[Top] [All Lists]

Re: The RC2 debate

1997-04-23 09:45:13
And it is totally irrelevant anyway. The stated position of RSA here,
which has in fact been posted to this list by RSA representatives, is
that they believe this algorithm is still covered by trade secret rules.

I for one don't really care whether RSA thinks that RC2 is a trade secret.
(or for that matter, what RSA's reasoning is)
Just because RSA has an opinion doesn't mean IETF is bound by it.

What IETF cares about is that the algorithm is a published standard
(either de facto or de jure), and that the technology is available
under reasonable and nondiscriminatory terms.
Keith, I'm afraid I must disagree with you on this. Again I cite the
IETF rules published in RFC2026, specifically section 10.2:

  10.2  Confidentiality Obligations

     No contribution that is subject to any requirement of confidentiality
     or any restriction on its dissemination may be considered in any part
     of the Internet Standards Process, and there must be no assumption of
     any confidentiality obligation with respect to any such contribution.

A claim of a trade secret is at its core a claim of confidentiality, and
RC2 is claimed to be a trade secret. As such, 10.2 applies and we cannot
use RC2 in an Internet standard unless its status changes.

If RSA publishes the algorithm, fine; if the algorithm is published by
somebody else, fine.  But it does have to be published.  If this WG
can't find a RC2 specification to reference, it needs to use some
other symmetric encryption algorithm.   (And IMHO it shouldn't waste any
more time waiting for RSA to make up its mind...RSA has had plenty of time
to publish RC2 if it wants to do that.)

Again I have to disagree. Publication is not the issue here, the issue is RSA's
claim to a confidentiality requirement that covers RC2. As long as such a claim
exists we cannot use RC2, period.

This means that confidentiality restrictions may still apply, a zillion
postings to various newsgroups notwithstanding.  And this in turn means
that it is a nonstarter as far as the IETF is concerned. Again, the
IETF rules concerning this could not be any clearer.

IETF rules are very clear: we don't take any position as to the validity
of anybody else's intellectual property claims.

Exactly, and this is the entire point. Since the IETF isn't in the business of
assessing the validity of IP claims it has no choice but to treat the RSA
claims as potentially valid.

The underlying problem here seems to be that you think this rule means we can
ignore IP issues entirely. It doesn't say this at all. The validity rule is
there to keep us out of IP disputes and to keep IP issues out of our technical
decision-making process to the greatest extent possible. And when it comes to
patents this works quite well, since most patents carry with them no
confidentiality restrictions (NSA patents are an exception, BTW.) and by being
able to ignore patent status we get to pick the best technology to solve a
given problem.

But in the case of trade secrets confidentiality restrictions exist as well,
and the existance of such absolutely does cause interference in the technical
decision-making process. As this has been dealt with by saying that such
restrictions cannnot exist for standardized technology.

I'd like to expand on the last point a bit because it happens to provide a
sound technical basis for rejecting RC2 as well as the more obvious rule-based
one. Specifically, the ongoing efforts of RSA to keep the details of RC2 (and
to a lesser extent RC4) secret have had a chilling effort on analysis of these
algorithms in the cryptographic community. Simply put, I know of the existance
of no cryptographic results for RC2 (and precious few for RC4). Now, when it
comes to cryptographic algorithms, it is almost axiomatic that trust only comes
after careful scrutiny. And while Ron Rivest is a highly competent
cryptographer with excellent credentials, he nevertheless could have made some
mistake in the design of RC2. And if I put on my mathematician hat for a
moment, I'm also uncomfortable with some of the design elements in RC2; the
S-box seems a bit small given that it is initialized more or less at random.

Others have pointed out that there isn't exactly a shortage of unencumbered
symmetric key algorithms, algorithms that have been cryptanalyzed extensively
and have withstood the best efforts of the community for many years. It
will years before RC2 attains this status, assuming it ever does. As such,
there is also a sound technical reason for rejecting RC2 as the algorithm
for use in S/MIME.


<Prev in Thread] Current Thread [Next in Thread>