- From: Jeffrey Walton <noloader@gmail.com>
- Date: Mon, 1 Apr 2013 05:55:27 -0400
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
On Mon, Apr 1, 2013 at 4:49 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> On 2013-04-01 10:29, Jeffrey Walton wrote:
>> On Mon, Apr 1, 2013 at 3:50 AM, Anders Rundgren
>> <anders.rundgren@telia.com> wrote:
>>> On 2013-03-31 23:44, GALINDO Virginie wrote:
>>>> I am here, but I am not representing GP but gemalto :)
>>> ...
>>> The following _might_ be of some interest. As you know I have been working
>>> with a web-based security object [*] provisioning and management system
>>> for quite some time. As I have been told, it probably violates a bunch
>>> of mainly US patents. That US patents represent a major inhibitor to
>>> progress is verified by the fact that Mozilla doesn't dare add ECC
>>> support to Firefox.
>> Has Mozilla considered sublicensing ECC algorithms from the NSA? From
>> http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
>>
>> <quote>
>> A key aspect of Suite B Cryptography is its use of elliptic curve
>> technology instead of classic public key technology. In order to
>> facilitate adoption of Suite B by industry, NSA has licensed the
>> rights to 26 patents held by Certicom, Inc. covering a variety of
>> elliptic curve technology. Under the license, NSA has the right to
>> grant a sublicense to vendors building certain types of products or
>> components that can be used for protecting national security
>> information. Click here to view a sample license.
>>
>> Click for more information www.nsa.gov/ia/contacts/index.shtml
>> </quote>
>>
>> WebCrypto might consider attempting to license if needed.
>
> There seem to be two lawyers for every engineer in the US:
> http://www.strikeforcetech.com/pdf/SFOR-OOB-Patent-Litigation-032713.pdf

Yes, the US has a number of problems related to politics and the oligarchy. I've been visited more than once for criticizing politicians, judges, and lawyers. My most recent visit was last year by the US Marshals.

> My guess is that the US will remain at its current position regarding
> strong authentication for consumers, i.e., at the _absolute_bottom_.

Client certificates are a good choice for client authentication, but they suffer provisioning hardships and a number of UI issues. As for cell phones and second factors, that channel was breached in 2011 (http://financialcryptography.com/mt/archives/001349.html).

A client certificate means the consumer could be applying his/her secret for an insecure/unknown server. It seems to me that if the consumer uses a non-hardened PKI with internet profiles, then all consumers suffer, both US and abroad. Surely you have not forgotten that the Dutch CA DigiNotar's failure affected all users, and Iranian users in particular.

Jeff
Received on Monday, 1 April 2013 09:55:56 UTC