RE: [TLS] Comments on draft-housley-tls-authz-extns-07




On Mon, 4 Jun 2007, Mark Brown wrote:


> all methods documented prior to the RedPhone Security patent filing, and
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> those discussed early in our consensus-building process
> (http://tinyurl.com/2pvwgo ) -- are all available royalty-free under the
> GUL.  

Those would be the __prior_art__. Of course they are free. They are
available royalty free __without__ the GUL, and without a tls-authz
patent license.  Did you make some mistake? To me, your statement here
is FUD, since there is no need to obtain a GUL to use prior-art.



> To put your comment in perspective, SSL was born as a patent (See USPTO
> 5,657,390, filed August 1995, issued August 1997 http://tinyurl.com/2cnuwv),

Yes, indeed, there are a slew of software patents. These resulted in
Richard Stallman founding the LPF, and ultimately, in RFC3979.  We made
the IETF policy to put an end to the practice of submarine-patented
standards. You seem to have found a unique way around that.

> What I think this history amounts to is that OpenSSL and its users can
> stomach a handful of "off-limits" algorithms.  It's like a tradition
> for OpenSSL.. ;-)

A tradition many people want to end.  But I think we can stomach much
_less_ when we are deceived about the existence of patents by the very
IETF officials in whom we place our trust in their integrity and
honesty.

> There are now implementations of tls-authz in GNUTLS, on OpenSSL and NSS.

I don't want to seem to speak for either GNUTLS, or OpenSSL, but it
seems to me like they are against this standard, and that all
implemented it without knowing of the patent application; so I wonder if
there might be fewer implementations of tls-authz shortly.

> Free software carrying tls-authz is growing up around us whether we like it
> or not.  Because it's free (libre) no one asked me and apparently they
> didn't ask OpenSSL developers either.  

Huh?????  Perhaps they didn't ask because they didn't know about the
patent because it was improperly concealed by an IETF official who
really should be fired for his bad faith.

But, I think it is not too late to stop tls-authz, if that's your point.

> Personally, I think that's great -- I think sending SAML over TLS
> should be free (libre), and that's why I started down the standards
> track in the first place.  No FUD: The GUL is just saying that
> tls-authz should not be used to facilitate violations of a patent
> pending access control method that I am confident is new.

Are you telling us that the PAS functions are subject to a patent
application?

> Isn't a satisfactory resolution of "the patent issue" one where all people
> get to use tls-authz royalty free for any purpose and using any non-patented
> method?  

Yes, that would be satisfactory. To do that, you have to grant a royalty
free license to the public, and drop the nonsense about an "offer of a
free GUL on request".  And drop the restrictions on PAS functions from
the GUL, too. I note that you've seen the Netscape license, and I don't
know why anyone would agree to less.

> With the exception of one method that I expect will become patented,
> that's what's offered for tls-authz under the GUL.

Umm.  Actually, No, that isn't what's offered by your cereal-box offer
to give a free GUL on request.  You haven't offered any license to the
public, and RPS can't be compelled to complete the GUL in the future by
your "offer".

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   




_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.