XML Security PAG Report 2012-06 (original) (raw)

Published on 15 October 2012

Table of contents

  1. Introduction
  2. Procedure
  3. Conclusions

Introduction

In order to promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented on a Royalty-Free (RF) basis. Patent Advisory Groups PAGs are created when a patent has been disclosed that may be essential but is not available under W3C RF licensing requirements, or to help avoid anticipated patent problems. Following review, pursuant to Section 7.5 of the Patent Policy, the PAG states its Proposal and reasons in a public W3C document.

This report constitutes the Proposal of the XML Security PAG.

The XML Security Working Groupis producing the XML Signature Syntax and Processing Version 1.1, XML Signature Syntax and Processing Version 2.0 and XML Encryption Syntax and Processing Version 1.1 Specifications. To fit certain requirements, especially in public procurement, elliptic curve cryptographic algorithms were introduced. Some Members raised concerns about the patent situation concerning elliptic curve cryptographic algorithms ("ECC") and noted the statements of Certicom Inc. filed with the IETF regarding RFC 6090. The W3C Team contacted Certicom Inc. to discuss its claims. Attempts to negotiate a Royalty Free license for Certicom's patents were unsuccessful. In its most recent statement to the XML Security mailing-list, Certicom Inc. offered a Royalty Free license with conditions that were viewed by the W3C Team as incompatible with the W3C Patent Policy, principally in light of the scope of RIM's proposed defensive suspension clause. Accordingly, W3C chartered this XML Security PAG.

Procedure

The W3C Team understands that Certicom Inc. is fully and wholly owned by Research in Motion (RIM), a W3C Member organization. RIM was not a member of the XML Security Working Group and, as of the date of this Report, has not joined that Working Group. Under the W3C Patent Policy, RIM has not incurred direct licensing obligations concerning XML Signature 1.1, XML Signature 2.0 and XML Encryption 1.1 in connection with the XML Security Working Group.

In the discussions with RIM and Certicom Inc., it remained unclear what patents RIM & Certicom had in mind when talking about XML Signature and XML Encryption. The XML Security PAG requested that W3C issue a direct disclosure request to W3C Member Research in Motion (RIM), as it owns and controls Certicom Inc. RIM answered with the following statement:

The current draft specifications XML Signature Syntax and Processing Version 1.1, W3C Candidate Recommendation 03 March 2011, and XML Encryption Syntax and Processing Version 1.1, W3C Candidate Recommendation 03 March 2011,reference IETF draft RFC 6090 to which Certicom Corp. has made an IPR statement citing the following patents: (general formatting and links beyond pure ASCII added by the editor)

Please see https://datatracker.ietf.org/ipr/1337/for additional details and licensing information.

The text of the relevant disclosure to the IETF is quoted below:

Patent Holder is currently aware of the information disclosed in V., supra*, which may relate to one or more implementations of IV., supra, which may become incorporated in an IETF RFC.

*: draft‐mcgrew‐fundamental‐ecc‐03, now RFC 6090

The XML Security Patent Advisory Group did not issue a call for prior art to the public.

After initial exploration of a royalty-free licensing statement compatible with the W3C patent policy, the PAG was created following the relevant rules. The XML Security PAG found no process violations to report. The PAG discussed questions of scope and deferred them to further discussions in the Patents and Standards Interest Group.

Conclusions

PAG Recommendations

Taking into account the wide variety of information made available to the Patent Advisory Group, the following recommendations are made:

  1. Work on XML Encryption Syntax and Processing Version 1.1 should continue without changes.
  2. For the avoidance of doubt and in order to be helpful to implementers, the PAG recommends to include wording into the XML Signature Syntax and Processing Version 1.1 Candidate Recommendation and the XML Signature 2.0 specification that is similar to the following:
    1. Add to "Versions, Namespaces and Identifiers" section:
      This specification uses algorithm identifiers in the namespace http://www.w3.org/2001/04/xmldsig-more# that were originally coined in [RFC4051]. RFC 4051 associates these identifiers with specific algorithms. Implementations of this specification must be fully interoperable with the algorithms specified in [RFC4051], but may compute the requisite values through any technique that leads to the same output.
    2. Update Section 6.4.3 in XML Signature 1.1 (and the equivalent section in XML Signature 2.0) to clarify that implementation must implement equivalent functionality, add ECC-ALGS references:
      This specification REQUIRES implementations to implement an algorithm that leads to the same results as ECDSA over the P-256 prime curve specified in Section D.2.3 of FIPS 186-3 [FIPS-186-3] (and using the SHA-256 hash algorithm), referred to as the ECDSAwithSHA256 signature algorithm [ECC-ALGS]. It is further recommended that implementations also implement algorithms that lead to the same results as ECDSA over the P-384 and P-521 prime curves; these curves are defined in Sections D.2.4 and D.2.5 of FIPS 186-3, respectively [ECC-ALGS].
    3. Add a footnote to Section 6.4.3 in XML Signature 1.1 (and the equivalent section in XML Signature 2.0), and to the first reference toRFC 6090:
      As described in IETF RFC 6090, the Elliptic Curve DSA (ECDSA) and KT-I signature methods are mathematically and functionally equivalent for fields of characteristic greater than three. See IETF RFC 6090 Section 7.2.
  3. This PAG does not draw any conclusions concerning RFC 6090.

Assuming adoption of these recommendations, the PAG concludes that the initial concern has been resolved, enabling the Working Group to continue.

