Subject: Re: quickly find what applications are affected by RSA
To: None <>
From: Thor Lancelot Simon <>
List: current-users
Date: 09/08/2000 02:50:02
On Fri, Sep 08, 2000 at 02:09:44PM +0900, wrote:
> >> >How can I quickly find (or create) a list of BSD-related applications that
> >> >use the RSA algorithm?
> >> >(Not exactly, NetBSD related: OpenBSD says "A clever trick allows us to
> >> >distribute the same CD-ROM (USA and the rest of the world) and maintain
> >> >full strength crypto without violating the RSA patent in the USA." Does
> >The "clever trick" is ignoring the entire body of statute, regulation, and
> >precedent relating to contributory patent infringement.  Quite a trick,
> >huh?
> 	if you could, could you elaborate/give more background of the above
> 	statement?  pleaes give me an URL or whatever...

If you want to learn about U.S. patent law I can recommend the excellent
book "Patent It Yourself!" published by Nolo Press.  It's a bit thin on
this kind of detail, however.  If you really want to get advice about
contributory patent infringement, I suggest you ask a lawyer; I am not
a lawyer and I cannot give you legal advice.

However, a brief summary of what I have learned over the course of many
years of discussion with the numerous patent attorneys advising my
sundry employers (as well as one I consulted myself on this _exact_
issue, at my own expense):

If I have a patent, I can prevent you from infringing my patent.  The
simplest explanation of how you might infringe my patent would be that
you infringe if you make, use, or sell a device which is described by
at least one of my patent's claims.

However, it's a bit more complex than that.  The doctrine of 
contributory infringement is designed to prevent unethical manufacturers
from, in essence, tricking their customers into violating the "use" part
of the prohibition above while themselves avoiding liability with regard
to the "make" or "sell" parts.  Taking that into consideration, the
rule is about what you'd expect it to be: if you make or sell a device
which is specifically designed so that use _must_ infringe my patent,
though it is not sold in a condition in which it infringes, though the user 
of your product is liable for violating my patent you are _also_ liable,
for contributing to his infringement, even if you did not supply the
device in a condition in which it infringed.

For a simple example, let's say I get a patent on a tubeless automobile
tire using a valve with a flanged stem.  If you build a tire which will
only accept a valve with a flanged stem, or which will leak if any other
kind of valve is used, but do not sell it with the valve, you still 
probably infringe my patent under the doctrine of contributory infringement.
In ruling on this kind of issue, a court is particularly likely to find
that you infringe if, for example, you sell your tire with an 
advertisement loudly proclaiming that it is "designed to accept flanged-
stem valves available from many suppliers!".

In particular, if you're obviously inducing the people who use your
product to infringe a patent by modifying it, and especially if you
*give them instructions* for modifying it in such a manner that it
infringes, the courts are likely to take a very dim view of your

Another way to state much of the above is that if you sell a product
which is specifically designed to infringe a patent if it is used in
a way in which it is likely to be used, even if you do not sell it for
that use, you're probably liable.  Duh.

> 	(especially when you send a message to public, with some text which can
> 	be considered an attack to other project...)

You can consider my text to be whatever you care to consider it to be.  It
really doesn't matter to me -- I am quite well aware of the law relating to
this particular issue and the statement to which I was responding is quite
a load of crap.  The "simple trick" is playing with fire and that's why the
NetBSD Project didn't do it.  Furthermore, the people involved with the
"other project" you're referring to are certainly aware of this because after
I had my patent lawyer explain it to me (the most recent time) I shared the
results of that inquiry with them.  Even though I don't like them very much.
If you want to give me crap about "an attack to other project" go ahead, but
frankly I think given my history on this issue you're way off base.

> 	netbsd have been shipping openssl pkgsrc, which include RSA.  why
> 	netbsd pkgsrc is not considered a contributory patent infringement and
> 	openbsd (RSA-only) binary package is?

As I said above, I'm not a lawyer and I'm certainly not a judge.  I didn't
have anything to do with importing OpenSSL into NetBSD's pkgsrc so I can't
say anything about the reasoning of the people who did so.  However, it is
quite noteworthy that NetBSD's pkgsrc is not a distribution of usable 
software; it is a system for automatically patching other people's software
to work on NetBSD.  We do *not* build nor do we supply binary packages of
OpenSSL; the OpenSSL in our source tree had every vestige of RSA removed
after I raised the exact issue described above.  The fact that someone's
made OpenSSL work on NetBSD, and that we recorded what he did and ship
that set of instructions, is *very* different from my point of view than
shipping a "modular cryptosystem" where the only module is RSA and you
make no effort to keep people in the U.S. from using it -- in fact, you
basically encourage them to do so, with a big wink and nudge.

We don't maintain the software that's in pkgsrc, we don't hold copyright, 
and we don't even distribute the source code -- the user has to fetch it
and build it himself.  There's stuff "in pkgsrc"  with all kinds of
intellectual property restrictions on it that make it inappropriate for
inclusion in NetBSD proper, but you've got to remember that when we say 
"in pkgsrc" what we really mean is "pkgsrc has some patches that will
make it easier for you to build and install this", not "pkgsrc has the
source code to this in it, we maintain and distribute it, let us know
if you have any trouble".

That's a pretty substantial distinction from my point of view.  Where
it falls with regard to the law is a judgement call that I'm not
comfortable making -- and no, I didn't ever ask a lawyer about it,
because this is the first time it's really been brought to my 
attention -- and considering that RSA prematurely stopped the clock
ticking on their patent, I guess it doesn't matter any more.

Whew.  If you want to know more, get a lawyer and ask him.  There are
probably mistakes in the above, both in statements of fact and in
both my expression of and my understanding of the relevant law; I am
*not* a lawyer and this is *not* legal advice -- take it for what it's
worth, the personal understanding of someone who's spent a lot of time
trying to get his head around this (complex and ugly) issue.

Thor Lancelot Simon	                            
	"And where do all these highways go, now that we are free?"