OpenPGP Card

David Picon Alvarez eleuteri at
Tue Sep 6 13:18:49 CEST 2005

> NOTICE: Since the application does not know which cryptographic token is
> used by the user, the usage of the library MUST be done at runtime. There
> stick interface for these libraries which is described in PKCS#11

In such a case the DLL or .so or whatever MUST be GPL-compatible (GPL or
less restrictive) per the meaning of FSF in order to be GPL-linkable, or be
covered by the "standard OS component" exception.

> We need a definite answer here... So the licensing argument will be out of
> the way...

If a library runs on a shared addressable space, FSF (which is GnuPG's
Copyright holder, I assume?) considers the combined result a derived work in
the meaning of copyright law. This is the whole point of the LGPL, to have a
licence that allows linking libraries into non-free software, but which
ensures distribution of the library will always be on free terms and so on.

> A standard is a standard... And it is not matter if it describers an API,
> protocol, a command-line, a format or any other interface.
> As long as there is no intellectual rights claims for the implementation
> the standard, it can be used by GPL.

You are wrong. The GPL does not talk of standards in the meaning you
propose. If a work links to a shared library and invokes its functions it is
making use of the library in a manner similar to copying pages from another
book into your own book. This process creates a derived work of the library.
Whether the library implements a patent-protected standard, a Trade Secret
or an open, non-patent-encumbered standard is for the purposes of the
linking issue, irrelevant. Linking creates derivation.

> Hence... HTTP is a standard (RFCXXX, protocol), PKCS#11 is a standard
> API), S/MIME is a standard (RFC, format) etc... There is not difference
> between them in term of implementing a compliance software.

The difference is that when I write onto a socket to talk to an HTTP server
I do not copy its code onto my memory segment, I am making use of the server
but not copying anything from its internals, which is why HTTP does not lead
to a derived work being created. Whereas when I link in a library I copy its
code onto my memory segment, and I invoke its functions in a manner
equivalent to writing those functions onto my own code, which makes a
derived work.

IANAL (yet), but a gifted amateur :-)

More information about the Gnupg-users mailing list