Rationale & Observations

On XML Encryption

Certicom's statement covers RFC 6090entirely, but the XML Encryption Syntax and Processing Version 1.1 Specification uses only ECDH from section 4 of RFC 6090. RFC 6090 says about itself:

Page 20: All of the normative references for ECDH (as defined in Section 4) were published during or before 1989, and those for KT-I were published during or before May 1994. All of the normative text for these algorithms is based solely on their respective references.

The XML Encryption Syntax and Processing Version 1.1 Specification only requires an implementation of ECDH that conforms to RFC 6090. RFC 6090 states that the specified implementation is based solely on references that were published during or before 1989, which is more than one year prior to the apparent effective filing dates of the RIM patents disclosed to this PAG.

On XML Signature

To achieve interoperability, XML Signature 1.1 and 2.0 select ECDSA as one of the mandatory to implement algorithms. For further information, a reference is given to FIPS 186-3 [PDF]. The Patent Advisory Group did not consider it useful to enter into the exploration whether the specific algorithms as specified in ANSI X9.62 or with the additional requirements of FIPS 186-3 and the specific selection of a curve by the XML Signature Specification would fall within the scope of application of one of the disclosed patents.

In its response to the W3C request for disclosure, RIM cited the '773 and '870 patents. The '773 patent bears a filing date of October 1998 and lists no related patents. The '870 patent is a continuation of an earlier patent application (now issued as US Patent Nr. 5,999,626) and claims priority from the '626 patent, which was filed on 16 April 1996. In the material quoted above, RFC 6090 cites references for KT-I dating to May 1994. It appears, accordingly, that the earliest filing date for the disclosed patents and related patents identified by RIM is 16 April 1996, which post-dates by more than one year the references for KT-I given in RFC 6090. The patents disclosed by RIM to W3C do not, therefore, appear to be necessary to implement the KT-I algorithm, since publications describing the KT-I algorithm pre-date, by more than a year, the respective priority dates of the '870 and '773 patents cited in RIM's response to the disclosure request issued by W3C.

RFC 6090 states in section 7.2:

KT-I is mathematically and functionally equivalent to ECDSA, and can interoperate with the IEEE P1363 and ANSI X9.62 standards for Elliptic Curve DSA (ECDSA) based on fields of characteristic greater than three. KT-I signatures can be verified using the ECDSA verification algorithm, and ECDSA signatures can be verified using the KT-I verification algorithm.

As the core interest of selecting a certain algorithm is to achieve a certain level of security, but prominently also to achieve interoperability, there is no reason to require that people implement only and strictly the ECDSA algorithm. Implementing KT-I yields the same results for the curves required in the XML Signature 1.1 and 2.0 Specifications. The PAG was of the opinion that by relaxing the wording in the Specifications so that implementers are free to implement either of ECDSA or KT-I, the above statement from RFC 6090 would also apply to XML Signature 1.1 and XML Signature 2.0.

To achieve that, the PAG encourages the XML Security Working Group to find a wording that focuses on interoperability requirements and results, rather than on the implementation of a specific algorithm. This will allow implementers to select the algorithm that fits best their needs, while conforming with the necessary security and interoperability requirements.

As noted, the Patent Advisory Group is not in a position to determine whether the patents read on FIPS 186-3 [PDF] as referenced from the XML Signature Specification. The PAG understands its statement only as a recommendation on the W3C Specifications and the way they reference and/or select certain algorithms.

Consequently the PAG believes that the approach of permitting a fully compliant implementation of the XML Signature 1.1 and XML Signature 2.0 specifications to only use the KT-I algorithm (or another interoperable algorithm) helps to clarify the opportunities for implementers to mitigate risks. If one or more of the claims from the disclosed RIM patents properly construed would cover the KT-I algorithm then such claims might be invalid given the existence of references describing KT-I that are dated more than one year prior to the apparent effective filing dates of the patents disclosed by RIM.

The PAG recommends to clarify the wording in the Specifications as specified above and to continue the work.

Disclaimer

THESE RECOMMENDATIONS OF THE PATENT ADVISORY GROUP ARE NOT LEGAL ADVICE. NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THE XML SECURITY PATENT ADVISORY GROUP OR THEIR RESPECTIVE EMPLOYERS TAKES ANY RESPONSIBILITY FOR THE ACCURACY, LEGAL CORRECTNESS OR OTHER FITNESS FOR ANY PURPOSE OF THE INFORMATION PROVIDED IN THIS REPORT. ESPECIALLY, NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THE XML SECURITY PATENT ADVISORY GROUP OR ANY OF THEIR RESPECTIVE EMPLOYERS MAKE ANY REPRESENTATION THAT FOLLOWING THE RECOMMENDATIONS HERE WILL AVOID AN INFRINGEMENT OF THE US PATENT NR. 7,215,773 OR US PATENT NR. 6,704,870, OR ANY OTHER PATENT MENTIONED IN THE REPORT OR IN ANY DOCUMENTATION LINKED FROM THEREIN.


Created by Rigo Wenning, PAG Chair, March 2012, last updated Id:pagreport.html,v1.412012/10/1520:59:04ijacobsExpId: pagreport.html,v 1.41 2012/10/15 20:59:04 ijacobs Exp Id:pagreport.html,v1.412012/10/1520:59:04ijacobsExp

Design inspired by the CSS Working Group