Re: [Cfrg] RG Last Call - draft-irtf-cfrg-ocb-00

Phillip Rogaway <> Wed, 13 February 2013 07:28 UTC

Thanks everyone for comments already made on the OCB Internet Draft.

Ted asked me to answer some questions on the free licenses.  I’m not so sure that the CFRG is the ideal place for that (I’m happier when posts deal with more technical matters), but there’s been so much talk about this that I felt I’d better say something.

At the Real World Cryptography Workshop at Stanford last month I announced during a survey talk on authenticated encryption (AE) that my own IP in this domain would be freely licensed under broad circumstances: basically, (1) all open-source software, and (2)  any commercial, non-open-source software too, as long as it’s not for military use. See for the text of these two licenses. They were drafted by volunteer legal aid kindly provided by Harvard’s Cyberlaw Clinic.  We did try to make these licenses as simple and clear as possible, but the number of reasonable questions and scenarios that can arise is enormous, I now see.

Uri asked about the situation where an entity A adds OCB to OpenSSL, and a company X comes along and drops this into their non-open-source system, which they proceed to sell to the DoD.   My answer is that company X has infringed, but OpenSSL has not, nor has company A, assuming they weren’t trying to “specifically induce” the infringing use by X.  Company X should buy a license (which is not half as big a deal as people seem to assume).

Ted mentioned to me scenarios (I think this was from a different mailing list) where Adobe adds OCB to their Reader, or where Google adds OCB to their search engine (and of course, the military use the Reader or the search engine). An attorney tells me that whether or not the vendor has infringed depends on whether or not the software or service is “in cooperation with” or “on behalf of” the military.  Allowing military use for free code or services (here, ‘free’ as in beer) is certainly possible, but I would need to explicitly expand things in that direction.

Next I heard a concern that the non-military restriction runs afoul of OSI’s “no discrimination against fields of endeavor” requirement.  This concern would seem to be misplaced for a couple of reasons. First, the license for open-source software doesn’t have the non-military language. Second, the licenses at operate in the realm of copyright, not patents. As I understand it, the two things are independent.

Someone else on this list asked: why open-source SW but not open-source HW. The answer is that I know nothing about the latter domain. If needed, please make a specific request (by private email) and I’ll try to make sure you’re covered.

I know that some open-source projects won’t be comfortable with the IP situation surrounding AE regardless of anything I say or do.  Some other open-source projects -- e.g., Mosh -- have already made the opposite decision and are using OCB (which I think is great).  Similarly, some companies will be satisfied with license 2; some may want a paid license; and some will want to avoid anything with patents.

That last thing can be hard to achieve with anything approaching certainty. Consider that, just a few weeks ago, Intel was granted a US patent (#8,340,280) for the tricks that enable their carryless multiply NI to efficiently realize GCM.  Where’s the guarantee that Intel won’t go after someone with a PCLMULDQ-based GCM implementation? Now I’m definitely not suggesting that OpenSSL roll back to a dumber GCM implementation. But troubling patent issues have become a part of our landscape. Somehow we get by.

Ted and I have worked hard to evolve the ID on OCB, this following a sequence of papers about the algorithm and its performance. We’ve made the required IP disclosures to the IETF, urged other parties to do so, and, for my part, I’ve arranged for free licenses within a large domain of practice. I do hope that all this is enough for OCB to get more widely standardized and used (and preferably without having to wait for every possible patent to expire).

Phillip Rogaway