[Fedora-legal-list] Re: Legal Problem: md5 implementation
Tom "spot" Callaway
tcallawa at redhat.com
Wed Jan 2 22:13:33 UTC 2008
On 09/18/2007 Enrico Scholz wrote:
> * 2000, RSA changed license to allow usage of "the reference C code
> ...
> without license from RSA for any purpose"
A blast from the past on this one:
I've been giving some thought to this RSA license issue, and rereading
all of the relevant documentation.
A couple of points:
The original RFC1321 reference code is here:
http://www.faqs.org/rfcs/rfc1321.html
That code is under BSD with advertising (which is GPL incompatible). The
contents of the RFC are explicitly stated to be freely redistributable
(not public domain).
In 2000, RSA clarified some of the legal issues:
http://www.ietf.org/ietf/IPR/RSA-MD-all
What they said was that:
Implementations of these message-digest algorithms, including
implementations derived from the reference C code in RFC-1319, RFC-1320,
and RFC-1321, may be made, used, and sold without license from RSA for
any purpose.
This means that the RFC1321 reference implementation can be used without
the license, and it effectively becomes Copyright only.
Accordingly, I'm going to have Fedora deal with this issue by implenting
a policy that whenever we come across C code that implements RFC-1319,
RFC-1320, and RFC-1321 (MD2, MD4, MD5) under the troublesome BSD with
advertising clause, we will be using it without license from RSA.
In English, it means that we don't need to worry about resolving these
conflicts, but we should advise upstream of the situation, and recommend
that they "use" this code without RSA's license as well, and reflect
that usage in the source code by removing RSA's license (but not RSA's
copyright).
~spot
More information about the Fedora-legal-list
mailing list