SSH Claims Trademark Infringement by OpenSSH
from the pissing-into-the-wind dept.
==================================================
From: Tatu Ylonen
To: openssh-unix-dev@mindrot.org
Subject: SSH trademarks and the OpenSSH product name
Organization: SSH Communications Security, Finland
Sender: owner-openssh-unix-dev@mindrot.org
Friends,
Sorry to write this to a developer mailing list. I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list. I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
here.
As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995. I
have explicitly claimed them as trademarks at least from early 1996.
In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas). SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name. There are
several million users of products that we have licensed under the
SSH brand.
To protect the SSH trademark I (or SSH Communications Security Corp.,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending). We also have a registration
pending on the Secure Shell mark.
The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH® name
and mark. SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
Security Corp.
We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995. The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.
We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed. Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
others.
Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark. Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.
I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks. I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.
The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way). The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthening the life cycle of the fundamentally broken SSH1
protocols.
The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
damage.
I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
confusion.
Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols. I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard. Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us. It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.
Please also try to look at this from my viewpoint. I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threathening
to destroy everything I have built on it during the last several
years. I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.
Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.
Regards,
Tatu Ylonen
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
"
Update: 02/14 02:44 PM by CT : I just wanted to insert my 2 bits into this story. This is a problem close to my heart: I hate getting tech support for PHPSlash. I don't care that it exists, in fact, I'm happy that it does, it fills a need and a lot of people like it. But there is no doubt that this is confusing to people, I get the bug reports to prove it. (My other peeve examples are Linux Mandrake taking a certain Linux developer's name even though they knew better, and the K5 guys naming their project 'Scoop' even tho another major Web site was created by a guy with the same name). I have no problem with any of these projects: I think all 3 of them are great projects, but if they were just a little more original there would be no confusion. Now I'd personally never go so far as to call copyright infringement, I shouldn't have to. We're all nice people here. Maybe I'm just a bit idealistic on this one.
Public base/modulus *NOT* broken. (Score:3)
The kind of "probably prime" number generators that can operate in real time are pretty lousy, in my opinion, and I'd much rather trust a known good modulus and base pair.
-E
Take a look at these IETF documents... (Score:5)
SSH Transport Layer Protocol [ietf.org] (53476 bytes)
SSH Authentication Protocol [ietf.org] (26537 bytes)
SSH Protocol Architecture [ietf.org] (27345 bytes)
All of these documents are published on the IETF website. All of these documents cite Mr. Ylonen as an author. And all of these documents describe the SSH protocol. Not the "secsh" protocol - they consistantly refer to the discussed protocol as "SSH."
It's clear that "SSH" is the common name for the protocol that OpenSSH uses. Furthermore, by putting his name on a standards document that doesn't refer to the protocol by another name, surely he's endorsing this common use of "SSH"? And surely by publishing an open standard that in itself makes no claim to the name (I don't see the documents referring to the "SSH (R)" protocol), he should be relinquishing all exclusive rights to the name as a means of describing the protocol?
I don't see how OpenSSH could be construed to be deceptive in any way. It's derived from the original SSH in accordance with it's license, and interoperates with other computers using the SSH protocol. To turn around now and claim it's trademark violation which deceives the consumer, is analogous to Microsoft saying that "Word Viewer" is a trademark violation. Actually, it's closer to the Regents of the University of California accusing FreeBSD of trademark violation.
At best, it doesn't make sense. At worse, it's a deliberate and deceitful attempt to stab the people that are using the protocol (whose name he gave his blessing!) in the back.
So what _is_ it supposed to be called, then? (Score:5)
Well then, Mr. Secure Shell, what should we call it? Trademark law essentially prohibits trademarking nouns (and, in fact, you can lose the trademark if it's commonly used as a noun). Thus you have Tylenol-brand pain reliever, Rollerblade-brand inline skates, and so on. If there's no common noun to describe your product other than its trade name, then you don't get to keep the trademark. A quick search will turn up [ladas.com] lots of tidbits like this:
In the letter, he repeatedly uses both SSH and Secure Shell as nouns. He called it a "secure remote login product" a couple of times, but that's inadequately descriptive. "Tylenol-brand pain reliever" is OK; "Aspirin-brand pills" is not.It seems to me this guy wants to erase, or at least obscure, the excellent free replacement that's made his product irrelevant.
