Folks, while it has been very interesting and I've learned some new stuff, I'm
afraid the discussion of whether or not the licensing terms for RC2 and it's
brethren are adequate is what is moot here. The simple fact of the matter is
that as the owner of the intellectual property in question, RSA has five and
only five options to chose from:
(1) Drop any trade secret claims for the algorithms used in S/MIME.
(2) Completely remove them from the S/MIME standard-to-be. It isn't a question
of whether or not it can be required -- in point of fact you cannot mention
these algorithms at all.
(3) Abandon the effort to get S/MIME blessed as an Internet standard.
(4) Get the IETF to treat this as an exception to the current rules concerning
intellectual property in Internet standards (very unlikely).
(5) Get the IETF to change the current rules concerning intellectual property
in Internet standards (also very unlikely).
To see why this is so, I cite section 10.2 of RFC2026, which is the document
describing the requirements of the current Internet Standards Process:
10.2 Confidentiality Obligations
No contribution that is subject to any requirement of confidentiality
or any restriction on its dissemination may be considered in any part
of the Internet Standards Process, and there must be no assumption of
any confidentiality obligation with respect to any such contribution.
Now, it is my understanding that in order to maintain something's trade secret
status the owner of that trade secret must keep it confidential and cannot
under any circumstances whatsoever agree to its publication. (I'm confident
that I can find citations to back up this point if necessary -- unfortunately
someone has "borrowed" my patent and trade secret textbook so I cannot do so
right now.) If so, this is in direct contradction to the IETF's requirement
that material with confidentially emcumberances cannot be used in any part of
the Internet Standards Process.
In addition, please note that this requirement happens to be one which is
unusually clear, unambiguous, and ineluctable -- there are no weasel-words
about "only if there's no unencumbered alternative" or "must have reasonable
licensing terms", etc. And for my part I think the absence of such words in
this case is entirely defensible: Please recall that the standards process
contains mandatory review steps, and I find it unacceptable for the review
process to involve a need to sign a nondisclosure agreement and quite possibly
pay $$$. As such, I will actively oppose any attempts to either change the
rules or make an exception in this case.
FWIW, I ran this message by the apps area directorate list prior to posting it
here. I only received two comments, one from each of the apps area directors.
Specifically, Keith Moore replied and said he agrees with my analysis. Harald
Alvestrand also replied and says that while he doesn't see a problem with
having a simple reference pointing to RC2 and its OID in the document, what is
there now is clearly unacceptable. So that's the word from two of the ADs who
will have to approve this document before it can enter the IETF standards
track.
Ned