Using GPG in the US

Caskey L. Dickson caskey at
Mon Nov 23 20:46:31 CET 1998

On 23 Nov 1998, Paul D. Smith wrote:

> %% "Caskey L. Dickson" <caskey at> writes:
>   cld> This is very true, however I do not believe that the RSA plugin
>   cld> was built with RSAREF and therefore does not apply to the
>   cld> discussion as to what the legal aspects of using the GnuPG RSA
>   cld> and IDEA plugins in the US are.
> Certainly, but as you point out (and as I assumed but didn't state)
> someone could rework the plugin to use rsaref.  The code that _uses_
> rsaref is distributable, it's just the rsaref code itself that isn't.
> If someone developed an rsaref "shim" for the existing plugin, that
> would be cool and distributable.  Then the docs would just have to say
> "in the US, go get rsaref from RSA, compile it, and point it out to
> configure with --enable-rsaref."  Or something :).

This may sound rude, but I'm not trying to be, I'm just tired:  What
you've concluded is what is already known.  If you want to make the shim,
do it and we'll benefit and be thankful when we can use it, otherwise
we've simply spent all this time and energy to established facts that we
all knew beforehand. (I don't know about you but that makes me feel like
I've not only wasted my time but also the time of everyone else on this
list--I don't like to feel that way.) 

One of my favorite things about OSS is that nobody ever has a (valid) 
reason to complain about how something works.  If you don't like the way
something works, modify it or get off the bus. 

>   cld> It doesn't get around the usage issue for me personally because
>   cld> almost everything I do is related to my job.
> I'm not so sure; go take another look at the details of the license.  As
> I read them, they're pretty liberal.  It looks to me like as long as you
> don't make money _directly_ from your use of RSA (like selling a program
> or a service that uses RSA) you're fine.
> For example, as I read it, there would be no problem signing email
> messages associated with your job via an RSA algorithm.

As far as signing messages: "plausable deniability".  Anything I sign
would be commercial in nature, or a bit of GnuWare, in which case I'd just
use GnuPG and RSA is moot. 

Communiating with clients and staff using messages encrypted via RSAREF in
the course of pursuing my business clearly violates the license and places
my business in the very ugly position of violating the rights of a much,
much bigger company.  Nobody in their right mind who has everything
invested in their business would do such a thing.  At least not for very
long. :-) 

As for your determination that so long as you are not directly profiting
from it you are not violating the license--you said it yourself: YANAL. 
Neither am I but I do have a business that I'd like to keep and so the
benefits are essentially nonexistent to use RSAREF.


    "Premature optimization is the root of all evil" -Donald Knuth
Caskey <caskey*>       ///                pager.818.698.2306
TechnoCage Inc.                     ///|               gpg: aiiieeeeeee!!!
If you want to build a ship, don't drum up people together to collect wood
 and don't assign them tasks and work, but rather teach them to long for
     the endless immensity of the sea. -- Antoine de Saint Exupery

More information about the Gnupg-devel mailing list