Going forward, and in the interests of bringing closure to this pressing issue, I'd suggest Mr. Ylonen piss up a Rope(TM)-brand rope.
cheers,
mike
I second the motion of FRESH (Score:4)
I'd also like to comment about the other postings in this thread. There seems to be about 90% of the 2+ posters talking about how he didn't defend his trademark initially, so screw him. OpenSSH should stay. May I ask these posters what the reaction would've been had he done so initially? Exactly. Same negative reaction.
There are also a few who have noted that this isn't a letter from lawyers. It is written by a person who understands and even has contributed to the very open source community he is appealing to. I suggest that these facts are taken into consideration.
My observations are these:
1) This guy isn't a lawyer.
2) This guy helped create openSSH.
3) This guy didn't care about the use of the name OpenSSH until his customers started getting confused.
4) Free projects change their name fairly regularly without losing a users.
5) He wrote a reasonable and non-lawyer request to a group asking not for them to cease and desist design and implementation of their program, but for a name change.
It seems like a reasonable thing to do to change the name.
OpenSSH does not infringe! (Score:5)
There's a live claim on an SSH logo [uspto.gov]. This one is valid. It prevents others from using the logo. It doesn't prevent others from using the word "SSH".
There are a few other SSHs of no significance to this issue. His claim that OpenSSH infringes on his trademark is BS.
Re:A SSH by any other name... (Score:4)
"I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark."
As you can see here he's loosing business to a group who have implemented the ssh2 protocol, with a much better nicer and less restrictive license than theirs.
As others have said, if you don't protect your trademark then you loose the ability to enforce it. He's published the protocol under the name of ssh. Now that word just also happens to be the word that they patented. My question is if the word is now used to label something that is implemented in public domain and is avaiable from a standards comittee such as IETF, how the hell can you still use it in a trademark?
"we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard."
It seems to me that his company has allowed the use of the name and if I'm not mistaken, the OpenSSH group got their name from the protocol and not from the originating company. It was not explicitly stated that the name of the protocol couldn't be used in the name itself. If this is the case, then they should be allowed to keep their name as it stands.
Is the IETF to blame? (Score:5)
As far as I know the IETF doesn't like people publishing RFCs for technology that is patented, but they don't seem to have a similar policy for RFCs for protocalls that have a trademark infringing name, and no useful open use of the mark. Or do they and it was violated with SSH?
SMTP is the protocall, sendmail is the program and trademark. DNS is the protocall, bind is the program, and if there is a service mark it is bind, not DNS.
Why should SSH1/SSH2 be accepted as an open standard if nothing can be named that (or the very similar OpenSSH)?
I do think there are acceptable uses of a trademark on protocall names. If the trademark were used to make sure nothing was called "RADIUS" unless it implmented all the MUST parts of the RFC, none of the MUST NOT, and provided a argment on why SHOULD/SHOULD NOT wasn't followed, then I'm all for it. In that case the mark is actually protecting the word. For SSH the mark is being used after the fact to un-level the playing field.
Re:Hmmm... (Score:4)
2) The OpenSSH team doesn't need your approval; you in effect gave them your approval when you licensed it as you did (see 1).
It's pretty clear from the whole text that this is not his gripe. He doesn't care that they are hacking the systema and he knows he gave them that right with the license. What he cares about is that it "is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product". The paragraph you quited talks about how the cofusion is worse. This all related to the same thing. They are using the SSH trademark, and there are actualy damages in the confusion because customers continue to use the older code thinking it's an equivelent product.
In short, I doubt he would mind them continuing to use the old code base, as long as they change their name.
Right! (Score:5)
The protocol is called SSH. Now it's obvious that people will want to name their applications after the protocols they implement. So: either Tatu should have named his app and his protocol differently, and trademarked the app name only; or he shouldn't have trademarked the name. If he'd trademarked the app name only, OpenSSH would have named itself after the protocol and there'd have been no problem.
