
Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

2017-10-31 03:10:39
I’m sure Rich could shine more light on this, but OpenSSL has already received 
a specific OCB license from Prof. Rogaway that allows users of OpenSSL to use 
OCB freely, including when linked against proprietary code (it’s on the OpenSSL 
website). Note that the OpenSSL license is broader than Licenses 1 and 2 on 
the OCB FAQ page.

As mentioned, Prof. Rogaway is willing to file an IPR statement allowing the 
use of OCB for all OpenPGP implementations, so I think the patent issue can 
probably be put to rest here.

Ron

_____________________________________

Ronald Tse
Ribose Inc.

> On Oct 31, 2017, at 3:03 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
> 
> On Tue, 31 Oct 2017, Gregory Maxwell wrote:
> 
> > > As the signaling of support for algorithms is better than I realised,
> > > I'll let myself be convinced that adding a new algorithm isn't too
> > > bad. While I still think there is an increased risk of non-interoperability
> > > or non-adoption, I guess it is not a deal breaker for new algorithms.
> > >
> > > The lesson here is, don't put arbitrary restrictions on your algorithm if
> > > you want to see widespread adoption.
> >
> > This seems rather moralistic rather than a practical consideration.
> >
> > IETF protocols routinely register encodings and codepoints for highly
> > restricted techniques: OCB in OpenPGP would only get used when there
> > is mutual support on both ends.
> >
> > I don't think the laudable effort of avoiding restricted techniques as
> > mandatory in standardized protocols is aided by a total war on them
> > that covers optional use of less restrictively licensed things.
> >
> > The standards process question should primarily be: will it get use if
> > it exists? If not, don't bother. The licensing of OCB appears to be
> > very permissive for more than a few very broad classes (including Free
> > Software implementations). Input from implementers on whether they'd
> > implement it if specified should be the primary metric.
> 
> This is still a potential issue. As long as the algorithm has restrictions
> on it that are discriminatory, its inclusion in a free software library
> poses a risk for those companies shipping the software that have money
> in the bank to attract lawsuits.
> 
> I'm worried about OCB support in openssl and/or other libraries as
> part of the OS, because when a vendor's customers use it for some
> "unauthorised use", the vendor might get involved in a lawsuit.
> 
> I'm also confused about these restrictions. If open source is allowed to
> use it, anyone could use openssl under the newly minted (still minting?)
> license to link against proprietary code, meaning that there are, in
> practice, no restrictions left. So why doesn't Rogaway just release an
> IPR statement to the IETF allowing its free and unrestricted use?
> 
> Rich, do you know anything about the OCB code in openssl and how the
> relicensing of openssl would mean the OCB code can remain or has to go?
> 
> Paul

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp