On Tue, Feb 06, 2001 at 01:40:32PM -0700, [EMAIL PROTECTED] wrote:
> I asked this a week or so ago, but it was a day that the mailing list was
> having trouble, so I wonder if many people received it. So, I'm asking
> again. My apologies to those who got it the first time.
> 
> Is it legal to use mod-ssl (or apache-ssl) in the US for commercial
> purposes? I've seen some conflicting documentation on the matter (and it
> seems like I heard laws changed regarding this recently as well???). Also,
> is using mod-ssl or apache-ssl as secure as one of the secure commercial
> apache solutions (e.g. Stronghold)? And lastly, from what I've seen, most
> people seem to prefer mod-ssl over apache-ssl. I'm interested in
> preferences and opinions on this as well.

It is now.

Before Sept 20, 2000, the RSA algorithm was patented in the US and you
would need a license from RSA to use any implementation of the
algorithm.

A couple weeks before the patent expired, RSA released the algorithm to
the public (which was a nice gesture, but would have been a lot nicer 5
years ago...).

The freeing of RSA wasn't due to the US Govt suddenly getting a clue
(you know the same evil crypto stuff that Evil Terrorists use is what
makes your purchasing a book from Amazon 'safe'?) but due to the
expiration of the patent.

At this point, the only restriction on crypto is the bizarre US export
laws (which haven't changed: an executive order doesn't change the laws,
it's merely a statement on how they will be enforced), but mod_ssl was
written in the UK (which is trying hard to have laws as silly as ours,
but isn't quite there yet in crypto export) and is perfectly legal to
import.  [Well, the only restriction for US users anyway... I don't want
to think about how silly French crypto laws are....]

-- 
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack
'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g; 