Releasing a supposedly "open" protocol and then trademarking the name is an evil business practice, because it means that only Tatu is allowed to name his implementation in the obvious way. It's the trademark analogy of the GIF trick: releasing a supposedly "open" file format and then patenting the only known algorithm that can generate it.
In fact, this is exactly equivalent to the GIF trick, because he's waited until the OpenSSH name is well established before acting. If he'd had a polite word right when OpenSSH was starting out, they'd probably have released it under a different name initially and nobody would have a problem now. But by waiting until they're established and then complaining, he's trying to force the change of a name people are used to - which will do harm to OpenSSH.
If Tatu were genuinely concerned about brand recognition, he would have (a) arranged that the protocol name could be used without restriction, instead of deliberately making it the same as his brand name; and (b) he would have notified OpenSSH at a more appropriate time. Given that he's done neither of these, it seems to me that he's using this trademark as a weapon, not a legitimate form of protection.
(Disclaimer: this is a moral position, not a legal one. The law will probably not recognise arguments like this. If so, the law needs fixing.)
From ssh 1.2.12 COPYING (Score:5)
I find this interesting. By specifically saying when the terms "ssh" and "Secure Shell" can _not_ be used, it is in effect saying that use of these terms in a derivitive work is acceptable (in fact, what better way to show that OpenSSH is derived from SSH that including SSH in the name?).
Moreover, this version was released in November 1995, before either term was registered and before December 1995, when SSH Communicatins Corp. was founded.
I can see him politely asking OpenSSH to change the name, but I can't see that they would be required to do so.
Re:Right! (Score:5)
Does Ebay have the word 'auctions' in its name? Does Yahoo use the word 'directory'? You can name your product something off the wall, and people will pick up on it.
Name your stuff creativly. It doesn't hurt and you won't be crowding in on somebody else's brand image. (Its called creating your own hype folks.)
Re:Well, they (SSH) are pretty much screwed... (Score:3)
He must actively defend his trademark and he must send out notices and take legal action "quickly," but the definition of "quickly" can depend heavily on the circumstances. If someone started a national advertising campaign for openssh, he would need to react within a few months or weeks in order to not lose his copyright due to inaction. However, for a case where an infringement is lesser known and less publicly known, I'm sure judges generally allow for a longer period of time before action must be taken. If Tatu sent out notices to the main openssh developers shortly after he learned of openssh, then I think it is very safe to assume that he would win any copyright battle in court.
Jason
Re:Some Corrections (Score:3)
Bullshit. So me and a bunch of hardware hackers build a new machine, calling it an "OpenApple". We sell them out of our garage for close to a year, until finally they become so popular that most of the computer industry picks up on it, including Apple itself. Apple now files a complaint.
How could the original SSH guys possibly know how big a breadth OpenSSH would get in a year? It's just a bunch of hackers, after all. Not a definable company.
Re:Take a look at these IETF documents... (Score:3)
"SSH is a registered trademark...These trademarks may not be used as part of a product name or in otherwise confusing manner".
It's always bad news when the name of a product derives from its canonical implementation. It's not a BFD though - Samba is none the worse for a forced name change. At least with trademark infringment, nobody stops you hacking the code. If the name matters so much to them, I say let them have it.
Re:Slanting the Coverage (Score:3)
I guess you missed this part:
Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.
Re:Well, they (SSH) are pretty much screwed... (Score:3)
Uh, yeah, that's why he complained about the security problem in older forms of both products and how OpenSSH is prolonging their lives.
I'm sorry; I read his letter; he's not asking OpenSSH to stop development, quite the contrary; he's just asking that they change the name enough that his company isn't put to expense and ... what should I call it, faceloss? ... damage to reputation ... getting inquiries or support calls or misleading journalism because of the consequent confusion. He even asks very nicely. I have no grand philosophical problem with his request; if I had any standing with the OpenSSH project I'd say "let's change the name".
