Slashdot Log In
SSH Claims Trademark Infringement by OpenSSH
from the pissing-into-the-wind dept.
==================================================
From: Tatu Ylonen
To: openssh-unix-dev@mindrot.org
Subject: SSH trademarks and the OpenSSH product name
Organization: SSH Communications Security, Finland
Sender: owner-openssh-unix-dev@mindrot.org
Friends,
Sorry to write this to a developer mailing list. I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list. I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
here.
As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995. I
have explicitly claimed them as trademarks at least from early 1996.
In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas). SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name. There are
several million users of products that we have licensed under the
SSH brand.
To protect the SSH trademark I (or SSH Communications Security Corp.,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending). We also have a registration
pending on the Secure Shell mark.
The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH® name
and mark. SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
Security Corp.
We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995. The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.
We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed. Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
others.
Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark. Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.
I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks. I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.
The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way). The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthening the life cycle of the fundamentally broken SSH1
protocols.
The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
damage.
I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
confusion.
Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols. I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard. Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us. It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.
Please also try to look at this from my viewpoint. I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threathening
to destroy everything I have built on it during the last several
years. I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.
Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.
Regards,
Tatu Ylonen
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
"
Update: 02/14 02:44 PM by CT : I just wanted to insert my 2 bits into this story. This is a problem close to my heart: I hate getting tech support for PHPSlash. I don't care that it exists, in fact, I'm happy that it does, it fills a need and a lot of people like it. But there is no doubt that this is confusing to people, I get the bug reports to prove it. (My other peeve examples are Linux Mandrake taking a certain Linux developer's name even though they knew better, and the K5 guys naming their project 'Scoop' even tho another major Web site was created by a guy with the same name). I have no problem with any of these projects: I think all 3 of them are great projects, but if they were just a little more original there would be no confusion. Now I'd personally never go so far as to call copyright infringement, I shouldn't have to. We're all nice people here. Maybe I'm just a bit idealistic on this one.
Public base/modulus *NOT* broken. (Score:3)
The kind of "probably prime" number generators that can operate in real time are pretty lousy, in my opinion, and I'd much rather trust a known good modulus and base pair.
-E
Take a look at these IETF documents... (Score:5)
SSH Transport Layer Protocol [ietf.org] (53476 bytes)
SSH Authentication Protocol [ietf.org] (26537 bytes)
SSH Protocol Architecture [ietf.org] (27345 bytes)
All of these documents are published on the IETF website. All of these documents cite Mr. Ylonen as an author. And all of these documents describe the SSH protocol. Not the "secsh" protocol - they consistantly refer to the discussed protocol as "SSH."
It's clear that "SSH" is the common name for the protocol that OpenSSH uses. Furthermore, by putting his name on a standards document that doesn't refer to the protocol by another name, surely he's endorsing this common use of "SSH"? And surely by publishing an open standard that in itself makes no claim to the name (I don't see the documents referring to the "SSH (R)" protocol), he should be relinquishing all exclusive rights to the name as a means of describing the protocol?
I don't see how OpenSSH could be construed to be deceptive in any way. It's derived from the original SSH in accordance with it's license, and interoperates with other computers using the SSH protocol. To turn around now and claim it's trademark violation which deceives the consumer, is analogous to Microsoft saying that "Word Viewer" is a trademark violation. Actually, it's closer to the Regents of the University of California accusing FreeBSD of trademark violation.
At best, it doesn't make sense. At worse, it's a deliberate and deceitful attempt to stab the people that are using the protocol (whose name he gave his blessing!) in the back.
