A few of my random thoughts about what I currently know with regards
to restrictions on the use of SSLeay due to software patents and US
cryptographic export restrictions.

Be warned, I only tune into this subject in the news groups every few
months and so any corrections from people who actually know will
gladly be incorporated.

First up, my library is FREE for COMMERCIAL and non-commercial use.  I
make no money from people using the algorithms encoded in this
library. (But I would accept donations :-).  I live in Australia and
as far as I know there are no cryptographic export restrictions for
me.  If there are, I have not been 'taken away' by the guys in suits
yet and I have had my DES encryption library up for anon ftp for quite
a few years now.

All code in this library was written by me and I have never seen SSLref
or RSAref.

DES.  I have my libdes DES library in this package.  I wrote it, from
documentation in the University of Queensland library.  My library is
actually used in RSAref as well (so I have been told).  So not a
problem with this, in fact I find it 'cute' that it appears that most
SSL implementations may end up using a DES encryption library from
Australia :-).  People from the USA are not allowed to export DES due
to crypto export restrictions.  It can go in but not out.

RC4.  I have RSA's RC4 cipher in my SSL packages.  I implemented it
from source code found on an ftp site in Europe.  I am not sure of the
legal status of people in the USA using it since I think RSA are not
very happy about it being reverse engineered.  I would have assumed
that it is covered by a software patent since RSA seem to be
pioneering the field but if I remember correctly, a patented process
needs to be published before it can be issued, so since it was never
published, 'we' can use it.  So, it may be illegal to use in the USA
but I don't know.  Export is definitely a no-no.

IDEA.  The IDEA algorithm can be used in the SSL protocol but I have
not currently implemented my version (I probably will if there is
the demand and perhaps just for completeness :-).  I believe it needs
to be licensed in Europe but I'm not sure if it is due to software
patents or how they are 'enforcing' it.  It would be simple to drop in
an existing IDEA library but if it becomes part of SSLeay, I'll write
my own version to make sure I can definitely ship it under my free
licence and to keep my makefile structure neat :-).

RSA.  Ah, the big one.
The following is taken from the "The SSL Protocol" as published by
Netscape.
	The Massachusetts Institute of Technology and the Board of
	Trustees of the Leland Stanford Junior University have granted
	Public Key Partners (PKP) exclusive sub-licencing rights to
	the following patents issued in the United States, and all of
	their corresponding foreign patents:

	Cryptographic Apparatus and Method
	("Diffie-Hellman")			No. 4,200,770
	Public Key Cryptographic Apparatus and Method
	("Hellman-Merkle")			No. 4,318,582
	Cryptographic Communications System and Method
	("RSA")					No. 4,405,829
	Exponential Cryptographic Apparatus and Method
	("Hellman-Pohlig")			No. 4,424,414

	These patents are stated by PKP to cover all known methods of
	practising the art of Public Key encryption, including the
	variations collectively known as El Gamal.

	Public Key Partners has provided written assurance to the
	Internet Society that parties will be able to obtain, under
	reasonable, nondiscriminatory terms, the right to use the
	technology covered by these patents.
	......

From my understanding, it is therefore required that US people must
get a licence from PKP to use SSLeay.  People outside can use it
as much as they like since I don't think the US software patents are
valid outside of the US.  My implementation has been written from a
book on algorithms which included a section on number theory.  I
basically knew zip about RSA stuff before I started reading at the
start of April '95.  So this one is a no export from the USA and probably
a no use in the USA.  Again, I don't think they will come for you in the
middle of the night unless you make money from the code.

So we end up with a library that is free but in the USA, you must pay
money to people who the author has never met or spoken to, to not
break the law.

This same library can be imported into the USA but not exported again.

One interesting question I have is what is the status of a binary
program that is a SSL filter between the Internet and a local program
(via a named pipe or UNIX domain socket);
If I make binaries available in Australia, will people who ftp it to
the USA for free then have to pay PKP to run the program?  I could
just call it 'securelink' and not tell them the 'secret' encryption
algorithm I use.  Would they then be able to be prosecuted for violating
a patent they don't know is being violated?

Anyway, enough of my rambling, none of this affects me because
a) I'm not making any money from this so I don't need to pay anyone :-)
b) I'm living in part of the world not covered by software patent or
   cryptographic export restrictions (as far as I know :-)


eric (who can't wait until SSLeay gets posted to comp.sources.misc :-).
