- From: Edgar, Gerald <gerald.edgar@boeing.com>
- Date: Tue, 2 Jun 2009 07:42:11 -0700
- To: "XMLSec WG Public List" <public-xmlsec@w3.org>
Given the public legal proceedings of Certicom, it has been aggressive about their patents on ECC technology. At the NSA there is information that licenses for 26 patents were purchased but there are certain constraints, including a signed "PLA" or patent license agreement ( see http://www.nsa.gov/business/programs/quick_facts.shtml ). I am not sure that we can use the NSA/Certicom to support 1.1 making ECC mandatory. I understand that there are certain IETF protocols that were granted a license for ECC but I do not know the details. Although I would like to see ECC as mandatory, a fall back position is to make the stronger of the AES/SHA/RSA suites mandatory and the ECC ones optional. I also think we are not going as far as is needed for this standard without ECC being mandatory. Gerald Edgar, CISSP Enterprise Architecture & Information Security
Received on Tuesday, 2 June 2009 14:43:06 UTC