So what _is_ it supposed to be called, then? (Score:5)
Well then, Mr. Secure Shell, what should we call it? Trademark law essentially prohibits trademarking nouns (and, in fact, you can lose the trademark if it's commonly used as a noun). Thus you have Tylenol-brand pain reliever, Rollerblade-brand inline skates, and so on. If there's no common noun to describe your product other than its trade name, then you don't get to keep the trademark. A quick search will turn up [ladas.com] lots of tidbits like this:
In the letter, he repeatedly uses both SSH and Secure Shell as nouns. He called it a "secure remote login product" a couple of times, but that's inadequately descriptive. "Tylenol-brand pain reliever" is OK; "Aspirin-brand pills" is not.It seems to me this guy wants to erase, or at least obscure, the excellent free replacement that's made his product irrelevant.
Going forward, and in the interests of bringing closure to this pressing issue, I'd suggest Mr. Ylonen piss up a Rope(TM)-brand rope.
cheers,
mike
I second the motion of FRESH (Score:4)
I'd also like to comment about the other postings in this thread. There seems to be about 90% of the 2+ posters talking about how he didn't defend his trademark initially, so screw him. OpenSSH should stay. May I ask these posters what the reaction would've been had he done so initially? Exactly. Same negative reaction.
There are also a few who have noted that this isn't a letter from lawyers. It is written by a person who understands and even has contributed to the very open source community he is appealing to. I suggest that these facts are taken into consideration.
My observations are these:
1) This guy isn't a lawyer.
2) This guy helped create openSSH.
3) This guy didn't care about the use of the name OpenSSH until his customers started getting confused.
4) Free projects change their name fairly regularly without losing a users.
5) He wrote a reasonable and non-lawyer request to a group asking not for them to cease and desist design and implementation of their program, but for a name change.
It seems like a reasonable thing to do to change the name.
OpenSSH does not infringe! (Score:5)
There's a live claim on an SSH logo [uspto.gov]. This one is valid. It prevents others from using the logo. It doesn't prevent others from using the word "SSH".
There are a few other SSHs of no significance to this issue. His claim that OpenSSH infringes on his trademark is BS.
Re:A SSH by any other name... (Score:4)
"I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark."
As you can see here he's loosing business to a group who have implemented the ssh2 protocol, with a much better nicer and less restrictive license than theirs.
As others have said, if you don't protect your trademark then you loose the ability to enforce it. He's published the protocol under the name of ssh. Now that word just also happens to be the word that they patented. My question is if the word is now used to label something that is implemented in public domain and is avaiable from a standards comittee such as IETF, how the hell can you still use it in a trademark?
"we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard."
It seems to me that his company has allowed the use of the name and if I'm not mistaken, the OpenSSH group got their name from the protocol and not from the originating company. It was not explicitly stated that the name of the protocol couldn't be used in the name itself. If this is the case, then they should be allowed to keep their name as it stands.
Is the IETF to blame? (Score:5)
As far as I know the IETF doesn't like people publishing RFCs for technology that is patented, but they don't seem to have a similar policy for RFCs for protocalls that have a trademark infringing name, and no useful open use of the mark. Or do they and it was violated with SSH?
SMTP is the protocall, sendmail is the program and trademark. DNS is the protocall, bind is the program, and if there is a service mark it is bind, not DNS.
Why should SSH1/SSH2 be accepted as an open standard if nothing can be named that (or the very similar OpenSSH)?
I do think there are acceptable uses of a trademark on protocall names. If the trademark were used to make sure nothing was called "RADIUS" unless it implmented all the MUST parts of the RFC, none of the MUST NOT, and provided a argment on why SHOULD/SHOULD NOT wasn't followed, then I'm all for it. In that case the mark is actually protecting the word. For SSH the mark is being used after the fact to un-level the playing field.
Re:Hmmm... (Score:4)
2) The OpenSSH team doesn't need your approval; you in effect gave them your approval when you licensed it as you did (see 1).
It's pretty clear from the whole text that this is not his gripe. He doesn't care that they are hacking the systema and he knows he gave them that right with the license. What he cares about is that it "is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product". The paragraph you quited talks about how the cofusion is worse. This all related to the same thing. They are using the SSH trademark, and there are actualy damages in the confusion because customers continue to use the older code thinking it's an equivelent product.
