Re: [TLS] Re: Comments on draft-housley-tls-authz-extns-07

To: Simon Josefsson <simon at josefsson.org>
Subject: Re: [TLS] Re: Comments on draft-housley-tls-authz-extns-07
From: Russ Housley <housley at vigilsec.com>
Date: Tue, 29 May 2007 15:01:05 -0400
Cc: tls at ietf.org
In-reply-to: <87tztvap2h.fsf@mocca.josefsson.org>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <20070528183851.2E07E33C1A@delta.rtfm.com> <87tztvap2h.fsf@mocca.josefsson.org>

Simon:

> We have a request from the IESG re draft-housley-tls-authz-extns-07.

I see many places where authorization will be useful. I would like to see this document get published as a standards track RFC.

I will also reply to Simon's comments.

> The IESG is considering publication of this document as a Proposed
> Standard. The IESG has requested that the TLS WG provide input
> (positive or negative) on this proposal. Please post comments to the
> list before Monday June 11.

I implemented tls-authz in gnutls some time ago and sent two technical
comments in <http://thread.gmane.org/gmane.ietf.tls/2365>.  I believe
one of them is still relevant:

- The size of authorization data, i.e., X.509 attribute certs and SAML
  assertions, are limited to 64kb.  Is it certain that we won't need
  more?

I recall responding to this the first time around. I said that I could not imagine needing 64KB for X.509 Attribute Certificates, but I do not have experience with SAML Assertions. I know they are bigger, but I do not have any way to gauge the likelihood that 64KB will not be enough.

Further, as many of you are certainly aware, there are patent claims on
the technology, see the IPR disclosure page at:

https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=833

The disclosure mentions a patent license.  I see two problems with the
license:

1) You need to explicitly request license from RPS.  This approach has
   worked poorly in the past.  Some companies goes away and never
   replies to such requests, leaving implementers in a legally unclear
   situation.  There are even examples of big companies not responding
   to license requests (ObExample: IBM's Unicode BOCU patent license).
   I believe this is sufficient to defer significant wide use of the
   protocol.

   This problem could be addressed by granting the rights in the license
   directly to everyone, without a need to request the license.

2) The license you get restrict use of the protocol to SAML attributes
   and X.509 attribute certificates that do not refer to legal
   contracts.  This is what I have understood 'PAS functions' in the
   license to refer to.  Whether the references must be explicit in the
   authorization data is probably not easy to decide.

   I believe there is a considerable amount of prior art for having
   implicit references to legal contracts in authorization data.  For
   example, a Kerberos ticket with a principal that refer to an
   employee's account can be seen as an implicit reference to the
   employee's contract with the company, which may include a security
   policy that needs to be followed.  Still, existence of prior art
   doesn't mean implementers can ignore a patent.

   For one project I'm involved in which is considering to use
   TLS-AUTHZ, we've informally realized that this situation is a
   non-starter, and that if we have to, we'll look into other technical
   solutions to achieve the same goal as tls-authz.

While I am quite aware of efforts to improve the patent situation -- I
have talked to Mark about the license -- I believe that until there is
consensus in the IETF community that the (possibly revised) license
terms are acceptable for wide deployment on the Internet, this document
should not be published as a Proposed Standard.

I see many places where authorization will be useful, and in many, if not most, of these places the RedPhone Security IPR does not seem to apply. This is my assessment, and I am not a lawyer. I know that the most recent IPR statement from RedPhone Security does not satisfy Simon, and I hope that will be resolved in the near future. Even if that turns out to take a long time, the protocol extensions will be useful in the contexts where the RedPhone Security IPR does not apply., Of course, the applicability must be judged by the implementors and users, not by me.

Russ


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- [TLS] Comments on draft-housley-tls-authz-extns-07
  - From: Eric Rescorla
- [TLS] Re: Comments on draft-housley-tls-authz-extns-07
  - From: Simon Josefsson

Prev by Date: Re: [TLS] Straw poll on TLS SRP status
Next by Date: Re: [TLS] Comments on draft-housley-tls-authz-extns-07
Previous by thread: [TLS] Re: Comments on draft-housley-tls-authz-extns-07
Next by thread: RE: [TLS] Re: Comments on draft-housley-tls-authz-extns-07
Index(es):
- Date
- Thread

Re: [TLS] Re: Comments on draft-housley-tls-authz-extns-07

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.