RE: [TLS] Comments on draft-housley-tls-authz-extns-07

A few points I think are relevant:

1) The RedPhone Security (RPS) patent application and its General Use
License (GUL) protect a *new* method of verifying authorizations.

2) If it's been published or in use prior to RPS's patent filing, then *any*
such method of verifying authorizations is "prior art", and can be used with
tls-authz under the GUL.  There are a lot of prior specs in this area...
And of course you're free to invent new verification methods, etc.  Only one
method is reserved by RPS under the GUL.

3) tls-authz doesn't specify any method for verifying authorizations.

The GUL provides a way to be sure that RPS won't raise any claims of
infringement against you (except obviously the PAS functions).  Since nobody
knows precisely which RPS patent claims will issue, executing a GUL may help
to alleviate concerns right now.  The RedPhone Security GUL amounts to a way
to guarantee for yourself that sending any "prior art" SAML / AC assertions
over TLS will be royalty-free.  On the whole it's your choice to use the GUL
or not.

I'm glossing over some details, but these are the main issues.  I think we
all would benefit from agreeing there is value in authorizing TLS sessions
using assertions, that the tls-authz mechanics are straightforward (and
don't favor RPS IPR), and that using all prior art authorization methods
should be -- and can easily be -- royalty-free under tls-authz and the
RedPhone Security GUL.

--mark


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.