Phillip Hallam-Baker wrote:
So the IETF has done patent deals in the past. We did it for RSA and
DH for example because those were the only ways to do public key
cryptography. It was agree to the patent claims or don't do the work.
Weird. That's not how I remeber the situation with RSA. I'm *NOT* aware
of any patent deal of the IETF for RSA. IIRC, the DH patent expired in
late 1997 and the RSA patent expired in the 2nd half of 2000.
(The RSA patent existed only in a few countries, since the technology
had been publicly described prior to patent application, excluding it
from patentability in several jurisdictions).
TLSv1.0 (rfc2246) was published in January 1999 with the "official"
mandatory-to-implement TLS cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
https://tools.ietf.org/html/rfc2246#section-9
i.e. *NO* RSA, because there was *NO* IETF patent deal about RSA.
Defacto, SSL & TLSv1.0 were pretty much exclusively used with RSA
server certificates from 1995 through today, and several vendors simply
waited until the RSA patent had expired before shipping crypto with
RSA (including SSL/TLS) implementations in their product.
What I remember from back then is more closely described/captured in
Google search results like these:
a Baltimore White Paper, excerpt from page 4:
ftp://59.152.90.8/Softwere,%20Music%20&%20Others/EBooks/RSA_patent_expiry_developer_white_paper.pdf
Intellectual property
The final barrier to using public key cryptography has been a series
of patents on the basic techniques -- the Diffie-Hellman algorithm,
the RSA algorithm, the idea of public-key cryptography itself.
Although patents are a useful way of rewarding inventors for their
ideas, the RSA patent in particular has been used in ways that make
it hard to develop good cryptographic software.
Import
RSA Security Inc (formerly known as RSA Data Security Inc, or RSADSI),
which claimed exclusive rights to the exploitation of the patent,
sells a software toolkit, called BSAFE Crypto-C ("BSAFE" for short),
which implements many popular cryptographic algorithms. This is the
only software implementation of the RSA algorithm which they are willing
to see used in the US.
Not only has this given them a monopoly of the market for basic
cryptography in the US; it's made it difficult for software companies
from other countries to sell to the US. The RSA algorithm is not
patented outside North America, so developers there have been free
to develop their own public key cryptography applications.
But importing them into the US has mean re-engineering them to use
BSAFE -- essentially, entirely unnecessary effort
Toolkits: Lock-in
In both their toolkits and their standards development, RSADSI have
attempted to develop lock-in to the RSA algorithm. In BSAFE,
Diffie-Hellman is supported differently from any other public key
algorithm. BSAFE is deliberately written so that it's impossible
to store a long-term Diffie-Hellman keypair, or use a Diffie-Hellman
private key for more than one session. The Diffie-Hellman private key
in BSAFE is held within an algorithm object, and can't be extracted
from it; neither can algorithm objects be cloned, so there is simply
no way of preventing the private key from expiring with the
algorithm object.
What are the effects of this? A developer using BSAFE who was tempted
to implement a non-RSA based PKI would, quite simply, find it impossible.
There is no straightforward way to publish a Diffie-Hellman public key
in a database for future use by a correspondent. IETF standards, like
S/MIME v3, cannot be implemented.
snippet from a length discussion thread:
https://groups.google.com/forum/#!search/Gamal$20el$20Gamal$20can$20we$20resume$20$3F$3F/sci.crypt/M18NGuXQBP4/VFGbWgYsZJkJ
RSA[DSI] offered Netscape a deal in which this hungry little startup got
an unrestricted license to use RSA's BSAFE code, cash-free, in exchange for
a legendary 1 percent of Netscape. What isn't clear in Mr. Schlafly's
summary was that that deal merely settled -- on relatively generous
terms, I think -- what was always a foregone conclusion. D-H was simply
a non-starter in 1994, according to most informed observers.
Mr. Shlafly offers a malovalent interpretation of the fact that RSADSI
preferred to license its BSAFE toolkit -- to Netscape and everyone else
-- as opposed to allowing OEMs a full patent license to roll their own
RSApkc (and/or other RSA cryptosystems.)
or this:
http://marc.info/?l=openssl-users&m=94383534822859
-Martin