Subject: Re: pkg: crypto question
To: Jaromir Dolecek <>
From: Todd Vierling <tv@NetBSD.ORG>
List: current-users
Date: 03/16/1998 12:53:16
On Mon, 16 Mar 1998, Jaromir Dolecek wrote:

: >From what I've heard it seems to be okay to _import_ crypto
: software to USA, so it would be okay to add pgpi or SSLeay to packages.
: Am I right ?

Yes and no.

It's okay to make pgpi, version 5, a pkg.  The RSA routines in PGP 5.0 are
licensed with RSA Data Security, Inc., in the USA, so they can be used
without worrying about license problems.

On the other hand, PGP version *2* (2.6.3, most likely) cannot be used
inside the USA without using RSA's own brand of crypto code, named "rsaref".
I have a PGP 2.6.3a pkg, which chooses rsaref or the built-in routines
automatically, waiting to be integrated as soon as I can test it with the
new <> rules for my rsaref pkg.

For the most part, it is legal to import crypto into the USA--if it wasn't
illegally exported from there in the first place or patented by some company
inside the USA.

Bloody ITAR.

-- Todd Vierling (Personal; Bus.