apr-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: MD4/MD5 implementation is non-free
Date Sun, 07 Jan 2007 21:35:39 GMT
On Jan 7, 2007, at 9:44 AM, Garrett Rooney wrote:
> Uhh, anyone?  It'd be really great if someone with more clue in this
> area (Cliff, Roy, one of our lawyers, etc) could take a look at this
> and let me know if it resolves our problem or not.  If not, I'll look
> into an alternate solution (either asking RSA for an explicit
> clarification or replacing the code somehow).

I thought we did.  The "clarification" is completely vague:

   Implementations of these message-digest algorithms, including
   implementations derived from the reference C code in RFC-1319,
   RFC-1320, and RFC-1321, may be made, used, and sold without
   license from RSA for any purpose.

   No rights other than the ones explicitly set forth above are
   granted.  Further, although RSA grants rights to implement certain
   algorithms as defined by identified RFCs, including implementations
   derived from the reference C code in those RFCs, no right to use,
   copy, sell, or distribute any other implementations of the MD2, MD4,
   or MD5 message-digest algorithms created, implemented, or distributed
   by RSA is hereby granted by implication, estoppel, or otherwise.

So we can implement them, make them, use them, and even sell them,
but no permission to distribute them to third parties?

When I did a search the last time, I found at least three other
implementations based on public domain code and three more that
were probably derived from the RFC with further optimizations.

The best two independent ones are by L. Peter Deutsch (new BSD
license) and Colin Plumb (public domain).  The latter was apparently
extended by "Solar Designer" and included in dovecot-1.0.  The
non-independent implementations are inside the RFC, distributed
with bug fixes by Jim Ellis, and an optimized version of the RFC code
by Joe Touch.  The one in OpenSSL is by Eric Young, and though he
claims copyright and demands advertising, he also has comments saying
the code is derived from the RFC (okay if the code merely implements
the MD5 algorithm in the RFC without using the appendix).

That's how far I got before running out of time.  We should just
compare the speed of each of these and use whichever is best.

