
----------------------------------------------------------- Russell Ross email: rross@sci.dixie.edu 1260 N 1280 W voice: (801)628-8146 St. George, UT 84770-4953
Patented does not equal secret. The argument against Clipper (at least one of them ;-), is that it has not been subjected to review outside of the NSA. I believe the code for RC4 and RC2 is accessible and has been subjected to review by many in the crypto field - you just can't use it legally without a license. Noam
| I believe the code for RC4 and RC2 is accessible and has been subjected to | review by many in the crypto field - you just can't use it legally without | a license. This is not correct. RC2 is not public; something that interoperates with RC4 was posted to cypherpunks & sci.crypt last year. Neither have undergone any peer review that has been published (AFAIK). A paper on RC5 is listed in the Crypto 95 schedule, but nothing on RC4. Also, the usability of RC4 is very open to question. Since it was a trade secret, it was not patented. Several smart people have said that once a trade secret becomes well known, its out protections. But few people want to get a nasty letter ffrom RSA's lawyers, so no one in the US has released anything with RC4 in it without the RSA licenses. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
On Wed Jul 26 16:09:38 1995: you scribbled...
Ask them about the free version of RC4 which is circulating. If they say it is patented ask them for the patent number. Ask them why you should pay them big bucks if you can get it for free.
Here's their reply to a similar correspondence:
The RC4 algorithm is copyrighted by and intellectual property of RSA Data Security. For use of this algorithm in a product or service you plan to sell, you may use the RC4 software implementation from our BSAFE toolkit. Licenses are not available for other commercial software implementations of this algorithm other than what is included in our BSAFE toolkit.
I wasn't aware that you could copyright an algorithm. Patent, yes, but not copyright. Intellectual property meens secret, right? Aren't there any precendence cases involving propriety schemes that are reverse engineered? I know there have been, I just can't remember what they are. In any case, RSADSI is likely to sue anyone who attempts to use the RC4 code openly, and even if they lose there are considerable legal fees involved for whoever tries it. What if a bunch of people put secure HTTPd servers online at the same time, without any clear trail pointing to the first one? If the RC4 code really is legal to use, this would make it hard for RSADSI to pinpoint anyone to sue, thus eliminating the intimidation factor.
So, does anyone know for certain if this is the true letter of the law? Since RC4 has been reverse engineered (or leaked) to the public, do they have any claim on it if there is no patent? Seeing the legal web that surrounds a lot of the current crypto situation in the US, it's not surprising that RSA would try to smoke screen everyone into thinking that there would be a clear violation (prosecutable by law) if anyone used RC4 without getting a license. (It's also not surprising that no one's tried as well...) ...alex... Alex Tang altitude@cic.net http://petrified.cic.net/~altitude CICNet: Unix Support / InfoSystems Services / WebMaster / Programmer Viz-It!: Software Developer (Check out http://vizit.cic.net) UM-ITD: TaX.500 Developer (Check out http://petrified.cic.net/tax500)
participants (5)
-
Adam Shostack -
Alex Tang -
Jason Weisberger -
rross@sci.dixie.edu -
stopak@orionsci.com