spf-discuss

RE: let's get rid of SRS

2004-05-20 07:22:59
[Roger Moser]
Nico Kadel-Garcia wrote:

Using RSA keys gets into various national and international encryption regulations. It's a nasty, nasty software booby trap, one that has been previously slammed into headlong by the open source community and the security community.

Very seriously, beware of forcing servers to RSA authenticate themselves.

Then Yahoo's Domain Keys will have the same troubles.

The patent on RSA expired in the U.S. in September 2000. Software
patents don't exist in most of the rest of the world; the RSA algorithm
(but not the reference source code) can be used freely for signing
almost anywhere. It is used in the open SSL/TLS, SSH, S/MIME, and other
standards that are freely in use worldwide.

Some countries (notably France) have very strict laws about the use of
strong encryption, but very few countries regulate strong digital
signatures to the same degree.

Basically, if you can legally set up an Apache web server running
OpenSSL in your country, you can use RSA freely. Call your local ISP and
ask them if they use OpenSSL (the free version, not any commercial
alternative) on their web servers; chances are if they do they do not
pay RSA a separate license fee. Assuming you trust your ISP's knowledge
of such things, you can probably use RSA legally in your country.

This is an anecdotal summary, not a legally rigorous one, but I've been
involved in discussions about these issues on the GnuPG mailing list
over the last six or seven years. I'm 95% confident I'm correct about
this.

Regards,
        Ryan

