ietf-openpgp

Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

2017-10-31 02:03:59
On Tue, 31 Oct 2017, Gregory Maxwell wrote:

As the signaling of support for algorithms is better than I realised,
I'll let myself be convinced that adding a new algorithm isn't too
bad. While I still think there is an increased risk of non-interoperability
or non-adoption, I guess it is not a deal breaker for new algorithms.

The lesson here is, don't put arbitrary restrictions on your algorithm if
you want to see widespread adoption.

This seems rather moralistic rather than a practical consideration.

IETF protocols routinely register encodings and codepoints for highly
restricted techniques:  OCB in OpenPGP would only get used when there
is mutual support on both ends.

I don't think the laudable effort of avoiding restricted techniques as
mandatory in standardized protocols is aided by a total war on them
that covers optional use of less restrictively licensed things.

The standards process question should primarily be will it get use if
it exists? If not, don't bother. The licensing of OCB appears to be
very permissive for more than a few very broad classes (including Free
Software implementations).  Input from implementers on if they'd
implement it if specified should be the primary metric.

This is still a potential issue. As long as the algorithm has restrictions
on it that are discriminatory, their inclusion in a free software library
poses a risk for those companies shipping the software that have money
in the bank to attract lawsuits.

I'm worried about OCB support in openssl and/or other libraries as
part of the OS, because when a vendor's customers will use it for some
"unauthorised use", the vendor might get involved in a lawsuit.

I'm also confused about these restrictions. If open source is allowed to
use it, anyone could use openssl under the newly minted (still minting?)
license to link against proprietary code, meaning that there are, in
practice, no restrictions left. So why doesn't Rogaway just release an
IPR statement to the IETF allowing its free and unrestrictive use?

Rich, do you know anything about the OCB code in openssl and how the
relicensing of openssl would mean the OCB code can remain or has to go?

Paul

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp