Re: New License Request: RSA-MD


Philippe Ombredanne
 

On Wed, Jan 28, 2015 at 9:10 AM, Sam Ellis <Sam.Ellis@...> wrote:
I'd like to request the addition of RSA's Message-Digest license to the SPDX License List.
I have seen two variants of this license for MD4 and MD5 algorithms, with the difference
between these being only the copyright line and the name of the algorithm, and thus
it may be possible to represent both of these with a single license template.
Details of the proposed addition are as follows:

Full Name: RSA Message-Digest License
Short identifier: RSA-MD
URL: Can be seen in Appendix A of the published MD5 standard:
http://www.faqs.org/rfcs/rfc1321.html
OSI Approved: No
Specimens: Plain text copies of the MD4 and MD5 licenses are attached to this email.
Evidence of use:

An example of both MD4 and MD5 can be found here, by searching for
"Message-Digest": http://www.zimbra.com/license/open_source_licenses_8.5.0.txt

A quick search on the internet shows that the license can be easily found in other
software too, for example:

http://dev.mysql.com/doc/refman/4.1/en/license-md5-41.html
http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/libkern/crypto/md5.c

Sam:
I agree with you, both licenses are common enough in the wild.

Both the MD4 and MD5 notices are found in RFCs, which is a good
reference URL IMHO as they were crafted and submitted there by Ron
Rivest from RSA.

MD4: page 6/7: https://www.ietf.org/rfc/rfc1320.txt
MD5: page 7: https://www.ietf.org/rfc/rfc1321.txt

Another common occurrence for these is in the cURL codebase:
https://github.com/bagder/curl/blob/master/lib/md4.c
https://github.com/bagder/curl/blob/master/lib/md5.c#L163

Note: the same license can be found in the PKCS-11 / Cryptoki code at:
http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-11-cryptographic-token-interface-standard.htm
such as in: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11f.h
or ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs11t.h

Since the MD4, MD5 and Cryptoki license variations are limited to the
algorithm names it could be great if someone from RSA/EMC legal could
chime in on the templating... that would make things much simpler for
everyone!

Finally there is also the less common MD2: See page 6:
https://www.ietf.org/rfc/rfc1319.txt
It has a similar but different text so is another one altogether and
may not yet warrant an SPDX inclusion.
It is restricted to email: "License to copy and use this software is
granted for non-commercial Internet Privacy-Enhanced Mail"
You can find it in original BSD distributions such as FreeBSD:
https://svnweb.freebsd.org/base/stable/2.1/lib/libmd/ (NB: together
with the md4 and md5 code and licenses)


--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode : What's in your code?! at http://www.dejacode.com
nexB Inc. at http://www.nexb.com
