RE: [TLS] Comments on draft-housley-tls-authz-extns-07
Richard,

I see that despite efforts to identify, bracket, and set aside the FUD
concerning the RedPhone Security patent application, uncertainty and doubt
remain. I'd really like to cut through the FUD. As I mentioned earlier,
the royalty free GUL only protects a single method of computing a Boolean
authorization result -- a method that I think is new. Let's put aside fear,
uncertainty and doubt concerning one new method, when every other method --
all methods documented prior to the RedPhone Security patent filing, and
those discussed early in our consensus-building process
(http://tinyurl.com/2pvwgo ) -- are all available royalty-free under the
GUL.

To put your comment in perspective, SSL was born as a patent (See USPTO
5,657,390, filed August 1995, issued August 1997 http://tinyurl.com/2cnuwv),
has dealt with patent issues throughout its lifecycle (see for example
http://tinyurl.com/26vjnh ), and thrived after Netscape's conditional but
royalty free license grant (see archives like http://tinyurl.com/24olgv ).
FAQ #1 on the OpenSSL website is still, "Do I need patent licenses to use
OpenSSL?" (http://www.openssl.org/support/faq.html#LEGAL1) Even before the
Netscape SSL patent issued, EAY in 1996 made a list of cryptographic
algorithms that required special attention to IPR issues (
http://tinyurl.com/2ayy7d ). And since 1997 there have been other patents
that apply to SSL/TLS - for example elliptic curve crypto (Certicom) which
has already been added to several TLS standards-track drafts and RFCs. What
I think this history amounts to is that OpenSSL and its users can stomach a
handful of "off-limits" algorithms. It's like a tradition for OpenSSL.. ;-)

There are now implementations of tls-authz in GNUTLS, on OpenSSL and NSS.
Free software carrying tls-authz is growing up around us whether we like it
or not. Because it's free (libre) no one asked me and apparently they
didn't ask OpenSSL developers either. Personally, I think that's great -- I
think sending SAML over TLS should be free (libre), and that's why I started
down the standards track in the first place. No FUD: The GUL is just saying
that tls-authz should not be used to facilitate violations of a
patent-pending access control method that I am confident is new.

Isn't a satisfactory resolution of "the patent issue" one where all people
get to use tls-authz royalty free for any purpose and using any non-patented
method? Isn't that the best possible case? With the exception of one
method that I expect will become patented, that's what's offered for
tls-authz under the GUL.

--mark

> -----Original Message-----
> From: Richard Levitte [mailto:richard at levitte.org]
> Sent: Sunday, June 03, 2007 6:37 AM
> To: tls at ietf.org
> Subject: Re: [TLS] Comments on draft-housley-tls-authz-extns-07
>
> There's already been enough arguments that I agree with about the
> patent issue with this draft from Pasi, Simon and Dean. I agree with
> them all, and just want to add another voice against putting this
> draft, as it currently stands with the patent claim, on the Standard
> Track, and am in favor of putting it on the Experimental or
> Informational tracks.
>
> As an OpenSSL developer, I will oppose implementing authz in it unless
> the patent issue is resolved in a satisfactory manner.
>
> Cheers,
> Richard
>
> --
> Richard Levitte richard at levitte.org
> http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
> the fear of childishness and the desire to be very grown up."
> -- C.S. Lewis
>
> _______________________________________________
> TLS mailing list
> TLS at lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.