- From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
- Date: Wed, 6 Aug 97 21:27:24 EDT
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

David Jablon <dpj@world.std.com> writes:

>At 09:12 AM 8/6/97 -0500, John Franks wrote:
>>The necessity to avoid any patent and export restrictions is
>>fundamental. In particular, protocols which make any use of
>>public-key techniques are not acceptable.
>...
>
>I can only presume that the vendors behind this proposal
>would rather support a weak password method than a strong
>one, in line with an unwritten agenda.

Assume what you like, but please note that the draft is the product of this working group, not an individual, and that the first two authors listed are from non-commercial organizations. This working group certainly has no unwritten agenda - we have enough trouble trying to define the written one!

>To be specific, I can name EKE, SPEKE, "secret public-key"
>techniques, OKE, SRP-2, and several others. In the spirit of
>honesty and openness, I'll do my part. My motivation
>is in part due to the fact that I'm the author of one
>of these methods.

Are you asserting, as an author of one of the above, that it is free of patent and other intellectual-property restrictions? That's the criterion that's been offered as to the rejection of public-key techniques, not concerns about US export laws.

I'm not a patent attorney, just a programmer whose interests lie partly in this area, but from what I've read it's essentially impossible to work in public-key cryptography without running into a patent belonging to either RSA or Diffie. If you've come up with something so fundamentally different that it doesn't infringe on them, and have chosen to share that technique with the rest of us without restriction, I thank you, and I expect that the working group would listen calmly and reasonably to whatever proposals you might have to offer.

Those of us who've been following and participating in the debates to date have certainly never maintained that Digest Authentication was the be-all and end-all, rather simply that it is better than Basic Authentication and freely implementable and distributable.

Ross Patterson
Sterling Software, Inc.
VM Software Division

Received on Wednesday, 6 August 1997 18:30:34 UTC