
Re: [TLS] Document Action: 'TLS Elliptic Curve Cipher Suites with



On Mon, 7 Jul 2008, Yoav Nir wrote:

> On Jul 7, 2008, at 1:45 AM, Dean Anderson wrote:

> > Uhh, as Sam Hartman demonstrated with TLS-Authz, the IESG are the
> > "IETF police".
> 
> And again, suppose I manage to get draft-nir-tls-eap to IETF last call  
> as a "proposed standard", make no disclosure, and then somebody (you?)  
> finds out that to implement this standard, you need to use "stateful  
> inspection", for which my company holds a patent.
> 
> What would you suggest the "IETF police" do?  Just knocking the  
> standard down to Informational is nice, but what else?  What sanctions  
> would you suggest be taken against me?  Against Check Point?  RFC 3979  
> does not authorize them to do anything.

No one is entitled to an informational designation, either.  Failure to 
comply with RFC3979 is cause to remove the RFC designation. There are 
several consequences for failure to comply with RFC3979 at present.

In the TLS-Authz case, the IETF moniker was removed entirely.  So just
by that move by the IESG in the TLS-Authz case, Brown's company must now
remove the IETF RFC labeling on its product literature and future
marketing plans.  Furthermore, their protocol is now proprietary rather
than standardized. Some people don't want to use proprietary protocols.
Those two things seem (to me) to be significant RFC3979-related
consequences. If those consequences aren't sufficient to motivate
RFC3979 compliance, then I'd advocate stronger measures.

But, the problem we seem to have at present is the failure to uniformly
impose the current consequences of RFC3979 non-compliance.

> This may sound bad, but do you really want to set up a "court of the
> IETF" to depose witnesses and make determinations as to intent?  I
> don't think we really want to go there, and we really don't want to
> create a new category of IPR where companies and individuals that
> violate IETF policy are somehow prohibited from implementing RFCs.

One can't prohibit anyone from implementing RFCs.  But the IETF does
control the contents and approval of RFCs.

> So yes, I believe that an angry post from you (and an Informational  
> designation for the RFC) is the worst we can do to violators.

They are not entitled to Informational designation, either.  

BTW, there is also another consequence imposed on their reputation for
the failure to disclose the patents to a standards body.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

