Phillip Hallam-Baker wrote:
>
> So the IETF has done patent deals in the past. We did it for RSA and
> DH for example because those were the only ways to do public key
> cryptography. It was agree to the patent claims or don't do the work.

Weird. That's not how I remember the situation with RSA.

I'm *NOT* aware of any patent deal of the IETF for RSA. IIRC, the DH patent expired in late 1997 and the RSA patent expired in the 2nd half of 2000. (The RSA patent existed only in a few countries, since the technology had been publicly described prior to patent application, excluding it from patentability in several jurisdictions).

TLSv1.0 (rfc2246) was published in January 1999 with the "official" mandatory-to-implement TLS cipher suite

  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  https://tools.ietf.org/html/rfc2246#section-9

i.e. *NO* RSA, because there was *NO* IETF patent deal about RSA.

De facto, SSL & TLSv1.0 were pretty much exclusively used with RSA server certificates from 1995 through today, and several vendors simply waited until the RSA patent had expired before shipping crypto with RSA (including SSL/TLS) implementations in their product.

What I remember from back then is more closely described/captured in Google search results like these:

a Baltimore White Paper, excerpt from page 4:
ftp://59.152.90.8/Softwere,%20Music%20&%20Others/EBooks/RSA_patent_expiry_developer_white_paper.pdf

  Intellectual property

  The final barrier to using public key cryptography has been a series of patents on the basic techniques -- the Diffie-Hellman algorithm, the RSA algorithm, the idea of public-key cryptography itself. Although patents are a useful way of rewarding inventors for their ideas, the RSA patent in particular has been used in ways that make it hard to develop good cryptographic software.

  Import

  RSA Security Inc (formerly known as RSA Data Security Inc, or RSADSI), which claimed exclusive rights to the exploitation of the patent, sells a software toolkit, called BSAFE Crypto-C ("BSAFE" for short), which implements many popular cryptographic algorithms. This is the only software implementation of the RSA algorithm which they are willing to see used in the US. Not only has this given them a monopoly of the market for basic cryptography in the US; it's made it difficult for software companies from other countries to sell to the US. The RSA algorithm is not patented outside North America, so developers there have been free to develop their own public key cryptography applications. But importing them into the US has meant re-engineering them to use BSAFE -- essentially, entirely unnecessary effort

  Toolkits: Lock-in

  In both their toolkits and their standards development, RSADSI have attempted to develop lock-in to the RSA algorithm. In BSAFE, Diffie-Hellman is supported differently from any other public key algorithm. BSAFE is deliberately written so that it's impossible to store a long-term Diffie-Hellman keypair, or use a Diffie-Hellman private key for more than one session. The Diffie-Hellman private key in BSAFE is held within an algorithm object, and can't be extracted from it; neither can algorithm objects be cloned, so there is simply no way of preventing the private key from expiring with the algorithm object.

  What are the effects of this? A developer using BSAFE who was tempted to implement a non-RSA based PKI would, quite simply, find it impossible. There is no straightforward way to publish a Diffie-Hellman public key in a database for future use by a correspondent. IETF standards, like S/MIME v3, cannot be implemented.

snippet from a lengthy discussion thread:
https://groups.google.com/forum/#!search/Gamal$20el$20Gamal$20can$20we$20resume$20$3F$3F/sci.crypt/M18NGuXQBP4/VFGbWgYsZJkJ

  RSA[DSI] offered Netscape a deal in which this hungry little startup got an unrestricted license to use RSA's BSAFE code, cash-free, in exchange for a legendary 1 percent of Netscape.

  What isn't clear in Mr. Schlafly's summary was that that deal merely settled -- on relatively generous terms, I think -- what was always a foregone conclusion. D-H was simply a non-starter in 1994, according to most informed observers.

  Mr. Schlafly offers a malevolent interpretation of the fact that RSADSI preferred to license its BSAFE toolkit -- to Netscape and everyone else -- as opposed to allowing OEMs a full patent license to roll their own RSApkc (and/or other RSA cryptosystems.)

or this:
http://marc.info/?l=openssl-users&m=94383534822859

-Martin