Received: March 6, 2002 From: David Jablon via David Black To: Internet Engineering Task Force Date: March 18, 2002 This is to advise the IETF that Phoenix Technologies Ltd. ("Phoenix") has U.S. Patent Number 6,226,383 that may relate to the IETF document RFC 2945 titled "The SRP Authentication and Key Exchange System". To the extent that this patent assigned to Phoenix is necessary for implementation of RFC 2945 or any related IETF standard, Phoenix will provide, upon written request, to implementers of the relevant standard, a non-exclusive license under reasonable and non-discriminatory terms. Phoenix has licensed this technology to companies, and accepts inquiries regarding licensing or evaluating the SPEKE technology. For these inquiries, please contact our security products department at: Katherine_Stolz@phoenix.com Vice President, Security Products Phoenix Technologies Any questions or issues regarding this communication should be directed to the Phoenix Technologies Legal Department. Scott_Taylor@phoenix.com Associate General Counsel Phoenix Technologies Ltd 411 E. Plumeria Drive San Jose, CA 95134 ======================================================= Received February 12, 2002 From: David Jablon via David Black To: IETF IP Storage Working Group Subject: Phoenix Patents and RFC 2945 February 6, 2002 Dear working group members, Regarding the inquiry by working group co-chair David Black into the nature of U.S. patent 6,226,383 and its relation to SRP and RFC 2945, this letter presents a status update on Phoenix's plans to provide an appropriate response for the working group. This letter also presents a general summary of our licensing practices and products in the field of password-based cryptography, which I hope will assist you in the planning process. Phoenix owns patent 6,226,383 which describes the SPEKE methods for zero-knowledge password authentication. An investigation into exactly how this patent relates to RFC 2945 is now underway within the company. While providing guarantees and assurances for use of technology developed by other organizations has not been a traditional priority for Phoenix, there is now recognition of the need for this working group and others to have clarity in this matter, and a position statement will be provided very soon. Phoenix Technologies, in part through the acquisition of Integrity Sciences, has developed the SPEKE family of zero-knowledge password methods, providing both licenses and implementations. These protocols have been cited and studied in numerous research papers over the past several years. In particular, the BSPEKE protocol can provide a plug-and-play upgrade for SRP. An Internet Draft discussing these issues is also being prepared. These methods are comparable to the best of any similar methods, and they are easily shown to be unencumbered by the other patents in this field. It would seem a shame for a new standards effort to avoid zero-knowledge password techniques as a purely cost-savings measure, given the choices available. The need for convenient, strong, and inexpensive security built-in to the infrastructure of Internet applications is as great today as ever. The SPEKE techniques represent a generational improvement in personal authentication, providing strong security with minimal effort. These methods provide the best choices in this field, with the cleanest implementations, optimal security, best alignment with standards, and easiest license agreements for commercial deployment of zero-knowledge password techniques. A statement regarding licensing of the SPEKE patent in the context of the IEEE 1363 standard is on file with the IEEE, and Phoenix is also committed to providing an updated statement in this same time frame that conforms to both IEEE and IETF policies assuring reasonable and non-discriminatory terms. But more importantly, as a leading provider to the PC industry, Phoenix will stand behind its technology. Phoenix has a 20-year history of broadly licensing products to this industry, and has helped to pioneer many widely used standards and technologies that are built-in to the systems that we all take for granted. Our history of cooperation with many of the leading companies in the industry makes Phoenix naturally suited to gently encouraging the adoption of this new class of strong and convenient security techniques. Sincerely, David Jablon CTO, Phoenix Technologies 508.898.9024 direct david_jablon@phoenix.com Phoenix Technologies Ltd. 320 Norwood Park South Norwood, MA 02062 781.551.5000 main www.phoenix.com