Following up to my own mail:

Martin Rex wrote:
> Phillip Hallam-Baker wrote:
> >
> > So the IETF has done patent deals in the past. We did it for RSA and
> > DH for example because those were the only ways to do public key
> > cryptography. It was: agree to the patent claims or don't do the work.
>
> Weird. That's not how I remember the situation with RSA. I'm *NOT* aware
> of any patent deal of the IETF for RSA. IIRC, the DH patent expired in
> late 1997 and the RSA patent expired in the 2nd half of 2000.

I should have read through to the end of the Baltimore Whitepaper; here's
more from its last page.

-Martin

Baltimore White Paper, excerpt from page 5:
ftp://59.152.90.8/Softwere,%20Music%20&%20Others/EBooks/RSA_patent_expiry_developer_white_paper.pdf

Standards

To take one well-known example, consider the development of the SSL and TLS protocols, which originally used the RSA algorithm. Netscape decided to use the RSA algorithm to secure SSL in their browsers for good reasons. It was twice as fast as equivalent-strength Diffie-Hellman for decryption, and two hundred times as fast for encryption. Using RSA meant that a single algorithm could support both authentication (signing/verifying) and confidentiality (encryption/decryption). But this choice, made for good technical reasons, would cause great political difficulty in years to come. SSL was a proprietary technology, invented and implemented by Netscape. As Netscape became more committed to open Web standards, they turned stewardship of SSL over to the Internet Engineering Task Force (IETF), the voluntary organization which has defined and managed all the fundamental protocols that run the Internet today. One of the IETF's core values is to avoid the use of proprietary technology when at all possible. TCP, UDP, IP are non-patented and freely available for use, and the IETF is careful to ensure that new protocols can be implemented in a patent-free way.
The presence of the RSA algorithm in SSL (and in S/MIME, the secure email protocol, developed by RSADSI in the mid-90s as an alternative to PGP and adopted by both Microsoft and Netscape) was a considerable headache for the standards bodies. In fact, before 1997 the presence of any public key cryptography at all would have been an obstacle, because of the Diffie-Hellman patent on the concept of public key cryptography. Once that patent expired, though, there was a clear course of action for the IETF. In all cryptographic protocols which had used RSA, they mandated Diffie-Hellman for encryption and DSA for signing. There was no other decision that could have been made, given the IETF's strict guidelines. But the effect was to sow confusion among developers who were committed to supporting the Internet standards work of the IETF. RSA was the de facto standard: it was in all the browsers and all the secure mailers. But the standards mandated DSA and Diffie-Hellman. An implementation of TLS or S/MIME could be fully compliant with the standard, but unable to talk to the browsers that everyone was using. And RSADSI's patent licensing policy and litigiousness meant there was no chance that the IETF could bend the rules; if the standards had mandated the RSA algorithm, or even put it on an equal footing with the non-patented algorithms, anyone who naively read and implemented the standard would end up getting sued. With the expiry of the RSA patent, the official standard and the de facto standard can move back into alignment with each other.