Re: [Emu] WG adoption call for draft-arkko-eap-aka-pfs

[Alan DeKok <aland@deployingradius.com>]

On Nov 28, 2018, at 3:32 AM, Jari Arkko <jari.arkko@piuha.net> wrote:
> However, I think it would be useful to understand the situation:

  i.e. No one has gotten sued for this before.  That doesn't mean they won't get sued.

  The typical practice here is that the patent holders ignore the Open Source authors.  They're scattered in many countries, and have shallow pockets.  Instead, the patent holders go after the *users* of the Open Source programs.  They're often in the same jurisdiction, and have deeper pockets.  This is happening today, and has been going on for years.
  
> The proposed specification is an extension of RFC 5448 or EAP-AKA'. That RFC already had a similar IPR declaration from someone else, back 10 years ago when it was being specified. Yet, the declared or other potential IPR constraints do not appear to have slowed the adoption of this RFC in the industry. The phone that I’m writing this on implements EAP-AKA’ for instance. And there are open source implementations.

  If it's an android phone, it doesn't implement EAP-AKA'.  An Open Source tool (wpa_supplicant) implements EAP-AKA', and the phone just uses the library.  So your phone *is* an Open Source implementation of EAP-AKA', and everyone involved (potentially including you) is subject to suit for patent infringement.  If your phone is an iPhone, maybe they licensed the patents.  (Apple has implemented their own supplicant).

> Also, a likely use case for this is in 5G, but in a (say) 5G phone there will be other technologies, not all unencumbered.

  I'm happy to let *other* people agree to whatever they want for using encumbered technologies.  I have concerns with "open standards" using non-open technologies.

  Some standards bodies have a habit of using encumbered technologies.  These standards bodies usually have high cost to entry, complex, obtuse specifications, and often cross-licensing.  Even if the standards bodies don't mandate cross-licensing, the individual companies can do this:

https://www.ipwatchdog.com/2018/08/03/ericsson-lg-global-cross-licensing-agreement-2g-3g-4g-mobile-seps/id=99897/

  The issue for Open Source people is that everything they do is in the open.  So there's usually no patents, not the least because there's no money for patents.  Which means cross-licensing as a defence is impossible.  And the Open Source people find it difficult (in practice) go after companies for license violations.  When the other side has lawyers on retainer, and you're trying to find funding for a new laptop, the sales of justice are massively imbalanced.

> We could do this particular extension in a different way to avoid this particular license, but it wouldn’t necessarily resolve all issues. In addition, new technical issues might arise. For instance, I predict that the ability to perform PFS in the same number of roundtrips for the registration exchange is important for the potential adoption of this. I wouldn’t want to trade that away for instance, if using different technology meant doing that.

  It is a conundrum.

> Finally, I think we really need this for the users.

  I agree completely.

> So from my perspective there’s a clear need for this and I see no evidence that previous situations in this particular case have slowed deployment in any fashion. Also, this particular extension doesn’t change the overall situation with regards to EAP-AKA’. Does that help reduce your concerns?

  It suggests that the risk may be low.  But the risk is there.

  TBH, there's no good solution for this situation.  It's needed, but at the same time anyone using it is opening themselves to lawsuits that they can't afford to defend, much less lose.

  Alan DeKok.