Paul Hoffman wrote:
I have a few objections to this draft that I would like to see cleared up
before any further discussion happens on the draft.
The draft does not have the mandatory notice about whether or not it
complies with RFC 2026. Without this notice, the authors could claim that
they do not release copyright on the draft to the IETF, and therefore we
may not be able to use the discussions of the draft in the future.
The draft seems more like a marketing effort than a technical
specification. All the talk about integration with S/MIME, the history of
IDEA, and so on is pretty useless. A simple document saying "here's the
OID, here are the parameters, here's our patent statement" would suffice.
(I find it particularly galling that the sentence "S/MIME is constructed
as
an open system." is used near the beginning of the draft as a way to make
nice before proposing an algorithm that is heavily protected by patents.)
The draft restates some of the MUSTs and SHOULDs from the -msg draft,
which
is completely inappropriate. All such restatements should be removed,
leaving just the changes that this draft would make to the
hopefully-soon-to-be-standard.
There is no Security Considerations section; I think one would be
appropriate, given that this is proposing an algorithm that is not widely
known.
The statement "Commercial licenses can be obtained by contacting
idea(_at_)ascom(_dot_)ch" is interesting, if true. I was told a few years ago
that a
company that applied for an IDEA license for PGP was flatly rejected
without any talk of the cost (I have no verification of this). Perhaps the
authors of this draft should reword the sentence, or spell out what they
mean in terms similar to those used in RFC 2026 and RFC 2028.
======================================================
We will definitely include the mandatory notice about the compliance
of our draft with
RFC 2026. Of course, it is our intention to release copyright on the
draft to the IETF!
Ascom Systec's policy about IDEA licensing has changed already some
years ago.
Today, everybody can easily obtain IDEA licenses at low costs for
instance by using our online lincence order service at
http://www.ascom.ch/infosec/ . We would also like to emphasize that IDEA is
free for non-commercial use.
The attached reference list of IDEA users should be proof enough
that IDEA is
not only widely known but also widely accepted !
We have written our draft with the intention to support developers
with important implementation and application information. Since not every
SW developer in IT-security is an expert in S/MIME, we believe it is
required to give more than just the OID and licensing information. However,
we are thankful for every helpful comment to make the draft clearer for a
better understanding.
<<referencesIDEA.doc>>
----------------------------------------------------------------------------
| Dr. Stephan Teiwes
| Ascom Systec AG, CH-5506 Maegenwil
| Phone: +41 (0)62 / 889 59 36
| Fax: +41 (0)62 / 889 59 99
| EMail: stephan(_dot_)teiwes(_at_)ascom(_dot_)ch
|
| Information Security with IDEA(_at_)corporate products
| http://www.ascom.com/infosec
----------------------------------------------------------------------------
referencesIDEA.doc
Description: MS-Word document