ietf-openpgp

Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

2017-10-26 19:18:55
On Thu, Oct 26, 2017 at 02:03:02AM +0000, Ronald Tse wrote:
> Perhaps I could clarify that the OCB patent is limited in regional
> scope and does not apply outside of the US. For example, the NZ
> military could order a pizza using OCB.

Unfortunately, a patent anywhere is an impediment everywhere in the age
of the Internet.

> The OCB licenses provided on Rogaway’s page are very clear that open
> source usage, such as in OpenSSL and any products based on OpenSSL, is
> strictly allowed — which means that military and hardware usage of OCB
> through OpenSSL is already allowed.

It's my reading of Rogaway's license that linking an open-source library
against closed source software violates the patent license, even though
it might not violate the library license.  If a distro ships an
OCB-enabled crypto library, it can't be used for any closed-source
software shipped on that system (Chrome, Slack) or any non-open-source
custom-built apps (say, an internal Rails app).

Since crypto libraries like OpenSSL are very frequently linked against
other software on the system, this is a terrible idea.

The fact that it's this hard to understand the patent issues makes it
really obvious why OCB is a bad idea.

> I think we are slightly confusing an optional algorithm, which OCB is
> proposed to be, with a mandatory one. A user should be able to specify
> in their preferences that they don’t accept OCB. A .mil email address
> will probably specify they do not want OCB in this case.

I'm generally opposed to including algorithms, even optional ones, which
are patent-encumbered.  The fact that an IPR declaration exists for an
RFC is enough to scare off many companies from implementing it.

I personally hate having to meet with company lawyers, even extremely
knowledgeable ones, about the type of crypto we use and the legal impacts
of it.  Adding OCB to the spec is going to cause a lot of those
conversations that don't need to happen.

> Given OpenPGP is supposed to be “open”, people should be able to state
> their preferences as well as do what they want with it.
>
> For example, Chinese cryptography law strictly forbids AES usage in
> hardware. Does that mean Intel needs to drop AES-NI for chips sold in
> China? The answer is no. People simply don’t use it because of these
> regulations.
>
> This is the same with OCB — if you don’t like it, don’t want it, just
> don't use it. It only enables people who want it to use it.

Practically, a patent-encumbered algorithm is not likely to be
implemented.  The patent problems with OCB make it unlikely that it will
be suitable for inclusion into the Red Hat or Debian archives.  That
means that most open-source implementations will not include it, and
those that do will not interoperate with those that don't.

Why should we add an algorithm which is likely to get little practical
usage?  OCB doesn't provide useful crypto agility, but it does provide
yet another option, which we've tried to avoid in the specification.
Additional algorithms are hard to deprecate and are a source of
potential security bugs in implementations.

I'm not saying OCB isn't a great block cipher mode, just that it's going
to be practically unused because of the patent situation.

> +=========================================================+
> This message may contain confidential and/or privileged
> information.  If you are not the addressee or authorized to
> receive this for the addressee, you must not use, copy,
> disclose or take any action based on this message or any
> information herein.  If you have received this message in
> error, please advise the sender immediately by reply e-mail
> and delete this message.  Thank you for your cooperation.
> +=========================================================+

If your mails are confidential, you probably want to stop sending them
to a public mailing list.  If not, you'll want to omit this message.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
