Posted to dev@santuario.apache.org by Berin Lautenbach <be...@ozemail.com.au> on 2003/06/11 13:08:27 UTC

[Fwd: Encryption and Algorithms]

Peoples,

Cancel #2.  If I'd just done 5 minutes more research I would have picked 
the obvious.  RSA the algorithm is fine (came out of patent in 2000 - 
which I knew if I'd bothered to think) - the patents relate to other 
technologies/features with SAML.

Scott - if you're on the list I'd be very interested to know what the 
actual patent issues are.  Where did the OpenSAML Apache proposal get 
to?  It seems to have petered out in March?

Apologies - and consider many rude words to have just been said in the 
southern hemisphere.  *blush*

#1 is still an issue :>.

Cheers,
	Berin

-------- Original Message --------
Subject: Encryption and Algorithms
Date: Wed, 11 Jun 2003 20:53:52 +1000
From: Berin Lautenbach <be...@ozemail.com.au>
To: Apache XML DSIG <se...@xml.apache.org>

Peoples,

Following on from Axl's comments RE encryption the other day, I'd like
to put a note into general@xml (and possibly board@) asking for guidance
on two fronts.

1.  Encryption.  Until now everything has been signatures, which is
fairly benign.  Is there anything we need to be doing from a legal front
to cover Apache when we get into encryption?

2.  RSA.  In my digging around last night I unearthed the patent issues
around RSA that were discussed in incubator-general when OpenSAML was
proposed.  Both C++ and Java libraries provide support for RSA
signatures (although neither implements RSA directly).

On 1 - I don't believe the Java library actually implements any crypto
code, and the C++ library definitely doesn't.  Both use hooks into
existing libraries.  However, there can still be issues with hooks so it
would be good to cover off.

On 2 - I'm hoping this is not a _big_ can of worms, but I'd prefer to
raise it and sort it out (even if it potentially means disabling RSA
support) than leave it and get caught out later.

See :

http://marc.theaimsgroup.com/?l=incubator-general&w=2&r=1&s=OpenSAML&q=b

for the thread on OpenSAML and RSA.  I saw some of this on the periphery
a few months back, but never put two and two together.

Thoughts?  Maybe this has all been discussed and sorted out pre my time?

Cheers,
     Berin



RE: [Fwd: Encryption and Algorithms]

Posted by Davanum Srinivas <di...@yahoo.com>.
Thanks for the nudge. Updated http://ws.apache.org/ (deleted xml-security from ws.apache.org main
page). 

FYI, you will see a bit more activity next week in ws.apache.org. If you want to get involved,
please subscribe to general@ws.apache.org

-- dims

--- Scott Cantor <ca...@osu.edu> wrote:
> > Cancel #2.  If I'd just done 5 minutes more research I would have picked 
> > the obvious.  RSA the algorithm is fine (came out of patent in 2000 - 
> > which I knew if I'd bothered to think) - the patents relate to other 
> > technologies/features with SAML.
> 
> Saved me posting exactly that.
> 
> > Scott - if you're on the list I'd be very interested to know what the 
> > actual patent issues are.  Where did the OpenSAML Apache proposal get 
> > to?  It seems to have petered out in March?
> 
> The RSA web site is fairly self-explanatory, I think.
> http://www.rsasecurity.com/solutions/standards/saml/
> 
> I'm not in a position to know whether the patents are valid. I tried to read the two that they publicly referenced, and got
> nowhere. I prefer to focus on the language of the license, which is fairly clear. Internet2 applied for and signed the license so
> that we can distribute Shibboleth as a SAML application. That covers any users of Shibboleth, but not OpenSAML, which is a toolkit.
> 
> Anyone else using OpenSAML has to obtain the license from RSA at no cost, but it's a legal document, so most companies would have to
> have a VP sign it. Unfortunate, but that's the way it is.
> 
> The subtle (and very nice) thing about the license is that it's perpetual. RSA can't unilaterally terminate it, so they can't try
> and start collecting money from people who signed the agreement later, only newbies. This was pretty important to me.
> 
> As far as Apache goes, they (the board) believe that these terms make SAML unacceptable, so I think unless RSA agrees on a different
> set of terms, it's a dead issue at this point. Nothing I can really do, as I have no pull with any of the parties involved. I don't
> think Internet2 is inclined to push it, but that might change in the future.
> 
> I believe there is no way for any real web services work to happen in Apache, as these terms are clear and benign in comparison to
> what some of the other specs look like, IMHO.
> 
> I note the ws.apache.org site appears to be frozen these days. It's still referencing XML-Security, even.
> 
> -- Scott
> 


=====
Davanum Srinivas - http://webservices.apache.org/~dims/


RE: [Fwd: Encryption and Algorithms]

Posted by Scott Cantor <ca...@osu.edu>.
> Cancel #2.  If I'd just done 5 minutes more research I would have picked 
> the obvious.  RSA the algorithm is fine (came out of patent in 2000 - 
> which I knew if I'd bothered to think) - the patents relate to other 
> technologies/features with SAML.

Saved me posting exactly that.

> Scott - if you're on the list I'd be very interested to know what the 
> actual patent issues are.  Where did the OpenSAML Apache proposal get 
> to?  It seems to have petered out in March?

The RSA web site is fairly self-explanatory, I think.
http://www.rsasecurity.com/solutions/standards/saml/

I'm not in a position to know whether the patents are valid. I tried to read the two that they publicly referenced, and got
nowhere. I prefer to focus on the language of the license, which is fairly clear. Internet2 applied for and signed the license so
that we can distribute Shibboleth as a SAML application. That covers any users of Shibboleth, but not OpenSAML, which is a toolkit.

Anyone else using OpenSAML has to obtain the license from RSA at no cost, but it's a legal document, so most companies would have to
have a VP sign it. Unfortunate, but that's the way it is.

The subtle (and very nice) thing about the license is that it's perpetual. RSA can't unilaterally terminate it, so they can't try
and start collecting money from people who signed the agreement later, only newbies. This was pretty important to me.

As far as Apache goes, they (the board) believe that these terms make SAML unacceptable, so I think unless RSA agrees on a different
set of terms, it's a dead issue at this point. Nothing I can really do, as I have no pull with any of the parties involved. I don't
think Internet2 is inclined to push it, but that might change in the future.

I believe there is no way for any real web services work to happen in Apache, as these terms are clear and benign in comparison to
what some of the other specs look like, IMHO.

I note the ws.apache.org site appears to be frozen these days. It's still referencing XML-Security, even.

-- Scott