Re:Name suggestions: (Score:3)
--
Re:No, he doesn't have to do so (Score:5)
No, "R" means "registered." After a trademark has been in use for two or more years (with the "TM" mark), it can be registered with the patent and trademark office; until it's officially approved it's "trademark pending"--which indicates the process is underway.
Simply using another name isn't going to kill anyone. "FreSH is a free, open source implementation of the SSH2 protocol." Bam. (The hardest part for most people would be learning to type "fresh" after their fingers are trained to type "ssh"... although on second thought, you know everyone's going to just make a symbolic link to "fresh"--or whatever it's called--from "ssh" anyway.)
People in the open source movement are very good at standing on principle, or at least shouting on it, but there are times I think they should be a bit more willing to accept "be courteous" as a valid principle, too. "Technically we can do this, so screw you, corporate whore" may give you a warm fuzzy feeling, but it's an attitude which quashes useful communication.
An incongruence on the argument (Score:5)
But let's forget this point and restrict to the money one. SSH Corp., (TM) as we see, is loosing money. So, we may understand they wish to avoid confusions with those who are, _potentially_, hitting their pockets. So it may be understandable that SSH wants to restrict its name. But there is a problem here. Also, in economical terms, SSH didn't do a bunch to secure its own name during all these years. So now "SSH" AND "Secure Shell" are terms of use. Much like "telnet", "ftp", "http". The only to blame here is Mr. Ylonen himself. Well we may give out SSH back to the owner if he wishes to. However the term "Secure Shell", a composition of two common words and being a technical derivate of "Remote Shell" conceptions is harder to give out. Meanwhile it is an established technical concept. Restricting such term for private use is a serious demonstration of being very unfriendly to a huge community of users and developers.
Mr. Ylonen is not only securing a trademark but also creating hassles in hows and whens of the use of a technical concept. By trademarking this concept he is forcing people to create other namings and conventions. This will break a continuity of the use of these namings and conventions on technical docs, manuals and products. Whishes he this or not, he is doing more damage then use. Frankly, this may be the real killer of the SSH mark as people may choose other namings and conventions to avoid such selfish consideration of his own value.
I think that covers more than the logo (Score:4)
However, it looks as if the one relevant live trademark, held by "SSH Communications Security", is I think meant to cover the name as well as the logo: thus the opening line "Word Mark: SSH" and the "Mark Drawing Code: (5) WORDS, LETTERS, AND/OR NUMBERS IN STYLIZED FORM".
--
What they can gain: (Score:3)
A SSH by any other name... (Score:3)
That said, if the developers are willing I wouldn't have any great problem with a name change. Perhaps "ossh"? *shrug*
He *has* to do so (Score:4)
Don't blame him, he has no real choice in this matter. Trademarks have to be protected, no matter how little you care, or else they will become invalid and anyone can use them. If he doesn't go after OpenSSH, tomorrow it'll be Microsoft using the name.
Blame instead the entire trademark system which has perpetuated this kind of attitude. It's gone from a system meant to protect rights to one that encourages, even demands, companies to trample all over their rivals.
Well, they (SSH) are pretty much screwed... (Score:4)
Trademarks must be defended against infringments or you risk losing them. Further, they must be defended as quickly as possible against infringement. You're not allowed to let someone use it for a couple of years then suddenly decide to go after them when they become successful.
By looking at the whois record for openssh.com, it's obvious that Openssh has been using the name Openssh publicly since at least October of 1999. That's well over a year. I would hardly call this a timely filing.
Re:Hmmm... Problem with that (Score:5)
The problem is not that openSSH resembles the original SSH, it has to in order to do what it does. But when it looks like SSH, acts like SSH, and the name is similar besides, it definitely can cause confusion.
IIRC, debian installs openSSH (since it falls under it's definition of "free"), but the package itself is called ssh. A user may think they are getting the true "ssh," when they are actually getting openSSH. This is a definite example of trademark confusion.
What wouldn't be bad is if someone released a first person shooter like quake, calling it openSSH. No confusion could arise, the fps "openSSH" and the secure shell "SSH" would be completely different products.
