In order to promote the widest adoption of Web standards, W3C seeks to issue
Recommendations that can be implemented on a Royalty-Free (RF) basis. Patent
Advisory Groups PAGs
are created when a
patent has been disclosed that may be essential but is not available under W3C
RF licensing requirements, or to help avoid anticipated patent problems.
Following review, pursuant to Section 7.5 of
the Patent Policy, the PAG states its Proposal and reasons in a public W3C
document.
This report constitutes the Proposal of the XML Security PAG.
The XML Security Working Group is producing the XML Signature Syntax and Processing Version 1.1, XML Signature Syntax and Processing Version 2.0 and XML Encryption Syntax and Processing Version 1.1 Specifications. To fit certain requirements, especially in public procurement, elliptic curve cryptographic algorithms were introduced. Some Members raised concerns about the patent situation concerning elliptic curve cryptographic algorithms ("ECC") and noted the statements of Certicom Inc. filed with the IETF regarding RFC 6090. The W3C Team contacted Certicom Inc. to discuss its claims. Attempts to negotiate a Royalty Free license for Certicom's patents were unsuccessful. In its most recent statement to the XML Security mailing-list, Certicom Inc. offered a Royalty Free license with conditions that were viewed by the W3C Team as incompatible with the W3C Patent Policy, principally in light of the scope of RIM's proposed defensive suspension clause. Accordingly, W3C chartered this XML Security PAG.
The W3C Team understands that Certicom Inc. is fully and wholly owned by Research in Motion (RIM), a W3C Member organization. RIM was not a member of the XML Security Working Group and, as of the date of this Report, has not joined that Working Group. Under the W3C Patent Policy, RIM has not incurred direct licensing obligations concerning XML Signature 1.1, XML Signature 2.0 and XML Encryption 1.1 in connection with the XML Security Working Group.
In the discussions with RIM and Certicom Inc., it remained unclear what patents RIM & Certicom had in mind when talking about XML Signature and XML Encryption. The XML Security PAG requested that W3C issue a direct disclosure request to W3C Member Research in Motion (RIM), as it owns and controls Certicom Inc. RIM answered with the following statement:
The current draft specifications XML Signature Syntax and Processing Version 1.1, W3C Candidate Recommendation 03 March 2011, and XML Encryption Syntax and Processing Version 1.1, W3C Candidate Recommendation 03 March 2011, reference IETF draft RFC 6090 to which Certicom Corp. has made an IPR statement citing the following patents: (general formatting and links beyond pure ASCII added by the editor)
Please see https://datatracker.ietf.org/ipr/1337/ for additional details and licensing information.
The text of the relevant disclosure to the IETF is quoted below:
Patent Holder is currently aware of the information disclosed in V., supra*, which may relate to one or more implementations of IV., supra, which may become incorporated in an IETF RFC.
*: draft‐mcgrew‐fundamental‐ecc‐03, now RFC 6090
The XML Security Patent Advisory Group did not issue a call for prior art to the public.
After initial exploration of a royalty-free licensing statement compatible with the W3C patent policy, the PAG was created following the relevant rules. The XML Security PAG found no process violations to report. The PAG discussed questions of scope and deferred them to further discussions in the Patents and Standards Interest Group.
Taking into account the wide variety of information made available to the Patent Advisory Group, the following recommendations are made:
This specification uses algorithm identifiers in the namespace http://www.w3.org/2001/04/xmldsig-more# that were originally coined in [RFC4051]. RFC 4051 associates these identifiers with specific algorithms. Implementations of this specification must be fully interoperable with the algorithms specified in [RFC4051], but may compute the requisite values through any technique that leads to the same output.
This specification REQUIRES implementations to implement an algorithm that leads to the same results as ECDSA over the P-256 prime curve specified in Section D.2.3 of FIPS 186-3 [FIPS-186-3] (and using the SHA-256 hash algorithm), referred to as the ECDSAwithSHA256 signature algorithm [ECC-ALGS]. It is further recommended that implementations also implement algorithms that lead to the same results as ECDSA over the P-384 and P-521 prime curves; these curves are defined in Sections D.2.4 and D.2.5 of FIPS 186-3, respectively [ECC-ALGS].
As described in IETF RFC 6090, the Elliptic Curve DSA (ECDSA) and KT-I signature methods are mathematically and functionally equivalent for fields of characteristic greater than three. See IETF RFC 6090 Section 7.2.
Assuming adoption of these recommendations, the PAG concludes that the initial concern has been resolved, enabling the Working Group to continue.
Certicom's statement covers RFC 6090 entirely, but the XML Encryption Syntax and Processing Version 1.1 Specification uses only ECDH from section 4 of RFC 6090. RFC 6090 says about itself:
Page 20: All of the normative references for ECDH (as defined in Section 4) were published during or before 1989, and those for KT-I were published during or before May 1994. All of the normative text for these algorithms is based solely on their respective references.
