Send comments opposing TLS-authz "experimental" standard by October 23

[John Sullivan]

Much of the communication on the Internet happens between computers according
to standards that define common languages. If we are going to live in a free
world using free software, our software must be allowed to speak these
languages.

Unfortunately, discussions about possible new standards are tempting
opportunities for people who would prefer to profit by extending proprietary
control over our communities. If someone holds a software patent on a technique
that a programmer has to use in order to implement a standard, then no one is
free to implement that standard without getting permission from and paying the
`patent holder
<http://www.gnu.org/philosophy/fighting-software-patents.html>`_. If we are not
careful, standards can become major barriers to computer users having and
exercising their freedom.

We depend on organizations like the Internet Engineering Task Force (IETF) and
the Internet Engineering Steering Group (IESG) to evaluate new proposals for
standards and make sure that they are not encumbered by patents or any other
sort of restriction that would prevent free software users and programmers from
participating in the world they define.

In February 2006, a standard for `"TLS authorization"
<http://tools.ietf.org/wg/tls/draft-housley-tls-authz-extns-07.txt>`_ was
introduced in the IETF for consideration. Very late in the discussion, a
company called RedPhone Security `disclosed
<https://datatracker.ietf.org/ipr/833/>`_ that they applied for a patent which
would need to be licensed to anyone wanting to practice the standard. After
this disclosure, the proposal was rejected.

However, the proposal is not dead yet. Its authors are trying to push it
through not as an official standard but as an `"experimental" or
"informational" one <https://datatracker.ietf.org/idtracker/ballot/2081/>`_,
where if approved it will still be propagated under the IETF name. While it
wouldn't be an official standard, this amounts to an attempt to sneak the
patent-encumbered rejected standard in through a backdoor.

As Sam Hartman, Security Area Director for the IETF said, `"[O]ften it seems
that we use informational as a way to publish things we cannot build a strong
consensus behind. I think that process is generally problematic and would like
to avoid it in this instance."
<https://datatracker.ietf.org/idtracker/draft-housley-tls-authz-extns/comment/68197/>`_

In the long term, widespread adoption of something published on this track
would put free software in the same bad position as if the document were
approved as a standard. To avoid encouraging public adoption of TLS
authorization, we have deleted the support from the latest version of `GnuTLS
<http://directory.fsf.org/project/gnutls/>`_. If you are a programmer in this
area, please join us in declining to implement these extensions.

IETF is listening to comments on the question until October 23. The Free
Software Foundation `has sent one
<http://www.fsf.org/campaigns/software-patents/draft-housley-tls-authz-extns.html>`_,
but convincing the IETF takes many. Please mail your own comment to
address@hidden, and CC us at address@hidden If our voice is strong enough,
the IETF will not approve this method on any level unless the patent threat is
removed with a royalty-free license for all users.

-- 
John Sullivan
Campaigns Manager            | Phone: (617)542-5942 x23 | http://badvista.org
51 Franklin Street, 5th Fl.  | Fax:   (617)542-2652     | http://www.gnu.org
Boston, MA 02110-1301 USA    | GPG:   AE8600B6          | http://www.fsf.org