Doug
OpenSSH replacements offer... (Score:4)
OpenSHL... Hey, what's a single letter between friends?
Open S S H... Oh, Come on, quit whining. You registered "SSH" and NOT "S S H", so there!
OpenWhat?... How do you pronounce "SSH" anyway?
Open-You-Know-What... Just add a ".org" and, presto! We are back in business...
WeAreSecureAndWeAreCanadian... Yep, it's getting longer and longer.
OpenSourceSecureShell... There, feeling better already? Shush, it's all going to go away.
Ho and by the way, I want to get sued too!! I am going to register:
openssh.co.uk
openssh.org.uk
openssh.fr
openssh.asso.fr
openssh.ch
openssh.it
(...etc...)
Anybody cares to bankroll me ?? =)
Bonus question: How on earth can you copyright a three letters acronym? I'll try copyrighting "IBM".
At least, it's going to make the fight more interesting and potentially more lucrative. Hmmmm. US$50,000,000 out-of-court settlement. Please note that this is just the "Acronym", not the logo, which is copyrighted by our big, blue friends in Armonk.
And remember people: OpenBSD needs your help! Order your 2.8 CD today and makes the world a better place for security and a worse place for script kiddies and copyright hoarders...
Hmmm... (Score:5)
I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.
OK, I can go along with this. He has the trademark, the two applications are very similar, I can see where he's coming from.
The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols.
Now this is a completely different kettle of fish.
1) If you didn't want people to hack on the code, why did you initially release it under a license that allowed that? It can't be retroactively retracted, y'know...
2) The OpenSSH team doesn't need your approval; you in effect gave them your approval when you licensed it as you did (see 1).
3) Yes, SSH1 has security problems. WHo developed it? You did. Also, IIRC, OpenSSH was just about the only implementation that wasn't vulnerable to several of the vulnerabilities that have been found so far.
4) OpenSSH supports SSH2 anyway, so I don't see how its existence is encouraging the use of SSH1. More than likely, people who had been put off by your version of SSH2's restrictive licensing terms moved to SSH2 only when OpenSSH provided it.
All in all, it seems a mix of a legitimate claim with some very clumsy revisionism and FUD.
Re:OpenSSH does not infringe! (Score:4)
But all but one of those are completely unrelated -- some temperature control thingie, mail catalog, and an electronic organ, I think. None of those are likely to ever be confused with the ssh that we're talking about, so the trademarks don't really conflict.
IMHO, Tatu Ylonen's wishes in this matter should be respected. The only serious weaknesses in his trademark are
- His product and the open protocol have the same name
- The "submarine" action: apparently (I don't know this
for 100% certain) he didn't start trying to do something about the
infringement until after OpenSSH became well established.
If it weren't for these two issues, his claim would be quite solid.But even with these holes in his argument, he's still pretty compelling, for two reasons:
- It looks to me like he has acted in Good Faith (something you don't
see in all these kinds of cases). Even the submarine action is pretty
easily explainable: perhaps he didn't think the similarity between the
names was going to be a problem. But then his customers started getting
confused. And it's not like he's trying to inhibit interoperability -- he
just wants a name changed. And furthermore: he's polite and not arrogant. And instead of
hiring a lawyer to write his letter and use terms like "demand you cease
and desist", he has explained his arguments himself, and uses terms like
"I am asking you to please choose another name."
- Changing the name of a free software project just isn't a big deal. It's
not like OpenSSH is a commercial interest where a lot of marketing dollars
and effort has been invested in shoving the word "OpenSSH" into the
public's mind. Changing OpenSSH's name to something else, has
negligable cost. Accomodating this guy's wishes will not be hardship,
or mess up anyone's project or significantly restrict what they can do.
And for those reasons, I think the guy deserves some slack and consideration. Adios, OpenSSH.One other thought: the name of the protocol should be changed too. Yes, it's his fault that the names conflict. So what? Let's just fix the problem.
