In message <[EMAIL PROTECTED]>, "Axel H Horns" writes:

>
>1. The first striking item (page 3, section 3.1) is that despite 
>relaxation of crypto regulations, a clause is provided according to 
>which "an industrial property Office or recognized Certification 
>Authority may decide to offer Key Recovery for the confidentiality 
>key pair when allowed (or required) under national laws". It seems 
>not to be clear whether this "service" is offered to the Offices 
>aimed at the applicants. 

The U.S. Patent and Trademark Office pulled a similar stunt a couple of 
years ago.  This is preposterous.
>
>2. According to the WIPO paper, acceptable digital signatures in the 
>context of any PKI are to be bound to PKCS#7 (page 4, section 3.4):
>
>  ftp://ftp.rsasecurity.com/pub/pkcs/doc/pkcs-7.doc
>
>What I don't know is whether PKCS Standards are under the control of 
>any public standards body or they are simply a de-facto industry 
>standard made by RSA Labs. Can this standard (at least theoretically) 
>be changed without notice by RSA Labs? Is there any corresponding 
>"official Standard" which might be used instead of referencing 
>PKCS#7? Would it have been a better idea from a technical point of 
>view to use the emerging OpenPGP standard instead? Are there modular 
>implementations of software packages for dealing with PKCS#7 formats 
>available under the GNU GPL License?  

The PKCS standards are regularly reviewed by an open group.
>
>3. Under section 3.5, the WIPO paper recommends a symmetric 
>encryption algorithm called "dES-EDE3-CBC". I have never heard of 
>that. What is the meaning thereof?

That's triple DES in encrypt-decrypt-encrypt fashion, using cipher 
block chaining.  It's common, secure, and conservative.  Expect it to 
be changed to AES-CBC in a couple of years.
>
>4. Under section 3.7, SHA-1 is selected as Message Digest Algorithm. 
>Would you say that this algorithm is a proper state-of-the-art choice 
>for an upcoming new business standard?

Yes.
>
>5. Obviously due to political considerations, a least common 
>denominator has been implemented regarding the requirement that 
>the applicant has to provide an electronic signature when filing a 
>PCT patent application with the respective Receiving Office: In 
>section 4 ("Signatures Mechanisms") the Receiving Offices are allowed 
>to require/allow
>
> (a) Basic Electronic Signatures
>     (i)   Facsimile image of the user's signature
>     (ii)  Text string, e.g. "/John Doe/"
>     (iii) "Click Wrap" signature; a text string simply indicating
>           that the applicant has pressed the "OK" button on his
>           electronic filing software;
> (b) Enhanced Electronic Signature
>     (i)  PKCS#7 Signature
>
>In other words: Receiving Offices are free at their discretion to 
>choose snake oil or virtually nothing instead of cryptographical 
>signatures.

It's not snake oil, in that no one is being deceived, nor is the 
primary meaning depending on the cryptography.  A patent application 
(as you well know) is not a one-shot transaction where you toss 
something over the fence, and where it is uncertain who the other party 
is.  The point of the signature is to state that you are attesting, 
under penalty of law, to the truth of certain statements; in that 
sense, the signature is more "solemnification", a word that I believe 
has been used in court cases on the validity of computer-printed 
signatures.
>
>6. Regarding text formatting, the WIPO paper starts with XML which 
>seems to be a well done choice. However, the text of patent 
>applications can also be filed in .PDF format (page 8, section 5.1.2) 
>"Acrobat V3 compatible" whatever that means. I would be happy to know 
>whether or not the .PDF data format is proprietary to ADOBE, Inc. or 
>a public standard managed by a proper standards body. Has it been 
>publicly disclosed at all? Or is the available knowledge on .PDF 
>based on some kind of reverse engineering?

I'd rather see something else; however, PDF is a de facto standard that 
is necessary to deal well with diagrams.  XML alone wouldn't cut it.
>
>7. All data constituting the PCT application are packaged into a 
>single container file using the ZIP format:
>
>  http://www.pkware.com/appnote.html
>
>Again, this looks rather proprietary. Is it really a good idea to 
>rely on ZIP instead of e.g. MIME? Is there software available under 
>the GNU GPL License for dealing with .ZIP formats?

Yes, there's the 'zip' and 'unzip' commands.  I don't know of 
corresponding MIME-based commands for most platforms, except for 
mailers.



                --Steve Bellovin
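
The construction named in the answer to question 3 (encrypt-decrypt-encrypt under three keys, chained in CBC mode), as an added example that is not part of the original message. The block cipher is a constructed toy Feistel cipher standing in for DES, so the output is not real DES-EDE3-CBC; all function names are hypothetical and padding is left out.

```python
import hashlib
BLOCK = 8  # 64-bit blocks, the DES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, i):
    # Constructed toy round function, NOT the DES f-function.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def toy_encrypt(key, block, rounds=8):
    # Toy Feistel cipher standing in for single DES encryption.
    left, right = block[:4], block[4:]
    for i in range(rounds):
        left, right = right, _xor(left, _f(right, key, i))
    return left + right

def toy_decrypt(key, block, rounds=8):
    left, right = block[:4], block[4:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _f(left, key, i)), left
    return left + right

def ede3_encrypt_block(k1, k2, k3, block):
    # EDE: encrypt under k1, decrypt under k2, encrypt under k3.
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))

def ede3_decrypt_block(k1, k2, k3, block):
    # Inverse, applied in reverse key order: decrypt, encrypt, decrypt.
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))

def ede3_cbc_encrypt(keys, iv, plaintext):
    if len(iv) != BLOCK or len(plaintext) % BLOCK:
        raise ValueError("IV must be one block; input must be whole blocks")
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        # CBC: XOR each plaintext block with the previous ciphertext block.
        prev = ede3_encrypt_block(*keys, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def ede3_cbc_decrypt(keys, iv, ciphertext):
    if len(iv) != BLOCK or len(ciphertext) % BLOCK:
        raise ValueError("IV must be one block; input must be whole blocks")
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(ede3_decrypt_block(*keys, block), prev)
        prev = block
    return out
```

With all three keys equal, the first two stages cancel and EDE reduces to a single encryption, which is why the middle stage is a decryption rather than a second encryption.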


