Using GPG in the US

Mon Nov 30 14:10:10 CET 1998

I hope this doesn't get into a long discussion, but my opinion is that
M. Taylor's intepretation of the RSAREF license is incorrect:

On Nov 24,  2:28pm, M Taylor wrote:
> From RSAREF 2.0 doc/license.txt
> ...
>     b.   The Program may not be used directly for revenue-generating
>           purposes. You may not:
> 
>           (i)  use the Program to provide services to others for which
>                you are compensated in any manner;
> ...
> IANAL but it would prevent the usage of GPG w/RSA from being use "on the
> job" for services such as USENET newsfeed (a service for paying customers),
> or encrypting business email (your work is the service you are compensated
> for). You could use it for your office hockey pool. :)

I do not think b. (i) applies to individuals being compensated for their
services to their employers, but only to companies being compensated for
services they supply.  This opinion is based on the statement at the end
of section b. that says:

          Nothing in this paragraph prohibits you from using the
          Program or any Application Program solely for internal
          purposes on the premises of a business which is engaged in
          revenue-generating activities.

I don't think they would say that if they intended to exclude any use
for which one is paid by his or her employer.

> From RSAREF 1.0 README
>  "You can't use RSAREF in any commercial (moneymaking) manner of any type,
>  nor can you use it to provide services of any kind to any other party."

So don't use RSAREF 1.0.  The RSAREF 2.0 license was deliberately made
to be more lenient so it could be used by corporations as long as they
didn't sell software that includes it or sell services that directly use it.

> Thus RSA support with or without using RSAREF cannot be official supported
> as part of a GNU package since the license and patant restrictions prevent
> it from meeting the requirements of the GNU Public License 2.0.
>
> Since all this goes against the GNU ideology, those who need PGP w/RSA
> support should consider licensing PGP 2.6.x or PGP 6.x from Network
> Associates or Network Associates International BV. Then just let the rest
> of us get on with GnuPG and its development.

I completely agree that RSAREF is against the GNU ideology and cannot be
officially supported by GnuPG; RSAREF is not open source software and the
patent excludes other free implementations.  However, the RSAREF 2.0
license is liberal enough for those of us who work for corporations to use
if we aren't Open Source purists.  Personally, I wholeheartedly support
open source software when I can, and I would love to switch completely to
GnuPG, but I can't because I still need compatibility with older PGP
signatures at least for a while.  I would glady use an RSAREF 2.0 interface
to GnuPG to ease the transition.  I took a quick look at it one day and
it didn't look trivial, so it hasn't made it to the top of my priority list
yet to do it myself.  I'll have to stick with my licensed software from
Network Associates for now.

- Dave Dykstra <dwd at bell-labs.com>