---
My objections to the suit (Score:3)
First off, getting SSH as the name of an IETF protocol, and then trademarking it. This is the act that really stinks. Its as bad as Apple's Firewire stunt, getting an IEEE protocol set up and trademarking the name associated with it. This reeks of trademark trapping, or trying to grant oneself a monopoly with regards to an IETF protocol, or at least an unfair advantage. Only his software can use the name of the protocol in the name of the software using the protocol. It would be like trademarking HTTP.
Second off, I am somewhat suspicious at the time lag involved between the founding of OpenSSH and the present. If you're going to do the trademark enforcement thing, do it at the very beginning and go with the lawyers and accept the PR meltdown that is going to result because you did a sleazy thing like trademark an IETF protocol in the first place.
In short, this is someone who is trying to have it both ways. Playing the IETF and open standards game while still having the trademark and the exclusive right to make software with the name of that protocol in it. He tried to engineer himself an unfair marketing advantage and some reasonable uses of the SSH protocol name are causing him business confusion. You will notice there is no talk of his changing his software name and setting up a new trademark. And while you can talk about his investment in the mindshare of the SSH name, he did it in a fashion that puts other people trying to use the SSH protocol at an unfair disadvantage.
Now, perhaps I am being unfair here, perhaps he did not intend to do things that way, at least not consciously. But the end result is the same. He took an open protocol name and trademarked it so that no one else could use the protocol name in software that implements the software protocol but him, giving him an unfair advantage. Now that people are trying to erode that unfair advantage, he is crying foul, and after other people have invested work in the OpenSSH brand name as well.
Oh yes, and tradmarking "Secure Shell" strikes me about on the level of trying to trademark "Windows". You might be able to do it but its a really sleazy thing to try. Whatever sympathy I have for him was completely destroyed when that fact came to surface. This is a person using trademarks in an abusive fashion and I'd like to see that reap the rewards it deserves.
Name suggestions: (Score:5)
Re:He *has* to do so (Score:4)
That said I suggest that we at least *try* to find a way to solve this manner; unfortunately most postings here range from 'get lost, creep' to downright hostile, but I haven't seen many that are constructive.
So, how about 'Secure Telnet' or 'Secure Login' (as it is not exactly a shell but rather an encrypted connection to a shell)? Ah, yes, something with 'Open' in it (doesn't that contradict the 'secure' term? A secured system cannot exactly be described as 'open', right?). So, how about OSTAKAS (Open Secure Telnet Also Known As SSH). Uh, no, the acronym must be recursive, like ONS (O's Not SSH).
Now go use your imagination, this one time not for coding...
Re:OpenSSH replacements offer... (Score:4)
Bonus question: How on earth can you copyright a three letters acronym? I'll try copyrighting "IBM".
He didn't copyright SSH, he trademarked it. You can indeed do this, and IBM is indeed a registered trademark.
Actually, when you look at this case, it's a pretty clear example of why trademarks were created in the first place: to avoid customer confusion about branding. I'd say this guy is well within his rights.
The original SSH license (Score:5)
This is the license that OpenSSH is based on:
Sure looks like 'permission' to me.
Another reason for this (Score:5)
"OpenSSH is doing a disservice to the whole inernet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols."
Also - Isn't the actual protocol, as recognized by the IETF, named "SSH" - if so, how can you trademark that?
Some Corrections (Score:5)
2) If someone managed to get the recipe for Coca-Cola, they could use it to make another product and market it. The only reason they don't is it's a SECRET, and nobody knows what it is. What they can't do is call it 'coke' or 'coca cola' because that's coke's registered trademark. If they called it 'OpenCocaCola' and it was rather popular and it was 2 years before Coke sued them... coke would probably lose it's trademark.
This has nothing to do with patent.
Hmm. (Score:3)
Does not the original license on the ssh code allow for use 'for any purpose?'
IT also states that if the software functions differently from the protocol specified in the rfc's (called ssh1 and ssh2), it should not be called ssh.
That's like saying that as long as it behaves according to the protocols, it can be called ssh.
The protocols are commonly know to the entire internet community as 'ssh'... good luck enforcing that trademark.
Name suggestion: FRESH (Score:5)
I suggest FRESH: Free Remote Encrypted SHell.
I make this name available without restriction.
