On 20-jul-2006, at 13:56, marcelo bagnulo braun wrote: [big snip]
fwiw i don't expect patent problems
HBA technology is not one where the inventor of the technology is trying to push this technology in the standards so he can make profit out of it. Instead is the case where the HBA technology happens to fall inside a very broad patent claim made by other company. BEsides, the patent holder of this broad claim is claiming that it will not charge for the patent in case of HBA implementations.
Although I still think TLS can be useful, it does look like an uphill battle. So we should probably go back to the original question: are we comfortable moving forward with HBA even though there is a patent claim?
At this point, my answer would be: let's move forward with HBA as the only security mechanism or HBA as the primary security mechanism and CGA as an additional, optional one, but reserve the right to define new security mechanisms in the future, either in addition to HBA or as a replacement as the primary mechanism.
I.e., put the community on warning that even though we're comfortable with HBA _now_, we're recognizing that bad stuff can happen in the future.
It would be good to define how a new security mechanism would interact with the shim protocol, but I think this would be time consuming and difficult in the absence of additional security mechanisms, so it's not really realistic to expect to do this work now.