The XML Encryption Syntax and Processing Version 1.1 Specification only requires an implementation of ECDH that conforms to RFC 6090. RFC 6090 states that the specified implementation is based solely on references that were published during or before 1989, which is more than one year prior to the apparent effective filing dates of the RIM patents disclosed to this PAG.
To achieve interoperability, XML Signature 1.1 and 2.0 select ECDSA as one of the mandatory to implement algorithms. For further information, a reference is given to FIPS 186-3 [PDF]. The Patent Advisory Group did not consider it useful to enter into the exploration whether the specific algorithms as specified in ANSI X9.62 or with the additional requirements of FIPS 186-3 and the specific selection of a curve by the XML Signature Specification would fall within the scope of application of one of the disclosed patents.
In its response to the W3C request for disclosure, RIM cited the '773 and '870 patents. The '773 patent bears a filing date of October 1998 and lists no related patents. The '870 patent is a continuation of an earlier patent application (now issued as US Patent Nr. 5,999,626) and claims priority from the '626 patent, which was filed on 16 April 1996. In the material quoted above, RFC 6090 cites references for KT-I dating to May 1994. It appears, accordingly, that the earliest filing date for the disclosed patents and related patents identified by RIM is 16 April 1996, which post-dates by more than one year the references for KT-I given in RFC 6090. The patents disclosed by RIM to W3C do not, therefore, appear to be necessary to implement the KT-I algorithm, since publications describing the KT-I algorithm pre-date, by more than a year, the respective priority dates of the '870 and '773 patents cited in RIM's response to the disclosure request issued by W3C.
RFC 6090 states in section 7.2:
KT-I is mathematically and functionally equivalent to ECDSA, and can interoperate with the IEEE P1363 and ANSI X9.62 standards for Elliptic Curve DSA (ECDSA) based on fields of characteristic greater than three. KT-I signatures can be verified using the ECDSA verification algorithm, and ECDSA signatures can be verified using the KT-I verification algorithm.
As the core interest of selecting a certain algorithm is to achieve a certain level of security, but prominently also to achieve interoperability, there is no reason to require that people implement only and strictly the ECDSA algorithm. Implementing KT-I yields the same results for the curves required in the XML Signature 1.1 and 2.0 Specifications. The PAG was of the opinion that by relaxing the wording in the Specifications so that implementers are free to implement either of ECDSA or KT-I, the above statement from RFC 6090 would also apply to XML Signature 1.1 and XML Signature 2.0.
To achieve that, the PAG encourages the XML Security Working Group to find a wording that focuses on interoperability requirements and results, rather than on the implementation of a specific algorithm. This will allow implementers to select the algorithm that fits best their needs, while conforming with the necessary security and interoperability requirements.
As noted, the Patent Advisory Group is not in a position to determine whether the patents read on FIPS 186-3 [PDF] as referenced from the XML Signature Specification. The PAG understands its statement only as a recommendation on the W3C Specifications and the way they reference and/or select certain algorithms.
Consequently the PAG believes that the approach of permitting a fully compliant implementation of the XML Signature 1.1 and XML Signature 2.0 specifications to only use the KT-I algorithm (or another interoperable algorithm) helps to clarify the opportunities for implementers to mitigate risks. If one or more of the claims from the disclosed RIM patents properly construed would cover the KT-I algorithm then such claims might be invalid given the existence of references describing KT-I that are dated more than one year prior to the apparent effective filing dates of the patents disclosed by RIM.
The PAG recommends to clarify the wording in the Specifications as specified above and to continue the work.
THESE RECOMMENDATIONS OF THE PATENT ADVISORY GROUP ARE NOT LEGAL ADVICE. NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THE XML SECURITY PATENT ADVISORY GROUP OR THEIR RESPECTIVE EMPLOYERS TAKES ANY RESPONSIBILITY FOR THE ACCURACY, LEGAL CORRECTNESS OR OTHER FITNESS FOR ANY PURPOSE OF THE INFORMATION PROVIDED IN THIS REPORT. ESPECIALLY, NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THE XML SECURITY PATENT ADVISORY GROUP OR ANY OF THEIR RESPECTIVE EMPLOYERS MAKE ANY REPRESENTATION THAT FOLLOWING THE RECOMMENDATIONS HERE WILL AVOID AN INFRINGEMENT OF THE US PATENT NR. 7,215,773 OR US PATENT NR. 6,704,870, OR ANY OTHER PATENT MENTIONED IN THE REPORT OR IN ANY DOCUMENTATION LINKED FROM THEREIN.
Design inspired by the CSS Working Group