<Off-topic>
Of course, I feel that RMS ought to use the term "liberated software" to avoid the whole "free beer/free speech" issue, but that's another story....
</Off-topic>
Re:Let try and decide (Score:4)
We should be good neighbors here. (Score:3)
Most of the "infringment" stories that Slashdot has seen are of the inflammatory nature. Many of them are projects that have nothing to do with one another, but here we have a different case.
The OpenSSH group is being asked by the project from whom their original code derived, and which group came up with the protocol they're implementing, to change their name. This isn't some monster corporation looking to quash competition. This is a small company which is receiving legitimate confusion about their product due to the success of a free implementation.
And when they ask the free implementation to change their name - the open source community scoffs. IMO, the open source community isn't being a very good neighbor.
Really, what's lost with a name change? Do the executables need to be renamed, thus causing confusion for the user? NO A while ago, when Sun first came out with what is now known as NIS, it was called Yellow Pages (yp). I believe it was British Telecom who held the trademark for the "Yellow Pages" name, and Sun was forced to change the name of their product. Did it cause confusion for the user? Maybe some initially, while people got acclimated to the new name in documentation, etc -- but the utilities, today, over 10 years later, still bear their original names of yp*. An earlier post mentioned other free projects creating symbolic links to the more widely known executable names, such as vim and elvis..
But even further, why must a project's name match the name of their executable? Apache installs httpd, not apached. (Ignoring windows, here). Samba installs [ns]mbd, not sambad. OpenSSH itself, as it is NOW doesn't install "opensshd".
All in all, I think the Open Source community needs to be a good neighbor here. This is more than a case of name usage, this is a case of a coder developing one of the most widely used pieces of software on the 'net. For better or worse, he chose to take it and make money with it, changing his license in the process. Should this negate the fact that the earlier code was out there? That he put the effort in to coming up with the protocol as well? I certainly don't think so.
Really, it doesn't take much effort to change the name of newly released products, and I don't think they're asking to change the millions of installed copies. All that would really be required is a new chosen name, and the registration of an appropriate domain.
Who knows, by being good neighbors, SSH Communications might even foot the bill for it.
If not, email me. I will.
-Jeff
Re:SSH1 vs SSH2 (Score:3)
Put simply, Tatu considers ssh1 broken because he released it under a non-restrictive license and wishes he could take it back. While it is true that ssh2 encrypts more of the communications channel than ssh1, the attacks on ssh1 are of a difficulty roughly on par with stealing a TCP connection from a modern OS: the attack is possible, but extremely impractical.
I do consider ssh2 to be broken crypto. The protocol specifies the base and modulus for its public-key-exchange algorithm. This means that anybody can sit down and "study" that base and modulus for weaknesses and attack spots. Heck, the NSA -- or Tatu -- could have pre-computed the information necessary to break the encryption on an ssh2 stream.
The above is a quick sketch of the arguments for why ssh1 and ssh2 are broken, together with some highly cynical suggestions for why they might be built that way. Go do some real research before you pick crypto to trust with anything you care about.
Slanting the Coverage (Score:4)
- actually reading the letter doesn't give the impression that the author is "demanding" the name change. He states he is "asking" twice. Yet the comments from slashdot readers are talking about "litigation," "demands," etc.
- The discussion of this letter on Linux Today, where there is no editorial introduction, just the text of the letter, is far more reasoned and moderate.
- Gee, he contacted the developers and they did not address the issue. Did he immediately sue? Nope. Is this a cease and desist order? Nope. Is this a demand . . . I hardly think so and I doubt that it deserves the characterizations it is receiving in some of these posts.
I think this points out what journalists know and some have yet to learn: the description of the content is as - or even more significant - than the content itself.
You are right.. (Score:3)
If you don't enforce your mark, you lose it. If you allow it to come into common use by others, and don't defend it at all, then you can't come back later when you think it's a threat and try to enforce it. It's not like Patents, that can be selectively enforced.
If he admits he originally left them alone, *even though they were in violation of his mark*, then he can't come back later and enforce it, period. It won't hold up in court.