Re: [openpgp] DRAFT minutes for OpenPGP at IETF 94

"brian m. carlson" <> Wed, 04 November 2015 02:07 UTC


On Wed, Nov 04, 2015 at 02:27:54AM +0100, Aaron Zauner wrote:
> brian m. carlson wrote:
> > A note on using patented algorithms: Some organizations, such as Debian,
> > require that parts of software be able to be extracted and otherwise
> > used under the terms of the license.  Even if the OCB patent is waived
> > for OpenPGP, that would not be sufficient to allow parts of an OpenPGP
> > implementation that use OCB to be used in non-OpenPGP software.  That
> > might prevent such OpenPGP implementations from entering the main Debian
> > archive.  Other organizations may have similar restrictions.
> > 
> > This is just something to consider when discussing the use of patented
> > algorithms.
> So in this case is non open-source software relevant at all? I don't
> think so. For open-source initiative licenses, public domain and CC
> there's a patent exemption anyway (since 2013):

I suspect this is probably sufficient for Debian's purposes, although I
of course can't speak on their behalf.  Whether it is suitable for Red
Hat or other organizations with strict patent policies, I don't know.

My personal view is that using patented algorithms[0] will prevent at
least some adoption of the OpenPGP standard, even if that's overly
cautious and defensive, and that there are sufficient secure
alternatives such that we don't have to use patented algorithms.  The
less we can make implementers get lawyers involved, the better.

> Another one exists for non-military software implementations:

Clearly this is not suitable for Debian's purposes, as they prohibit
restrictions on fields of endeavor.

[0] By "patented algorithms," I mean those that don't grant a flat
royalty-free license.  SHA-2 is patented, but available under such a
royalty-free license.
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187