In short, I doubt he would mind them continuing to use the old code base, as long as they change their name.
Right! (Score:5)
The protocol is called SSH. Now it's obvious that people will want to name their applications after the protocols they implement. So: either Tatu should have named his app and his protocol differently, and trademarked the app name only; or he shouldn't have trademarked the name. If he'd trademarked the app name only, OpenSSH would have named itself after the protocol and there'd have been no problem.
Releasing a supposedly "open" protocol and then trademarking the name is an evil business practice, because it means that only Tatu is allowed to name his implementation in the obvious way. It's the trademark analogy of the GIF trick: releasing a supposedly "open" file format and then patenting the only known algorithm that can generate it.
In fact, this is exactly equivalent to the GIF trick, because he's waited until the OpenSSH name is well established before acting. If he'd had a polite word right when OpenSSH was starting out, they'd probably have released it under a different name initially and nobody would have a problem now. But by waiting until they're established and then complaining, he's trying to force the change of a name people are used to - which will do harm to OpenSSH.
If Tatu were genuinely concerned about brand recognition, he would have (a) arranged that the protocol name could be used without restriction, instead of deliberately making it the same as his brand name; and (b) he would have notified OpenSSH at a more appropriate time. Given that he's done neither of these, it seems to me that he's using this trademark as a weapon, not a legitimate form of protection.
(Disclaimer: this is a moral position, not a legal one. The law will probably not recognise arguments like this. If so, the law needs fixing.)
From ssh 1.2.12 COPYING (Score:5)
I find this interesting. By specifically saying when the terms "ssh" and "Secure Shell" can _not_ be used, it is in effect saying that use of these terms in a derivitive work is acceptable (in fact, what better way to show that OpenSSH is derived from SSH that including SSH in the name?).
Moreover, this version was released in November 1995, before either term was registered and before December 1995, when SSH Communicatins Corp. was founded.
I can see him politely asking OpenSSH to change the name, but I can't see that they would be required to do so.
Re:Right! (Score:5)
Does Ebay have the word 'auctions' in its name? Does Yahoo use the word 'directory'? You can name your product something off the wall, and people will pick up on it.
Name your stuff creativly. It doesn't hurt and you won't be crowding in on somebody else's brand image. (Its called creating your own hype folks.)
Re:Well, they (SSH) are pretty much screwed... (Score:3)
He must actively defend his trademark and he must send out notices and take legal action "quickly," but the definition of "quickly" can depend heavily on the circumstances. If someone started a national advertising campaign for openssh, he would need to react within a few months or weeks in order to not lose his copyright due to inaction. However, for a case where an infringement is lesser known and less publicly known, I'm sure judges generally allow for a longer period of time before action must be taken. If Tatu sent out notices to the main openssh developers shortly after he learned of openssh, then I think it is very safe to assume that he would win any copyright battle in court.
Jason
Re:Some Corrections (Score:3)
Bullshit. So me and a bunch of hardware hackers build a new machine, calling it an "OpenApple". We sell them out of our garage for close to a year, until finally they become so popular that most of the computer industry picks up on it, including Apple itself. Apple now files a complaint.
How could the original SSH guys possibly know how big a breadth OpenSSH would get in a year? It's just a bunch of hackers, after all. Not a definable company.
Re:Take a look at these IETF documents... (Score:3)
"SSH is a registered trademark...These trademarks may not be used as part of a product name or in otherwise confusing manner".
It's always bad news when the name of a product derives from its canonical implementation. It's not a BFD though - Samba is none the worse for a forced name change. At least with trademark infringment, nobody stops you hacking the code. If the name matters so much to them, I say let them have it.
Re:Slanting the Coverage (Score:3)
I guess you missed this part:
Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.
Re:Well, they (SSH) are pretty much screwed... (Score:3)
Uh, yeah, that's why he complained about the security problem in older forms of both products and how OpenSSH is prolonging their lives.
