[Previous] [Next] [Index]
[Thread]
Re: Secure HTTP mailing list
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
> To: allyn@dblv001.ca.boeing.com, andrieu@presence.COM, hungvu@milkyway.com
> Subject: Re: Secure HTTP mailing list
> Cc: treese@openmarket.com, www-security@ns1.rutgers.edu
> Content-Length: 864
> Sender: owner-www-security@ns1.Rutgers.EDU
> Precedence: bulk
> Reply-To: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
> Status: R
>
> Unfortunately you can't compare s-http to TCP or DNS or any other standard.
> In those cases, the specs were "public domain" and anyone could build a
> TCP stack and take it to the TCP bake off to see if it worked. In the case
> of any secure protocol there is the very good chance (and SHTTP is no
> exception) that the protocol or specification will want to use the
> _patented_ RSA algorithims (Public Key Partners effectively has a what
> appears to be a patent on any public key scheme). What that means is
> that there is _no way_ for anyone to develop a license free version of
> S-HTTP because they would always infringe the patent. Since public key
> technology appears at this stage to be essential to any useful secure
> protocol, RSADSI, PKP, and EIT have the rest of the net by their
> cyber short hairs.
This is not quite true. RSADSI has released a library for free non-
commercial use of the RSA algorithm, called RSAREF. I haven't studied
the shttp standard closely but probably RSAREF would be adequate for
an implementation. Of course this would have to be a public-domain or
GPL type of program. If your interest is commercial rather than civic
you would need to make license arrangements with RSA just as with any other
patented technology.
Hal Finney
hfinney@shell.portal.com