> > Please note that any implementation of SSLeay within the United States is
> > strictly illegal.
This communication you received is a dramatic oversimplification and I
hope it won't mislead any casual readers of this list.

A short rehash of the U.S. situation for those reading, just because I
haven't seen one here in a while, and Ben very sensibly smirks at the
whole U.S. patent scene -- <grin>

A U.S. patent provides a legal right to "exclude others from making,
using, offering for sale, or selling the invention in the United States or
importing the invention into the United States." RSADSI holds valid
patents on specific algorithms; they may legally prohibit the use of those
algorithms within the U.S., and they do so.

SSLeay contains implementations of algorithms patented by RSADSI. It also
contains a lot of valuable software that has nothing to do with the
RSADSI patents. A number of U.S. companies, with advice of counsel,
believe that when using SSLeay (or other crypto software, e.g. ssh)
"glued" to appropriately licensed RSADSI software providing the patented
components, the resultant compiled software does not infringe upon any
patents held by that company. I personally subscribe to this view. C2Net
also apparently takes this view, since Stronghold contains SSLeay
components plus licensed RSA code (plus, read Sameer's comments on old
SSL-users archives). Certainly RSADSI has never brought a challenge over
such a matter to open trial, which may bolster the idea that this view is
the most correct. (There _have_ been legal actions brought by RSADSI that
resulted in settlements, we hear.)

RSADSI has asserted broader patent rights over the whole notion of
public-key cryptography, but these issues are also somewhat murky and rest
on dubious foundation.

In any case, U.S. companies should make their crypto software decisions
with the input of well-informed counsel.

The sensitivity of the choice obviously has direct relation to the size
and impact of the crypto application being discussed. Even if a valid
patent is infringed by a small noncommercial application, the
patentholder's rights of action are fairly limited. According to USPTO:
"If a patent is infringed, the patentee may sue for relief in the
appropriate Federal court. The patentee may ask the court for an
injunction to prevent the continuation of the infringement and may also
ask the court for an award of damages because of the infringement." The
risks associated with being found on the wrong side of an infringement
case escalate with the importance of the project and the amount
of damages that can be claimed by the patentholder.

As an example, if you field a single server using a patented technology
which the patentee sells openly for US$1000 per instance, but implement it
with a private version of the technology and do not pay the patentee, your
potential liability is fairly low, as it is fairly difficult for the
patentee to show much in the way of damages. However, if you develop
commercial server software along similar lines, and sell hundreds of
thousands of copies for US$100 each, your potential liability is extremely
high -- the patentee can claim millions of dollars of damages.

Anyway, "strictly illegal" is marketese -- there is nothing strict or
well-defined anywhere in U.S. patent law. It's a very subjective
discipline. So if you are in the U.S. and wish to field SSL servers with
experimental, developmental, or international crypto technology, and have
legal concerns, talk to a well-informed intellectual property lawyer and
decide what to do -- based on your legal assessment of the patent
situation with regard to _your_ particular implementation, and your
position with regard to potential liability.

Sigh. Can we all move to Australia now?

- Rob