ECC considerations

Given the public legal proceedings of Certicom, it has been aggressive
about their patents on ECC technology. At the NSA there is information
that licenses for 26 patents were purchased but there are certain
constraints, including a signed "PLA" or patent license agreement (see
http://www.nsa.gov/business/programs/quick_facts.shtml). I am not sure
that we can use the NSA/Certicom to support 1.1 making ECC mandatory. I
understand that there are certain IETF protocols that were granted a
license for ECC but I do not know the details.
 
Although I would like to see ECC as mandatory, a fallback position is
to make the stronger of the AES/SHA/RSA suites mandatory and the ECC
ones optional. I also think we are not going as far as is needed for
this standard without ECC being mandatory. 


Gerald Edgar, CISSP
Enterprise Architecture & Information Security

Received on Tuesday, 2 June 2009 14:43:06 UTC