Re: [TLS] Last Call: draft-ietf-tls-extractor (Keying Material Exporters for Transport Layer Security (TLS)) to Proposed Standard

Dean Anderson <dean@av8.com> Wed, 22 July 2009 19:29 UTC

To: Eric Rescorla <ekr@networkresonance.com>
Cc: ietf-honest@lists.iadl.org, ietf@ietf.org, rms@gnu.org, tls@ietf.org

Hi Eric,

On Tue, 21 Jul 2009, Eric Rescorla wrote:

> As others have stated, Certicom has a variety of patents that
> apply to ECC technology. When TLS Extractor (or indeed any other
> IETF technology) is used with the TLS ECC cipher suites, then
> there is a potential issue with regard to Certicom's patents,
> but that issue is produced not by Extractor, but by the use
> of ECC. After Certicom's disclosure (1004), there were
> questions about whether Certicom's IPR also applied to Extractor
> with non-ECC cipher suites.

Err, no. See the message on the misuse of patents.  IF* there is no
patent claim to cover extractor, adding extractor would raise the issue
of misuse for trying to cover extractor with its patent licence.  IF*
there is a claim or claims covering extractor, we cannot be sure they
are limited to use with ECC.  The test for infringement is when the use
performs "substantially the same function" as claimed.  It would seem
that anything that is similar to ECC, (but not ECC) probably performs
substantially the same function with respect to extractor claims.

[* Again, more exact statements cannot be made because Certicom has been
unhelpful in identifying the precise patent(s) and claims that cover
extractor.]

>     It is our intention to foster broad adoption of ECC technology.  The
>     grant is meant to cover any necessary Certicom patents and patent
>     applications to implement RFC 4492, RFC 5289 or the
>     draft-rescorla-tls-suiteb when used with draft-ietf-tls-extractor.  It
>     is not making any statement to the draft-ietf-tls-extractor when used
>     absent of these three cipher suites.
> 
> You can find the new disclosure at: https://datatracker.ietf.org/ipr/1153/.

Then they updated that with IPR 1154. While necessary updates of
details, I find no differences that significantly alter the key facts:

1. The Certicom disclosures state that Extractor is covered by a patent.

2. There is no universal free license. There is only the offer to 
request a free license. Certicom can refuse requests at any time.

3. Certificate Authorities are already denied any free licence.

The statement you quote above doesn't alter anything, and I am mystified
why people continue to cite that statement as evidence of "good intent"
or that this is free software. It is not free software. Obviously,
_every_ proprietary software vendor's intention is to 'foster broad
adoption' of their technology. They often give out free samples to do
that.  And of course, they then extract as much money for that software
as they can;  the software doesn't remain free.  Certicom's stated
intent is to foster broad adoption, not produce free software.

But the Certicom statement is still slightly misleading because there is
no actual grant made in the document, even though the document refers to
"the grant".  The document states only that one may _request_ a free
license. But one doesn't need a 'grant' to request a free licence. Anyone
can _ask_ Oracle, MS, etc for a free license too---Maybe that request
will be granted.  And BTW, I have no doubt that Certicom will give out
_some_ free licenses to encourage adoption---I'm not accusing them of
outright deception.  But proprietary vendors like Oracle also give out
free samples.  The difference is that free software is inherently free,
and proprietary software is free for a limited time.  Don't be fooled by
the limited offer.

>    Section V of the form, "Disclosure of Patent Information (i.e.,
>    patents or patent applications required to be disclosed by Section 6
>    of RFC 3979)," has been updated.  Subsection C highlights the specific
>    RFCs and I-Ds that are believed to be covered by the patents and
>    patent applications listed in Schedule A of the linked IPR
>    contribution
>    (http://www.certicom.com/images/pdfs/certicom%20-ipr-contribution-to-ietfsept08.pdf).
>    Please note that no version of the draft_ietf_tls_extractor appears in
>    this section.
> 
> I consider this pair of statements combined with the IPR statement quite
> satisfactory. You of course are free to feel differently.

The Certicom statements are satisfactory only in the sense that Certicom
has met the minimum requirements for disclosure.  Once the disclosure
content is analyzed for their terms, I find the terms offered
unacceptable and recommend against approving the document.

But I think the process is not satisfactory because the Working Group
didn't discuss non-patented alternatives to extractor as mandated by RFC
3979.  If the WG did discuss non-patented alternatives, I missed that
discussion, and I would appreciate a pointer to the record.

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000