RE: [TLS] Comments on draft-housley-tls-authz-extns-07
On Tue, 29 May 2007, Mark Brown wrote:
> A few points I think are relevant:
>
> 1) The RedPhone Security (RPS) patent application and its General Use
> License (GUL) protect a *new* method of verifying authorizations.

Please clarify this "GUL". The last proposal you presented on the IETF
list was not a license at all, but instructions on how to request a
license which was to be given for free upon request. As was noted at
the time, this offer is not a license. As was also noted at the time,
this offer of a free license on request can end at any time. Your offer
is no different from the free offers on a box of cereal----when the
gizmos run out, the offer is no longer valid, no matter how many box tops you
have. There is nothing that compels RedPhone Security to issue a
license. There is nothing that prevents RedPhone Security from changing
the terms in the future; after the standard is well entrenched, widely
implemented and used in many products. There is nothing that compels
successors of RedPhone Security to continue to offer free licenses. 21
years is a long time, in 184 WIPO countries.

If you have changed the terms since last discussed, it would be helpful
to post the new terms.

If you have not changed these terms, then it seems inappropriate to
describe this offer as a licence, since no license is obtained until
__after__ RedPhone Security issues a license in response to a request.

As I said, 21 years is a long time, and you've already deceived the IETF
at least __7__ times on this issue. I count each time you submitted a
draft that asserted to have no undisclosed patents. There are probably
more times if we count the IESG discussion approving the draft; but
there are at least 7.

> 2) If it's been published or in use prior to RPS's patent filing, then *any*
> such method of verifying authorizations is "prior art", and can be used with
> tls-authz under the GUL. There are a lot of prior specs in this area...
> And of course you're free to invent new verification methods, etc. Only one
> method is reserved by RPS under the GUL.

This is true of any patent, but it is always expensive to litigate. My
view (as you already know) is that your patent is entirely covered by
prior art, is not novel, and therefore should not be issued by the PTO.
The PTO issues many such patents, however, despite efforts to identify
prior art and obvious claims.

> 3) tls-authz doesn't specify any method for verifying authorizations
>
> The GUL provides a way to be sure that RPS won't raise any claims of
> infringement against you (except obviously the PAS functions).

This is FUD. Obviously, a licensed use can't be objected to as an
infringement; the use is ___licensed___. But why the hurry?

Some background:

A frequently cited drawback to the patent law of most countries is that
the patent is valid as of the filing date (January 2005 if I recall).
Unlicensed use of authz-extns between 1/2005 and now is infringement, if
the patent issues. While RPS __can__ assert a patent infringement claim
for this period, usually halting use is sufficient for most attorneys
to agree not to press the issue. But there are also criminal penalties
for intentional infringement; these usually only come into play when you
willfully ignore the law and the patent. You can't bury your head in
the sand and just use authz-extns. Anyone using authz-extns should stop
immediately or get a license from RPS. But maybe the license isn't a
'good thing'.

Another problem with the GUL is that you must agree to not implement PAS
functions. Why is this bad? Why the FUD to scare people into licensing
quickly? Here's why:

Even if you later stop using authz-extns (say because we design a
non-patented alternative), this agreement may still be valid, and it may
be difficult to get out of it---And then you won't be able to implement
PAS functions (well, not without paying RPS or its successors). So,
executing the agreement may be worse even than the patent. So, it is
probably better to stop using the patented protocol immediately, and pay
cash damages _if_ RPS presses for reparation for the (short) unlicensed
use.

What to do?

It can't be ignored that a patent may issue on the authz-extns draft.
Implementers who have already implemented authz-extns should remove the
implementation from distribution immediately. They now have notice of
possible infringement. They should even remove old versions containing
implementations, and they should notify their users of the likely
infringement and inform their users they should stop using the (likely)
patented code. You should look closely at the PAS functions and the
license agreement and think about at least the next 21 years, and
possibly forever, before you sign the agreement.

Don't forget to tell the IESG that you don't want this protocol
standardized.

> Since nobody knows precisely which RPS patent claims will issue,
> executing a GUL may help to alleviate concerns right now. The
> RedPhone Security GUL amounts to a way to guarantee for yourself that
> sending any "prior art" SAML / AC assertions over TLS will be
> royalty-free. On the whole it's your choice to use the GUL or not.

Using prior art to create an alternative to authz-extns ensures that no
patents will issue that encumber the standard. I favor a new draft,
based entirely on prior art.

--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000