Firewall Wizards mailing list archives

Re: CA/RA packages for SSL and IPSEC


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 21 Aug 1999 21:15:36 -0400 (EDT)

On Fri, 20 Aug 1999, Wozz wrote:

Greetings,

  I'm curious as to people's experience with the various Certificate Authority
  packages available.  One thing I've noticed is that most of these packages
  require you to buy a license which includes a certain number of certs, and 
  then you have to pay-per-cert after that number.  This strikes me as kind of 
  silly.  Does anyone know of any good commercial packages that don't structure
  their licensing in this way, or a public domain package (not openssl by 
  itself please, need some sort of web interface) which can issue SSL certs
  and IPSEC certs and supports CEP for Cisco IPSEC.

In reading the RSA crypto for certificates literature, it seemed to me 
that the patent issues were clearly waived for using SSL and 
certificates, but it wasn't clear if they were for creating 
certificates.  I never followed up enough to ask (should I deploy X.509 
certificates this or early next year, I'll have to do that, because I'd 
rather use open source toolkits.)  Building an HTTP interface to any of the 
command-line packages is fairly simple.  The RSA patent issue becomes moot in 
about 13 months, at which point, US Government notwithstanding, there should 
be a great number more products available.  Given the current patent issue, 
you're possibly seeing an artifact of licensing the RSA code.  The terms on 
the RSA development toolkits aren't the most attractive I've ever seen.  Buy 
the development toolkit, write an application, and still pay per-server 
licensing.

D-H and H-M have already expired, so RSA is, as far as I can tell, the 
last of the significant public key patents to expire (I don't know if El 
Gamal falls under any, it isn't very widely used as far as I can tell.) 

If I can hold the tide for another 16-18 months, that's my current plan.  
I expect that we'll have a much better negotiating position on 
certificate licensing after next September.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


