Ben Laurie wrote:
> lcs Mixmaster Remailer wrote:
> > This is powerful writing, but one can't escape the thought that making
> > his advanced technology available on a non-exclusionary basis would be
> > a significant first step in bringing about this desirable outcome.
>
> I wrote to Brands about free implementations last year. His answer was,
> in essence, "forget it".
Maybe now that ZKS has licensed the patents, they would be more amenable
to allowing a free implementation, perhaps with some restrictions.
There could be a BRANDSREF, analogous to the RSAREF library which has
been available for many years for non-commercial implementations of RSA.
Actually there would be good reason for a library such as this.
Unlike with RSA, which is pretty much a no-brainer to implement, Brands'
technology is filled with gotchas, traps and pitfalls.
His four certificate issuing protocols all suffer from the problem
that if the issuer runs them in parallel, the cert recipient can get
certified attributes he is not supposed to have. Brands provides two
"immunization" techniques to address this problem, both of which impose
costs and complexities of their own.
Then there is the "delegation" attack, where someone wants to show a
cert they don't have, and manages to do so by carrying on an interaction
with the cert issuer in parallel with their cert-showing protocol.
Brands shows that although this can happen, it is usually not a problem
and there are simple counter measures that address it.
The point is, you'd better know what you're doing if you want to implement
Brands' certificate technology. Obviously Stefan Brands himself does
understand the issues, probably better than anyone. Unless he was
personally involved with the creation and validation of a library to
implement his technology, it would be very questionable to trust it.
This would argue in favor of a reference implementation, approved by
Brands, which would make sure that things were done properly.
If this could be provided under some kind of open licensing, even if
just for non-commercial use, it would allow the community to begin
experimenting with Brands certificates in various small applications.
This would be similar to approaches like the KeyNote trust management
system where the code is provided and people can begin to work with it
and see where it is most useful. Brands certificates would be a natural
match to KeyNote, SPKI, and the other attribute based certification/trust
management systems people are experimenting with today.
This might well be a superior strategy to that which Chaum attempted with
DigiCash, which was to provide a monolithic software application which
attempted to be a fully functional, all-things-to-all-people payment
system. The startup costs are huge and the difficulty of breaking in
to the established payment infrastructure is formidable.
It would be better to start small, with a set of narrowly defined
applications and vertical markets, and hope to build from there into a
more widely used system. Free licensing could be an important component
of such a strategy.
ZKS no doubt paid a lot of money for Brands' patents, but they should
think of this as an investment which brought them Brands himself.
The man, with his intelligence and creativity, is worth far more than
the work. Given ZKS' background and philosophy, it would be absurd for
them to wrap themselves in the cloak of intellectual property protection
in order to stifle competition. Unless they want to join the ranks of
such beloved companies as DigiCash and RSADSI, they will find a way to
make this important technology widely available.