I'm sorry; I read his letter; he's not asking OpenSSH to stop development, quite the contrary; he's just asking that they change the name enough that his company isn't put to expense and ... what should I call it, faceloss? ... damage to reputation ... getting inquiries or support calls or misleading journalism because of the consequent confusion. He even asks very nicely. I have no grand philosophical problem with his request; if I had any standing with the OpenSSH project I'd say "let's change the name".
Re:Name suggestions: (Score:3)
--
Re:No, he doesn't have to do so (Score:5)
No, "R" means "registered." After a trademark has been in use for two or more years (with the "TM" mark), it can be registered with the patent and trademark office; until it's officially approved it's "trademark pending"--which indicates the process is underway.
Simply using another name isn't going to kill anyone. "FreSH is a free, open source implementation of the SSH2 protocol." Bam. (The hardest part for most people would be learning to type "fresh" after their fingers are trained to type "ssh"... although on second thought, you know everyone's going to just make a symbolic link to "fresh"--or whatever it's called--from "ssh" anyway.)
People in the open source movement are very good at standing on principle, or at least shouting on it, but there are times I think they should be a bit more willing to accept "be courteous" as a valid principle, too. "Technically we can do this, so screw you, corporate whore" may give you a warm fuzzy feeling, but it's an attitude which quashes useful communication.
An incongruence on the argument (Score:5)
But let's forget this point and restrict to the money one. SSH Corp., (TM) as we see, is loosing money. So, we may understand they wish to avoid confusions with those who are, _potentially_, hitting their pockets. So it may be understandable that SSH wants to restrict its name. But there is a problem here. Also, in economical terms, SSH didn't do a bunch to secure its own name during all these years. So now "SSH" AND "Secure Shell" are terms of use. Much like "telnet", "ftp", "http". The only to blame here is Mr. Ylonen himself. Well we may give out SSH back to the owner if he wishes to. However the term "Secure Shell", a composition of two common words and being a technical derivate of "Remote Shell" conceptions is harder to give out. Meanwhile it is an established technical concept. Restricting such term for private use is a serious demonstration of being very unfriendly to a huge community of users and developers.
Mr. Ylonen is not only securing a trademark but also creating hassles in hows and whens of the use of a technical concept. By trademarking this concept he is forcing people to create other namings and conventions. This will break a continuity of the use of these namings and conventions on technical docs, manuals and products. Whishes he this or not, he is doing more damage then use. Frankly, this may be the real killer of the SSH mark as people may choose other namings and conventions to avoid such selfish consideration of his own value.
I think that covers more than the logo (Score:4)
However, it looks as if the one relevant live trademark, held by "SSH Communications Security", is I think meant to cover the name as well as the logo: thus the opening line "Word Mark: SSH" and the "Mark Drawing Code: (5) WORDS, LETTERS, AND/OR NUMBERS IN STYLIZED FORM".
--
What they can gain: (Score:3)
A SSH by any other name... (Score:3)
That said, if the developers are willing I wouldn't have any great problem with a name change. Perhaps "ossh"? *shrug*
He *has* to do so (Score:4)
Don't blame him, he has no real choice in this matter. Trademarks have to be protected, no matter how little you care, or else they will become invalid and anyone can use them. If he doesn't go after OpenSSH, tomorrow it'll be Microsoft using the name.
Blame instead the entire trademark system which has perpetuated this kind of attitude. It's gone from a system meant to protect rights to one that encourages, even demands, companies to trample all over their rivals.
Well, they (SSH) are pretty much screwed... (Score:4)
Trademarks must be defended against infringments or you risk losing them. Further, they must be defended as quickly as possible against infringement. You're not allowed to let someone use it for a couple of years then suddenly decide to go after them when they become successful.
By looking at the whois record for openssh.com, it's obvious that Openssh has been using the name Openssh publicly since at least October of 1999. That's well over a year. I would hardly call this a timely filing.