Posted to dev@httpd.apache.org by Eli Marmor <ma...@elmar.co.il> on 1999/05/07 11:13:50 UTC

Legal Inclusion of mod_ssl in the Standard Distribution of 1.3.7

(I am subscribed to neither mod_ssl list nor new-httpd lists, so
please CC me to any reply. In addition, I'm afraid this message will
be refused by these lists (some lists are closed for external
posters to avoid spamming); In such a case, please forward this
message to the lists).

Following the new rule regarding the inclusion of encryption code in
Open-Source packages (which you can read about in a zillion places
like:
http://www.news.com/News/Item/0,4,36217,00.html?tag=st.cn.1fd1.newstkr.ne
and others), I propose the following:

While Apache rules the web servers field, with about 60% (including
its derivatives), and no rivals (IIS has only 24%, Netscape is close
to zero), its presence is much weaker in the field of secure web
servers, including sites of e-commerce, etc. IMHO, one of the
reasons for this situation is that for newbies it is very hard to
install SSL for Apache, while in the "competitors" it is already
integrated. Contrary to other modules, this module is not part of
the standard distribution of Apache, because of legal issues.

Now that these legal issues disappear, Apache has a great
opportunity to change the picture. I don't know what is going on with
Apache 1.3.7 (where have the STATUS reports gone?), but I think it
may be a real revolution if mod_ssl can be included with the
standard distribution. It will remove one of the two areas where
Apache loses in comparisons (the other is the friendliness), and
will not only help Apache to gain a domination in the secure web
servers field, but also will strengthen its existing domination in
the field of non-secure web servers.

Thanks for your attention,
-- 
Eli Marmor
***************************************************************
 *   ___ _  __ ___  __    _ |__ _ _    marmor@elmar.co.il      *
  *     | | | \   | | \    |  / |\/     El-Mar Software Ltd.    *
   *    | | | _)  | | _)     /  | \      Tel.: 972-50-237338     *
    *    ___________________________      Fax: 972-9-766-1314     *
     *   \_________________________ \      http://www.elmar.co.il  *
      *    _________  __  ____     \ \____  __    _                 *
       *   \_______ \ \_\|  _ \  __ \____ \ \ \  | |                 *
        *          \ \   | | \ \ \_\     \ \ \ \ | |                *
         *          \ \  | | _\ \         ) ) \ \ \_\_             *
          *          \ \ |_| \___)       (_/   \_\  \_\           *
           *          \ \_______________________________         *
            *          \________________________________\       *
             *                                                 *
              *************************************************

RE: Legal Inclusion of mod_ssl in the Standard Distribution of 1

Posted by Philip Gwyn <li...@artware.qc.ca>.
On 07-May-99 Eli Marmor wrote:
> (I am subscribed to neither mod_ssl list nor new-httpd lists, so
> please CC me to any reply. In addition, I'm afraid this message will
> be refused by these lists (some lists are closed for external
> posters to avoid spamming); In such a case, please forward this
> message to the lists).
> 
> Following the new rule regarding the inclusion of encryption code in
> Open-Source packages (which you can read about in a zillion places
> like:
> http://www.news.com/News/Item/0,4,36217,00.html?tag=st.cn.1fd1.newstkr.ne
> and others), I propose the following:
> 
> While Apache rules the web servers field, with about 60% (including
> its derivatives), and no rivals (IIS has only 24%, Netscape is close
> to zero), its presence is much weaker in the field of secure web
> servers, including sites of e-commerce, etc. IMHO, one of the
> reasons for this situation is that for newbies it is very hard to
> install SSL for Apache, while in the "competitors" it is already
> integrated. Contrary to other modules, this module is not part of
> the standard distribution of Apache, because of legal issues.
> 
> Now that these legal issues disappear, Apache has a great
> opportunity to change the picture. I don't know what is going on with
> Apache 1.3.7 (where have the STATUS reports gone?), but I think it
> may be a real revolution if mod_ssl can be included with the
> standard distribution. It will remove one of the two areas where
> Apache loses in comparisons (the other is the friendliness), and
> will not only help Apache to gain a domination in the secure web
> servers field, but also will strengthen its existing domination in
> the field of non-secure web servers.

The legal issues haven't disappeared.  Quoting from the article you cite:

"As a practical matter, the government is not enjoined from applying its
regulations--except to Bernstein. [...]" she [Cindy Cohn] added. 

What this means: as of now, the US government isn't allowed to prevent
Bernstein from publishing and exporting Snuffle but is allowed to prevent
others from doing so.

If the US government doesn't appeal to the supreme court (and it would
be very surprising if they don't) then the ruling will apply to everyone.
However, if the US government does appeal, the rest of Americans have
to wait for that case to be settled (another 2-3 years) before the crypto-laws
are truly done away with.

While the decision is very important, it's not the end of the battle yet.  It
will be a very good tool to help the adoption of the SAFE Act and similar
measures.

And don't forget that the 9th district is the most overturned court in the US.

Don't forget that Apache's market is much larger than the USA.  If Apache
included mod_ssl in the standard dist, you would not be allowed to use it in
France, where they've banned all forms of encryption.

Oh!  And IANAL :)

-Philip