Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: None <port-macppc@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-macppc
Date: 12/22/1999 04:26:38

On Wed, Dec 22, 1999 at 02:08:43AM -0500, gabriel rosenkoetter wrote:
> On Tue, Dec 21, 1999 at 05:05:54PM -0500, Thor Lancelot Simon wrote:
> > That said, I don't think it's a foregone conclusion that because
> > the OpenSSL people said that their code is safe from the RSAREF hole,
> > which it may well be *if you use it for SSL*, some random program
> > that uses libcrypto, which in turn uses RSAREF, is.  Be very, very
> > careful when confronted with such claims.
> 
> What was said on Bugtraq was that OpenSSH *is* legal in the United
> States, is *not* vulnerable to the RSAREF2 bugs, and *is* being
> distributed as an integral part of OpenBSD 2.6.

Well, at least some of that is true.  I'd think twice before listening
to the OpenSSH promoters' claims that OpenSSH is "legal in the United
States" -- if you're an educational user, doing research, it *may* be
legal to use it with RSAREF, per the RSAREF license.  On the other hand,
you would be within the terms of the F-Secure license to just use plain
old SSH, too.  If you're *not* such a user, you're almost certainly
violating the terms of RSA's license on RSAREF, which is the only
thing that entitles you to use their patented RSA algorithm.

Do I think this sucks?  Of course I do.  Am I so silly as to think that
because I think it sucks, I should just tell people lies about whether
it's the way it is?  No -- I'd consider it unethical to deceive other
people into violating the law.  Some people who rant about OpenSSH
a lot seem to feel otherwise...

-- 
Thor Lancelot Simon	                                      tls@rek.tjls.com
	"And where do all these highways go, now that we are free?"