Re: [Cfrg] ISE seeks help with some crypto drafts

Peter Gutmann <> Mon, 11 March 2019 00:08 UTC

From: Peter Gutmann <>
To: Tony Arcieri <>, Paul Hoffman <>
CC: "" <>, CFRG <>, "RFC ISE (Adrian Farrel)" <>, secdir <>
Thread-Topic: [Cfrg] ISE seeks help with some crypto drafts
Date: Mon, 11 Mar 2019 00:07:57 +0000

Tony Arcieri <> writes:

>"Phillip Rogaway offers a royalty-free non-exclusive license to all claims of
>the referenced patents needed to realize a fully compliant implementation of
>any IETF standards-track protocol supporting AES-OCB (RFC 7253)."

That's still not going to work, for two reasons.  The first is that it
misunderstands how an implementation of, say, TLS works.  Virtually all TLS
implementations aren't a monolithic TLS-only code block but are built on top
of a general-purpose crypto library, for Windows CryptoAPI, for everything
else OpenSSL, Crypto++, mbedTLS, PKCS #11, my own cryptlib, etc. Taking the
vendor-neutral PKCS #11 as an example, what the above is requiring is an
implementation of Maxwell's demon in software, that a PKCS #11 library be able
to tell whether the handle from C_CreateObject( &handle, { CKA_KEY_TYPE, key,
CKK_AES_OCB } ) will be used to encrypt TLS data (OK) or non-TLS data (not

The second is legal.  Any commercial user of whatever the crypto library is is
going to get their lawyers to look at that requirement and have a fit, not
even because of the above very technical problem but just from the knowledge
that they'll be running code that, at the slightest glitch, will potentially
expose them to a patent lawsuit.  I've seen companies spend 1-2 years debating
whether using generic permissive BSD-licensed code is safe, and now they'll be
asked to decide whether the risk in the above is worthwhile because blah blah
geekspeak geekspeak, for which the answer will most likely be "no".

I'd love to use OCB, it's a really nice, elegant mode, but unfortunately
unless the usage conditions are "freely available without restrictions" I
can't.  And that's not from rabid freetardism, it's from pragmatism, it's too
risky legally.