For those who didn't already catch this on Slashdot, RSA Security announced today (September 6, 2000) that they have placed the RSA algorithm into the public domain, two weeks earlier than it was due to expire.
Where do we go from here?
There's no question that this was a PR move; the press release admits as much: "So much misinformation has been spread recently regarding the expiration of the RSA algorithm patent that we wanted to create an opportunity to state the facts." (Emphasis added.) Obviously, this draws attention to RSA Security that they can use for propaganda purposes; waiting until the patent was due to expire on September 20, 2000 would have given no reason for people to visit their site. Now they can try to convince us that we should continue to pay for their BSAFE library, "the world's premier implementation of the RSA algorithm". Releasing the algorithm two weeks early, their "symbolic next step", may not matter much in the grand scheme of things, and the marketing benefits of this announcement probably outweigh the remaining revenue they've forfeited. Nevertheless, it is now in the public domain, which should be good for the industry at large.
Interestingly, the press release has this twist: "This means that RSA Security has waived its rights to enforce the patent for any development activities that include the RSA algorithm occurring after September 6, 2000." This suggests that they fully intend to pursue any infringement before September 6, 2000. I am not a lawyer (IANAL), but I think implementations previously developed outside the U.S. should now be legal to use within the U.S. (I don't know if RSA Security agrees.) Perhaps implementations that were illegally made in the U.S. could be prosecuted, but would such implementations really remain illegal now that the patent is in the public domain? (There is a FAQ that might give RSA Security's views on these questions, but their site is refusing connections at the moment.)
Anyway, back to the main question: where do we go from here? Will you use the RSA algorithm in free software, now that you can? Where do you expect to see it turn up? Does this open any interesting new doors to explore? Do we need a new implementation from scratch, if RSA will pursue previous ones?
How's this for a twist. RSA knew that their patent was going to expire and when. Don't you think it would have been smart to have been developing something newer, stronger, and better to replace what they were going to lose? Just something to ponder.
I'll address the question of what this opens up. Their act does not in itself open these doors, but rather the non-enforcement of the patent.
What doors? As someone formerly involved in a Linux distro, I can attest that a lot of distros (i.e. applications included) had to limit distribution of secure product and/or manage separate versions of apps that had major weaknesses w/o the secure components. Namely, the inclusion of OpenSSL and the apps which can use it. It will be a great boon to sys admins and users for distros to come standard with SSL-enabled sendmail, apache, imap, ldap, openssh, stunnel, and the like. Not on their inclusion, but the addition of management apps that will enable tools to be easily implemented and managed. (Can we say x.509 certificate management anyone?)
Some minor distros were even formed to extend larger distros and provide such applications and management, and because of this change in the software landscape, some of these enhancements can be rolled into the larger work and make any unnecessary duplication of effort go away.
Ever since the US crypto export regulations were loosened (and the clarification that binaries build from exportable source are exportable), lots of US-based free software projects have been planning to add crypto features. This just lets them start adding RSA support a little earlier.
I suspect that most projects which want crypto will simply use OpenSSL, although Mozilla.org is building what looks like a new crypto library (called NSS) mostly from scratch.
If RSA's library is now Free Software (which it would be if it's completely public domain) we're one step closer to a GPL-compatible SSL implementation. OpenSSL is under a BSD with advertising clause license which makes it GPL incompatible and generally a pain in the ass to work with.
Don't you think they and every other even half-decent cryptographer have been trying to do that all the time since RSA filed their patent many years ago?
Smart public-key algorithms don't grow on trees.
yakk: RSA isn't changing anything about their library (BSAFE), they're just announcing that they won't enforce their patent on the RSA algorithm for the remaining two weeks of its life. So if you want code, you still have to write it yourself.
> If RSA's library is now Free Software (which it would be if it's completely public domain) we're one step closer to a GPL-compatible SSL implementation. OpenSSL is under a BSD with advertising clause license which makes it GPL incompatible and generally a pain in the ass to work with.
Sorry, they didn't release their library. They released the algorithm to the public domain. It was inevitable anyhow; it would have entered the public domain automatically when the patent expired on September 20, 2000. All they did was to voluntarily release it 2 weeks early for public-relations reasons.
RSA's BSAFE library is no longer protected by the RSA patent, but it remains copyrighted code that they will continue to charge for licenses. However, other companies may now compete with RSA's code in the U.S., as can free software. So this is good for free software, but RSA certainly isn't giving away any code. It's just a level playing field for once.
They don't have guaranteed income from controlling the patent; their hope now is that people continue to pay for their code either out of habit, or because they believe it is the best (or most trusted) implementation available. (It's not unrealistic; many businesses are very conservative, especially when it comes to security. They will keep many customers who don't want to fix what isn't broken.)
For anyone who hadn't heard the story, apparently British spooks invented public-key encryption (both Diffie-Hellman and RSA algorithms) long before the academic researchers who receive the credit. However, they called it "nonsecret encryption", and the British government classified the discoveries and sat on it, even after the "inventions" of Diffie-Hellman and RSA were made public. Maybe they didn't understand the full implications for key management, but they discovered the algorithm first...
Makes you wonder how meaningful patents on mathematical algorithms really are, doesn't it? Are these really "inventions" or are they simply discoveries? What would have happened if advancements in Calculus or Physics had been patented?