Re: Remove SHOULD for elliptic curve groups in IKEv2

[Paul Koning <pkoning@equallogic.com>]

>>>>> "Eric" == Eric Rescorla <ekr@rtfm.com> writes:
 Eric> What I think would be very helpful here would be if someone
 Eric> (you?) wrote a draft describing a single algorithm with:

 Eric> (1) A description of its patent status (hopefully, with some
 Eric> reference to the techniques having been published prior to
 Eric> patents being filed).  (2) Some estimate of its security
 Eric> properties (e.g. an estimate of strength.)  (3) Some
 Eric> description of (unencumbered) implementation techniques along
 Eric> with performance numbers for those techniques, perhaps with
 Eric> comparisons to RSA.

Yes, such a thing would be useful.  Unfortunately, (1) and (3) involve
opinions about patents (their existence, scope, validity, etc.).
Since patents are legal documents and those questions are legal
questions, any writings about (1) and (3) by engineers or
mathematicians should be viewed with extreme scepticism.

The reason I say this about (3) is that "unencumbered" is not a
property you can easily test.  I remember situations where some
company at some point years after a technique came into use decided
that it could use some more revenue, and tried to stretch some of its
existing patents to cover new ground.  And even if you have a
statement from the inventor of X that he/she will not be filing for
any patents on X (as is true for Rijndael), such a statement isn't an
absolute guarantee that there won't be patent claims against X from
third parties -- now, or perhaps quite a while later -- who say that
their patent has claims that cover implementations of X...

      paul