SSLeay Legality FAQ Version 1.4, Thursday Nov 21, 1996

Source: ssl-users mailing list, cjh@osa.com.au

Folk,

Here's version 1.4 of the SSLeay Legality FAQ. Additions since 1.3 are
in the areas of import/export controls in various countries.

Enjoy!

---------------------------------- Cut Here ----------------------------------

SSLeay Legality FAQ Version 1.4

Outline:

Disclaimer:

This document may contain gross errors, and neither Clifford Heath nor Open Software Associates Limited accept any liability for same. Users should do their own research and receive professional legal advice.

With regard to the legalities of using SSLeay, there are a number of geographical considerations and a number of kinds of legal considerations.

Legality/Patent Rights table:

I've broken the legal considerations into "legal" (will the govt come after you :-) and "license" (who do you need to pay patent royalties to).

Algorithm  Location         Purpose           Legal                                   License           Ref
---------  --------         -------           -----                                   -------           ---
DES        world-wide       any               mostly [#]                              public domain
RSA        US               indiv/free        only RSAref                             free              RSA
RSA        US               commercial        RSAref/BSAFE                            from RSADSI [*]   RSA
DH         US               ?                 mostly [#]                              Cylink [+]        ??
DSA/DSS    (based on Diffie-Hellman)
RC4/2      US               any               mostly [#]                              from RSADSI       RSA
RC4        elsewhere        any               mostly [#]                              seems safe        ??
IDEA       US/Europe/Japan  indiv/free        mostly [#]                              free              ASCOM
IDEA       US/Europe/Japan  indiv/commercial  mostly [#]                              $US15, ASCOM      ASCOM
IDEA       US/Europe/Japan  company site      mostly [#]                              from ASCOM        ASCOM
IDEA       elsewhere        any               mostly [#]                              free
SAFER      world-wide       any               mostly [#]                              free              Safer
MD2        world-wide       PEM only          yes                                     free [@]          rfc1319
MD5        world-wide       any               yes                                     free [@]          rfc1321
SHA        world-wide       any               yes                                     free              ??
Any(!)     France           any               only with (almost unobtainable) permit  N/A               ??
Any(!)     Russia           any               only with permit                        N/A               ??

Notes:

* RSADSI's patent on RSA (#4,405,829) runs out on 20 Sep 2000. RSAref is free under certain terms, otherwise can be licensed through Concensus. BSAFE is stronger and has RC4 but requires purchase and royalties: $25K up front, royalties the larger of 2% or $2, royalty prepayment of $5000 per annum required in subsequent years covers 50% of royalties over the following year.

+ DH by itself cannot be used for digital signatures - the El Gamal extension provides this. CYLINK claim their DH patent covers El Gamal. The US patent #4,200,770 runs out on 29 April 1997. The Canadian patent (#1,121,480) registered 6 April, 1982, runs out in 1999.

@ Acknowledgement is required - see the RFC.

# Many countries have nominal export controls, including the UK and Australia, but I only know of them being enforced in the USA. MD2/5 and SHA are not subject to export controls anywhere that I know of.

Export considerations:

The USA has regulations under ITAR (International Trade in Arms Regulations) which categorise "cryptographic and ancillary devices" as munitions. Two classes of export licenses are granted: Distribution Licenses (DLs) and Individual Validated Licenses (IVLs).

To get an IVL you must say who the customer is and why he needs DES (or 3X DES, etc.). One may then use the IVL to export to the approved end user. Thousands are granted every year and very few applications are rejected.

Systems which use cryptography for decryption only, authentication only (e.g. Kerberos authentication as available from Cybersafe and others), or can only be used for protecting financial data (e.g Cybercash etc., as long as it cannot be used for arbitrary messaging) are more-or-less readily granted a DL. DLs have also been granted for some implementations of RC4/40 bits (e.g Netscape).

Canada has back-to-back agreements with the USA's ITAR controls, so it's easy to get crypto from the USA to Canada but you can't export from Canada. More information is available from Customs Canada (Revenue Canada) and Department of External Affairs and these URLs: http://axion.physics.ubc.ca/ECL.html - Excerpts from the Export Control List of Canada, and http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html Canada's export controls.

Many other countries have export controls (UK, Australia and others), but enforcement is less stringent than in the USA. In Australia, export of cryptographic software is controlled by Customs Regulations 13B (military technology) and 13E (Dual Use Technology). The regulations are administered by the Defence Signals Directorate - mail to "Director, Strategic Trade Policy and Operations, Dept of Defence, Anzac Park West Offices APW1-1-OA1, Canberra, ACT" or fax (06)266-6412 and ask for their "Australian Controls on the Export of Technology with Civil and Military Applications". The Australian regulations are also online at http://www.austlii.edu.au/cgi-bin/sinodisp.pl/au/legis/cth/consol_reg/cer439/sch13.html. Software is defined there as "one or more programs fixed in any tangible medium of expression", which explicitly leaves electronic shipment uncontrolled. Don't carry or mail media with SSLeay-based software out of Australia - email or FTP it instead!

The UK Gov't is funding a project at Royal Holloway College which contains Key Escrow provisions. Watch for the EC DGXIII introducing European legislation under the banner "European Trusted Services", or visit http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html, ftp://ftp.dcs.rhbnc.ac.uk/pub/Chris.Mitchell/istr_a2.ps, ftp://ftp.cl.cam.ac.uk/users/rja14/euroclipper.ps.Z

France disallows *import* and use of crypto technology without a permit, and Russia requires a permit for use also.

Patent considerations:

According to 35 U.S.C. 271 (a), "whoever makes, uses, offers to sell, sells or imports ... infringes the patent." In other words, you had better ensure that you *compile out* any patented algorithms unless you intend to license them, even if the code is not executed. In fact, if you are in the USA, merely ftp'ing SSLeay into the USA is a breach of various patents. (Eric, you might consider splitting it into two ftp archives, one for the USA and an additional one for the rest of the world.)

References:

RSA:    http://www.rsa.com/
CYLINK: http://www.cylink.com/products/security/
ASCOM:  http://www.ascom.ch/Web/systec
Safer:  ftp://ftp.isi.ee.ethz.ch/pub/simpl/

For more information:

http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm - Crypto Law Survey

Credits:

Thanks to Eric Young, Rich Salz, Donald Lewine, Holger Reif, Bruce Schneier (author of Applied Cryptography), Peter Trei, Remo Tabanelli, Ben Laurie, Ulf Moeller and Michael Taylor for their contributions.

------------------------------------------------------------
Clifford Heath                          cjh@osa.com.au
Open Software Associates Limited
29 Ringwood Street / P O Box 401        Phone +613 9871 1694
Ringwood VIC 3134 AUSTRALIA             Fax   +613 9871 1711
------------------------------------------------------------
Deploy Applications across the Internet and Intranets!
Visit our Web site at http://www.osa.com