Re: [TLS] DSS with other than SHA-1 algorithms
Rob Stradling <rob.stradling@comodo.com> Thu, 12 May 2011 10:11 UTC
From: Rob Stradling <rob.stradling@comodo.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Thu, 12 May 2011 11:10:50 +0100
Cc: tls@ietf.org
On Wednesday 11 May 2011 15:14:10 Paul Hoffman wrote:
> On May 11, 2011, at 3:49 AM, Rob Stradling wrote:
> > On Wednesday 11 May 2011 09:38:33 Peter Gutmann wrote:
> >> Martin Rex <mrex@sap.com> writes:
> >>> There are probably a number of reasons why we are seeing very few (if
> >>> any) ECDSA certs issued by commercial CAs. EC algorithms are still
> >>> patent encumbered, and the licensing scheme by the patent holder was a
> >>> pay-per-issued-certificate targeting commercial CAs.
> >>
> >> Are the CAs impeded by patents?
> >
> > The first commercial CA to answer "No" and proceed to issue ECC certs
> > will almost certainly end up in court with an expensive legal bill.
> > Even if the correct answer really is "No".
> >
> > So yes, the CAs are impeded by patents.
>
> This makes it sound like there are patents on issuing ECC certs. However,
> that statement seems to fly in the face of RFC 6090. Can you clarify?

Hi Paul. Thanks for pointing me at RFC 6090. I'd not seen it before.

I agree that it appears to claim that issuing ECC certs is unencumbered by
patents. I wonder if Certicom are aware of this RFC, and if so, what their
opinion of it is.

> This seems particularly odd because Comodo has issued itself an ECC
> certificate that is now widely distributed.

Certicom are aware of our ECC root certificate and they have not raised any
objections. Several other CAs are now distributing ECC Roots too. I think
Certicom see this activity as increasing the likelihood that CAs will pay to
license their patents.

However, AIUI, we've been led to believe that Certicom would object if a CA
started to issue ECDSA-signed end-entity certs without some kind of license
from Certicom.

> --Paul Hoffman

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online