Using GPG in the US

brian moore bem at cmc.net
Mon Nov 23 15:38:36 CET 1998 

On Mon, Nov 23, 1998 at 02:56:01PM -0800, Caskey L. Dickson wrote:
> On Mon, 23 Nov 1998, Jimmy Kaplowitz wrote:
> 
> > Thanks, Brian, and everyone else who responded to my questions. (I guess
> > that would be you, Casey :) The replies were very helpful. One further
> > question, though. What are the RSA and IDEA plugins, why can't I legally
> > use them in the US, and is there some legal way to get that
> > functionality with GPG in the US?
> 
> I can't speak about IDEA, but RSA is patented in the US.  That means that
> to use it you must have a license from the patent holders.  Without that
> license, under US intellectual propertly laws you would be infringing upon
> the creator's (patent holder's) rights of sole exploitation of something
> they devised.  In a short while (2 years?) the RSA patents will expire as
> well and then there will be no restriction upon use.

IDEA is likewise patented (and, worse, it's worldwide: it's really not
usable in any commercial setting without paying royalties, though
Ascom hints that they may license it for 'freeware' it's still not
proper in a GPL'd work, since it's unclear if Linux is 'freeware' if
you buy it on CD).  You can use it 'for private purposes' freely
though.  But since some of us effectively have no life (who, me?) and
most of their life is their job, it's not very useful to me.

> With software, the whole scheme gets screwed up.  It effectively becomes a
> license to use software, without which you are infringing upon the owners
> right to decide who gets to use his ideas.

And the lifetime is insane for software.  17 years is 8-10 generations
of computer hardware.  (Of course, copyrights on software are silly,
too, since author-lifetime+75/50 years is effectively forever.
You can't run Wordstar on your CP/M-80 emulator without a license...)

> As luck would have it, patents do expire (17years?) and cannot be renewed.

And as double luck would have it, RSA was patented too early.  In less
than two years the RSA patents expire, which makes the choice of RSA or
ElGamal one of taste not legality. :)  Of course, RSADSI has managed to
stymie a lot of electronic commerce in the meantime.

That said: you can use the IDEA plugin fine if you're not doing it for
work.  The RSA plugin you normally could use for non-commercial
purposes.. but... the good folks at RSADSI insist that the only
implementation of RSA is in their 'RSAREF' and that's the only version
that gets the free license in the US.

So, it's technically a violation of patent law to use the RSA plugin
in the US, whether for commercial purposes or not.

The good news is that this legal mess has been a problem for PGP, too,
so the 'freeware' versions of PGP don't do RSA anymore and the newer
keys are quite happy getting along with GPG.

-- 
Brian Moore                       | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker     |  a cockroach, except that the cockroach
      Usenet Vandal               |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster

More information about the Gnupg-devel mailing list