On Wed, 7 Apr 1999 13:30:25 -0500 (CDT), Dave Huang wrote:
> On Wed, 7 Apr 1999, Greg Evans wrote:
> > So by adding in the RSAREF stuff does that provide for bett encryption or 
> > ??? I don't really even understand exactly what RSAREF does/is...sorry 
> > for sounding ignorant here, but in this case I truly am
> 
> >From what I understand (and I could be wrong :), there's no difference
> in the strength of the encryption. RSAREF is legal to use in the US, but
> can't be exported. The non-RSAREF code was developed outside the US and
> can be used anywhere except the US, due to patents.
> 
> So basically, if you're in the US and want to be legal, you must use
> RSAREF. If you think patenting math is silly and don't care about the
> legalities, and can't get RSAREF even if you wanted to use it, well...
> :)

But technically, you could disable RC4 encryption when building ssh,
which would eliminate the necessity of either code (RSAREF or
otherwise), I think.  But the ssh pkgsrc does not provide a mechanism
to specify those compile-time options, I guess...?

According to a nutshell book _Virtual Private Networks_ (O'Reilly,
authors' names slipped my head), Blowfish algorithm is the way to go
if your number one concern is the encryption/decryption overhead.

Ken