Of course, you'll have to learn to build igloos (since that's what we live in) and you'll also have to buy a snowmobile to get around (or get a dog sled team if you're a traditionalist). :)

If you mean about the igloo and such, of course I am... I'm from Alberta.

If your site is a commercial site in the US, then there is no way around it--you must license the RSA algorithm from RSA (unless you want to challenge the RSA patent in court!). If you call up RSA they will give you a price quote in the thousands (I tried this once). A far cheaper way to get an RSA license is to buy RedHat Secure Web Server (now repackaged as RedHat Linux Professional).

IANAL, but I have read the "Advanced Cryptography License" that comes with Secure Web Server and I believe that the license does in fact allow you to legally run an implementation RSA using any SSL server software you want on your site. That means you can buy Secure Web Server and then legally run mod_ssl on your web site. That's what I would do if I were in your position, since mod_ssl is a quality free software product.

TLS (the IETF standard), the slightly modified SSL, does have non-proprietary algorithms. More, it requires implementations to support DSS.

Good luck in getting a DSS certificate from a CA, however, and you may need to wait a while until browsers reliably support non-RSA keys.

All in all, it's probably best to pay up for RSA until next September, when the patent expires anyway, IIRC.

Fortunately, it expires next year, so you can look forward to more open imlementations in the furure.

Having dealt with RSA on this very topic, all I can say is "Thank God!"

-137

A project I'm involved in will soon need to set up an Apache/SSL server on NetBSD. The site is commercial and located in Norway.

What are my options? (I want to stay legal of course.)

Where can I read more about the licensing terms and legalities involved in doing this?

Gunnar

Until September 2000, RSA is protected by a US patent, which is (it seems) strictly enforced by RSA Inc.

There's a whole lot of meta-discussion that could take place about the bizarre intricacies of American patent law; in fact, it's all been done here on /. Several times, I'll wager.

In most of the rest of the world, if you disclose your patent-able process/algorithm/whatever BEFORE you apply for the patent, you won't be granted a patent. Period. In the States, though, you generally have up to a year AFTER you publish, and you'll still get the patent.

The RSA algorithm was published before the patents were applied for. So, in most of the world, RSA can be used free of legal implications. Not in the US, though.

Apache/SSL uses SSLeay (I believe). SSLeay has all the software you need, including parts that are illegal in the US because of RSA's patent.

Since you will be running in Norway, I think RSA's patent doesn't apply at all, and you can use the standard Apache/SSL configuration with SSLeay (which I think is actually faster than RSA's version).

IANAL

Basically, because of this patent, US sites must license the RSA algorithm from RSADSI to use it.
Anyone outside the US doesn't really need to worry about that, and can use mod_ssl, or any other free variant you want.

While doing work-study as an (underpaid!) web administrator at a university, I was given the job of getting a secure web server up and running on a minimal budget. So I built Apache-SSL using SSLeay for our Linux web server. In the process of building SSLeay, of course, I discovered that it wasn't leagal to use in the US because of the patent owned by RSA.

So I contacted RSA and whined about being at an educational institution on a shoe-string budget, and how we really weren't going to make a multi-million-dollar eToys site or anything, and could we please use RSAREF without paying them. They were annoyed, but they didn't want to waste the time it would take to get me off their backs, so they made me promise that we would never distribute the server, that it would only be installed at our site, etc. and let me go ahead.

It was a pain to get the permission, and to get all the pieces to compile and link together, and to get a cheap certificate from Thawte and make that work... But in the end, work it did, and we were able to let people send in their confidential financial aid information on a secure socket.

So was it worth the $100 or $200 we saved? Probably not for anyone but a college student, but then again things may be easier than when I did it (circa 1996).

Get Stronghold.

When the RSA patent expires next year, it will be nice to see these people have to drop their prices to a sane level.

I'm not in the USA so the RSA patent is a non-issue.

It also has some decent modules that can be slapped in very easily. and some built in toys for application building (like support for a number of databases out of the box).

The product is free, but they'll want to try to sell you site developement tools and the like after you've had a chance to use it. It's also written in a strangish language called pike, but you really don't have to deal with it much if at all, and if you're familiar with C, then pike will look very normal to you. Pike is basically C, but in an interpreted form like perl.

http://www.roxen.com/

Once I got all that straight, I found Raven to be a very good product. You don't have to worry about RSA problems and it is easier to upgrade to the latest Apache. And since I use non-standard modules I find it a plus. Oh yah, and having an intergrated configuration file is really nice too.

Course I am just getting to play with the Red Hat version now. So far, I don't like it but that is probably because I am cleaning up someone elses mess.

In my opnion, Raven's only real draw back is price. But compare it to Stronghold and one will have a change of heart.

if you are in the unpleasant situation of living in a non-free country that doesn't allow you to use RSA encryption on your secure HTTP(S) server, just disable RSA. HTTPS is not depandant on the encryption algorithm and runs just as fine with IDEA, 3DES or blowfish. Of these encryption schemes 3DES is patent free, as secure as 128bit RC4 and implemented by all major browsers.

here is your cooking receipt for an unencumbered secure http server residing in the US:

1. dowload openssl, mod_ssl, apache
2. build & install openssl *without* RSA
3. patch apache with mod_ssl
4. build, install & configure apache as usual, enabling mod_ssl
5. lean back and enjoy

Will expiration of the RSA patent in 2000 make it free to implement RSA in the US?

However, Netscape has a patent on SSL. They apparently haven't been trying to force people to license it... yet.

But what if NetscAOL were to sell the patent to those bastards at RSADI?

RSA lost their patent on the encryption about a month ago I heard.