Re: RC5/6 Patents - Clarifications


Vin McLellan (vin@shore.net)
Fri, 24 Jul 1998 19:41:27 -0400


        Bob Baldwin <baldwin@rsa.com> wrote:

>> For my part, in my comments to NIST, I have urged that
>> the new AES be defined in the broadest possible way, so as to encompass
>> the greatest possible array of implementation modes. Specifically, I have
>> encouraged NIST to define PRNG, Digest and key derivation modes that an
>> implementor can use for free.

        Bob Baldwin's concern -- what he tried to suggest here, and what he
has been preaching for some time to NIST and anyone else who would listen
-- is that what developers use is not the standardized algorithm, per se,
but implementations of it that fall into a score of modes.

        Baldwin argues that some 20-odd modes -- some of which are already
patented by IBM, Certicom, and others -- should be part of the
(free-for-all-users) AES when it is issued. He's suggesting a broader
definition of the royalty-free AES, not a more narrow one!

        DES, of course, had its basic implementation modes as part of the
standard too. Baldwin's point is that these are not sufficient, and the AES
should be expanded to encompass an array of known and trusted modes for all
the algorithm-dependent functions we now know that developers need and use.

        Not only a block cipher and a stream cipher, but also key
derivation functions, a PRNG, one-way hash functions, and message
authentication codes. (Bob has a list of a couple dozen that he reels off,
but I think those are the basic classes. I suppose that we could also
expect a key-escrow mode as well. <sigh>)

        Baldwin has been urging NIST to consider providing -- after
obtaining releases from their patent owners, when necessary -- a vastly
more expanded arsenal of "standardized" implementation modes as part of the
AES. He suggests that offering multiple companies or inventors partial
credit for the AES -- for modes as opposed to the algorithm, per se --
might make it possible to obtain those licenses today.

        True, as Perry pointed out:

> [...] people will continue to come up with newer modes of operation
> that had not previously been thought of.

        But patentable "new modes" for the AES will be, by definition,
novel and non-obvious. No one can do much to control that. Nor do I think
any thoughtful person would want to try. Baldwin's focus is on those which
can be identified now as useful and valuable to implementors and developers.

        This teapot furor about whether a patented algorithm -- if one were
eventually chosen to be the AES -- will be made available by the inventor
free of patent encumbrances is absurd. Of course it will be! NIST
requires it and the US Congress demands it. Any contract transferring
control of an algorithm to the US government so that it can become the AES
will explicitly declare the algorithm, in all formats, to be royalty-free
worldwide. That was part of the initial call for AES candidates two years ago.

        We all _know_ this, don't we?

        This is not a one-company issue. This is not a matter of intent,
whim, or policy at RSA, or at IBM, NTT, Cylink, Entrust, or any other
sponsoring vendor or institution with a patented or patent-pending AES
candidate. It is (and should be) a matter of law and contract and federal
policy.

        Baldwin's comments, to this audience, presumed this common knowledge.

        (Most of us also know that corporate crypto vendors make their
money selling trusted implementation code for their own or other people's
algorithms -- not licensing their algorithms, myth to the contrary. This is
certainly the case at IBM, where I did a stint as corporate historian, and
at RSA, for whom I am now a consultant. Any vendor who provides the winning
AES candidate will not suffer for it, even after giving up patent rights.)

        Perry -- as an aside in the middle of an extended and doubtless
cathartic epiphany -- asked Bob:

>(Please DO NOT cloud the issue by bringing up utterly unrelated things like
>the fact that IBM enforced other crypto patents like the CDMF that almost
>incidentally happened to involve DES -- all you will succeed in doing by
>mentioning that is increasing suspicion that you are planning something.)

        Highlighting those oh-so-incidental and interrelated patents on
modes -- and suggesting that the best of them be made part of the AES
standard -- is exactly, of course, what Bob Baldwin has been repeatedly
suggesting over the past two years within the "crypto community" of
corporate software developers he works with.

        The idea of making those modes freely available to all as part of
the AES _is_ Baldwin's issue.

        I thought this List would be a great forum in which his idea could
be further discussed and useful components of such an AES Toolkit
considered and identified. I regret that his initiative was so
misunderstood.

        Suerte,
                _Vin

-----
      Vin McLellan + The Privacy Guild + <vin@shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:53 ADT