Re: Fourth Last Call: draft-housley-tls-authz-extns
Simon Josefsson <simon@josefsson.org> Fri, 16 January 2009 10:14 UTC
From: Simon Josefsson <simon@josefsson.org>
To: Russ Housley <housley@vigilsec.com>
Subject: Re: Fourth Last Call: draft-housley-tls-authz-extns
References: <20090114161820.BFA4228C1BB@core3.amsl.com> <20090115013244.GA20394@redoubt.spodhuis.org> <20090115162240.3DEC23A67F1@core3.amsl.com> <87d4eofqaa.fsf@mocca.josefsson.org> <20090115195434.DE00A3A6A35@core3.amsl.com>
Date: Fri, 16 Jan 2009 11:14:05 +0100
In-Reply-To: <20090115195434.DE00A3A6A35@core3.amsl.com> (Russ Housley's message of "Thu, 15 Jan 2009 14:54:16 -0500")
Message-ID: <87iqofd0cy.fsf@mocca.josefsson.org>
Cc: ietf@ietf.org
Russ Housley <housley@vigilsec.com> writes:

> Simon:
>
>> >>For the people who want this draft published (and perhaps have a pending
>> >>implementation), would you please humour me by offering some usage
>> >>scenarios, other than debugging or toys, which would meet security
>> >>review and which are not covered by the four points which the
>> >>patent-holder notes as potentially encumbered?
>> >
>> > I'll offer one based on attribute certificates (see RFC 3281). If the
>> > attribute certificate policy does not use a critical certificate
>> > policy identifier that is within an arc registered to RedPhone
>> > Security (e.g. iso.org.dod.internet.private.enterprise.23106), then
>> > the most straightforward deployments would not encounter problems with
>> > this IPR Statement. RFC 3281 specifies ways to carry access
>> > identities, group memberships, roles, and clearances in attribute
>> > certificates. As long as these are not coupled to signed agreements
>> > such as contracts, as is their normal use, then I cannot see problems
>> > with this IPR statement.
>>
>> What's the point of a certificate if you don't ultimately couple it with
>> a contract? Identities, group memberships, roles, and clearances are
>> all attributes defined by non-technical, real-world agreements, often
>> documented in the form of a contract.
>
> I can think of many that are not tied to contracts, especially in the
> manner described in the paragraph numbered 2 in the IPR statement.
> The authorization data needs to be used to "locate" the agreement.
> I've worked with many identification and authorization systems, and
> this is not a traditional aspect of any of them.

I can't think of any realistic complete scenario using RFC 3281; can you
describe it? All attribute certificate systems I've worked with use
identities that ultimately can be chained back to a legal entity, which
will be bound to certain conditions through agreements. The
authorization data can thus be used to "locate" this agreement.

Generally, I don't think we should standardize protocols that are known
to be encumbered by patents for some applications.

I've forwarded the patent disclaimer 1026 to the FSF/SFLC for review by
lawyers. I would have felt more comfortable if the patent disclaimer
only contained its first paragraph. Right now, it feels like it is
saying one (good) thing in the first paragraph. The next paragraphs
appear to take away most of the substance by limiting the scope, and
using terms that are likely intended to be narrowly scoped but can be
read more broadly.

/Simon