Send comments opposing TLS-authz "experimental" standard by October 23
Update 2009-02-09: Your comments during this round helped to prevent passage, but now the patented standard is back again -- please see our update and submit another comment.
Much of the communication on the Internet happens between computers according to standards that define common languages. If we are going to live in a free world using free software, our software must be allowed to speak these languages.
Unfortunately, discussions about possible new standards are tempting opportunities for people who would prefer to profit by extending proprietary control over our communities. If someone holds a software patent on a technique that a programmer has to use in order to implement a standard, then no one is free to implement that standard without getting permission from and paying the patent holder. If we are not careful, standards can become major barriers to computer users having and exercising their freedom.
We depend on organizations like the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG) to evaluate new proposals for standards and make sure that they are not encumbered by patents or any other sort of restriction that would prevent free software users and programmers from participating in the world they define.
In February 2006, a standard for "TLS authorization" was introduced in the IETF for consideration. Very late in the discussion, a company called RedPhone Security disclosed that they had applied for a patent which would need to be licensed to anyone wanting to practice the standard. After this disclosure, the proposal was rejected.
However, the proposal is not dead yet. Its authors are trying to push it through not as an official standard but as an "experimental" or "informational" one, where, if approved, it will still be propagated under the IETF name. While it wouldn't be an official standard, this amounts to an attempt to sneak the patent-encumbered rejected standard in through a backdoor.
As Sam Hartman, Security Area Director for the IETF, said, "[O]ften it seems that we use informational as a way to publish things we cannot build a strong consensus behind. I think that process is generally problematic and would like to avoid it in this instance."
In the long term, widespread adoption of something published on this track would put free software in the same bad position as if the document were approved as a standard. To avoid encouraging public adoption of TLS authorization, we have deleted the support from the latest version of GnuTLS. If you are a programmer in this area, please join us in declining to implement these extensions.
The IETF is listening to comments on the question until October 23. The Free Software Foundation has sent one, but convincing the IETF takes many. Please mail your own comment to firstname.lastname@example.org, and CC us at email@example.com. If our voice is strong enough, the IETF will not approve this method on any level unless the patent threat is removed with a royalty-free license for all users.