[228] in WWW Security List Archive
Re: Secure HTTP mailing list
daemon@ATHENA.MIT.EDU (Allan M Schiffman)
Wed Nov 16 04:33:46 1994
Date: Tue, 15 Nov 94 23:11:49 PST
From: ams@eit.com (Allan M Schiffman)
To: cmcmanis@scndprsn.Eng.Sun.COM
Cc: treese@openmarket.com, www-security@ns1.rutgers.edu
Reply-To: ams@eit.com (Allan M Schiffman)
> Unfortunately you can't compare s-http to TCP or DNS or any other standard.
> In those cases, the specs were "public domain" and anyone could build a
> TCP stack and take it to the TCP bake off to see if it worked. In the case
> of any secure protocol there is the very good chance (and SHTTP is no
> exception) that the protocol or specification will want to use the
> _patented_ RSA algorithms (Public Key Partners effectively has what
> appears to be a patent on any public key scheme).
Largely correct, but what that means, I suppose (at least in this
regard), is that you might compare such protocols to PEM rather than TCP
or DNS.
> What that means is
> that there is _no way_ for anyone to develop a license free version of
> S-HTTP because they would always infringe the patent.
That was essentially true in the first version of the spec. The
upcoming version of the spec, in response to popular demand, supports
shared-secret authentication and key exchange (e.g., password-like
secrets and Kerberos KDCs). This provides all of S-HTTP's security
mechanisms except non-repudiability, without PKC. You could say that
this is reduction to a previously unsolved problem, I suppose. :-)
We hope to have the revised spec out by the end of the month. Now, if I
can only keep up with my email...
> Since public key
> technology appears at this stage to be essential to any useful secure
> protocol, RSADSI, PKP, and EIT have the rest of the net by their
> cyber short hairs.
RSADSI/PKP, maybe, but EIT disclaims intent to patent any of the
techniques embodied in the protocol. In fact, we understand that the
Patent Office has a "public disclosure" mechanism for non-patented work
to be incorporated into their prior-art database, and if we can just
figure out how to use it, we'll file such disclosures to prevent others
from obstructing S-HTTP implementations via patent.
-Allan