
Re: IPsec near term work



-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822

Phil,

Discussions of the patents and license terms for the public key
patents always seem to have a high emotional content, and it's with
some trepidation that I attempt to respond to your message.  I've now
been directly involved in this matter for four years, and I think the
situation is not as awkward as you suggest.

I cannot speak for RSADSI, PKP or others, but here's my perception of
the situation.

o Licenses for public key technology are obtainable.  RSADSI and PKP
  seem to consummate deals quite regularly, and quite a few major
  companies are listed as their licensees.  I can't speak about the
  specific terms or practices for any other company, but we at TIS
  have seen nothing extreme or unreasonable in the terms in our
  license(s) from RSADSI.

  (RSADSI sells software; that software comes with the right to use
  the licensed technology.  PKP sells the license only; its licensees
  build their own software or hardware.)

o A substantial amount of the criticism in the community comes from
  people who believe that software ought not be patentable, that
  public key technology should not have been patented, or that the
  inventors or original patent holders (MIT, Stanford, etc.) acted
  unwisely or improperly in transferring those patents to PKP.

  In my view, those are not unreasonable matters for public debate,
  but I think it is most unlikely that such discussion will affect the
  present situation in the near future.  As you say, the patents will
  expire in a handful of years.  In my view, it's unlikely there'll be
  any changes in the legal foundation or government policy that would
  affect the situation in the next few years.

o Over the last few years, RSADSI has opened up a path for development
  of new applications of public key cryptography by releasing its
  RSAREF package.  RSAREF is available free of charge, in source form,
  for non-commercial use.  RSADSI specifically encourages its use for
  new applications, experiments, etc.  In those cases, in which the
  interfaces in RSAREF do not match the needs of the application,
  RSADSI entertains requests for modifications to the details of the
  license.  We have had occasion to explore this avenue in our
  development of TIS/PEM, and we did not have any difficulty
  interacting with RSADSI.

  One might argue that providing RSAREF is merely a good marketing
  strategy.  Sure, but it serves our community nonetheless.  As I said
  above, all the evidence I have is that licenses for commercial
  applications are available in a regular and businesslike way at prices
  that seem to work ok in the marketplace.  (Discussion of prices is
  always controversial.  Patents intentionally create monopolies, and
  monopolies obviously obey different -- not unconstrained, just
  different -- pricing rules than non-monopolies.)

o PGP is a somewhat complicated case.  I'll skip over the who did or
  didn't do what to whom at what time, and offer that, in my opinion,
  it's entirely possible to build applications that are as usable and
  popular as PGP and that also live within the current licensing rules.

  PEM is a different case.  In my view, although some of the delay in
  bringing out the PEM specs may be attributable to license issues,
  another substantial component of the delay has been the ambition
  level of the design.  PEM attempts to provide both the mechanism for
  protection of mail *and* a general solution to the naming and key
  management problem for the Internet.  This latter problem is
  substantially harder than simply choosing algorithms and formats for
  protection of messages, and the solution chosen for PEM has the hard
  job of introducing X.500 style names and tools into an
  infrastructure built on the domain name system.


The bottom line is that I agree with your assessment "that the only
truly practical way to do an IP key management protocol is with public
key cryptography," but I disagree with your assessment that the
licensing requirements present a serious burden to us.

Quite apart from the issue of patents and their licenses is the matter
of export control and related government policies.  You did not speak
to those issues, but I believe those regulations have far more impact
on us than the patent situation.  I bring this up only to make sure
the readers of our notes keep two separate markers in their minds, one
related to patents and one related to government regulations.  Letting
the patents expire and/or using other unpatented cryptography won't
change the regulatory environment.  This is a topic for a different
set of notes.

I believe that we should define whatever protocol meets our needs.
If we choose standards which use public key cryptography, I anticipate
it will be more or less ordinary to work out the licensing
arrangements.  And I hereby pledge to work with whomever is relevant
to make this so.

Steve

Disclaimers, representations, etc: I am the IETF Security AD.  I am
also a vice president of Trusted Information Systems, Inc. and have
been directly responsible for the development of TIS' PEM implementation.
I have written this primarily as Security AD, but I have drawn on our
experience at TIS.  TIS is a licensee of RSADSI.  (TIS is not a
licensee of PKP.)  This note represents only my own opinion.  It has
not been coordinated with anyone at RSADSI, PKP, any other
organization, nor even within TIS.  This note is not a commitment by
TIS, and except in so far as I'm obviously involved in the decision
processes at TIS, this note does not necessarily represent TIS'
business position.




 +-------------------------------------+-------------------------------+
 |  Steve Crocker                      | Voice: 301-854-6889           |
 |  Trusted Information Systems        | FAX:   301-854-5363           |
 |  3060 Washington Road (Route 97)    |-------------------------------|
 |  Glenwood, MD  21738                | Internet: crocker@tis.com     |
 +-------------------------------------+-------------------------------+


> From:    Phil Karn <karn@qualcomm.com>
> To:      atkinson@itd.nrl.navy.mil
> cc:      ipsec@ans.net
> Date:    Wed, 2 Feb 1994 00:26:45 -0800
> Subject: Re: IPsec near term work
> 
> One of the reasons I've been putting off key management is a (sigh)
> familiar and thorny one to many of us: the public key patents and the
> politics surrounding them. I doubt I'm the only one.
> 
> Everybody knows that the only truly practical way to do an IP key
> management protocol is with public key cryptography, but the sorry
> history of PEM isn't much cause for hope. Much of the Internet's
> success comes from its "let a thousand flowers bloom" philosophy, but
> so far those who control RSA haven't seen fit to legitimize this
> approach.
> 
> Indeed, what is arguably now the best and most successful Internet
> implementation of RSA (PGP) was done in direct defiance of the patents
> and at considerable personal risk.  A level of risk I would rather not
> assume myself, much less force others to assume.
> 
> Will we have to wait until 1997 (when Diffie Hellman expires) or 2000
> (when RSA expires) to do anything with IP security beyond manual
> single-key cryptography? Is anyone willing to tackle this issue?
> 
> Phil
> 
-----END PRIVACY-ENHANCED MESSAGE-----

