Subject: Re: OpenSSL import
To: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 06/29/1999 21:35:05

On Tue, Jun 29, 1999 at 08:41:31PM -0400, Michael C. Richardson wrote:
> 
>   What else should I remove? From comments on the list, I take it that
> rc2, rc4, rc5, rsa have to go. Anything else?

That is certainly not my position.

I would personally be quite happy if you left the current structure, minus
code that has patent or other IP issues.  I personally think that leaving
the RSA code in cryptosrc-intl is a good idea, so long as building it can
be disabled.  I see no problem with having an OpenSSL distribution, minus
the code that has known intellectual property issues, in cryptosrc-intl/dist,
with reach-across makefiles.  Clearly nothing has to reach into the MD5 or 
SHA1 subdirectories and duplicate what's already in libc in the built
libraries.

To my knowledge, the code that has intellectual property problems is:

	* IDEA (Ascom patents)
	* MD2 (license does not permit use except with a certain mail package)
	* RC4 (fine *if you don't call it RC4*; a trademark issue)
	* RC5 (U.S. patent issued, int'l patents pending AFAICT)
	* RC2 (trademark issue, as with RC4)

I would love to be wrong about any of these but I'm pretty sure I'm not.

Thor