Re: Last Call on draft-bradner-rfc3979bis-08.txt ("Intellectual Property Rights in IETF Technology")

Stephan Wenger <> Sat, 30 April 2016 02:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4BE2D12B00D for <>; Fri, 29 Apr 2016 19:23:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rHFvzQf8mkwf for <>; Fri, 29 Apr 2016 19:23:25 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::750]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8B0B1120047 for <>; Fri, 29 Apr 2016 19:23:25 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.477.8; Sat, 30 Apr 2016 02:23:01 +0000
Received: from ([]) by ([]) with mapi id 15.01.0477.015; Sat, 30 Apr 2016 02:23:01 +0000
From: Stephan Wenger <>
To: Pete Resnick <>
Subject: Re: Last Call on draft-bradner-rfc3979bis-08.txt ("Intellectual Property Rights in IETF Technology")
Thread-Topic: Last Call on draft-bradner-rfc3979bis-08.txt ("Intellectual Property Rights in IETF Technology")
Thread-Index: AQHRhDTbKR9yu1RueEWA9RrAiHSISp+FI5mAgBYyZID//5/2gIAGpMUA///18oA=
Date: Sat, 30 Apr 2016 02:23:01 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 09d7e489-ced4-46c4-560d-08d3709e5ace
x-microsoft-exchange-diagnostics: 1; BLUPR17MB0276; 5:DO1YhpObgcdmXL/xeq1zqNOtiLglrgTeTXDmA74tLJVh2j7KMOLiWtvrzUrzz5bdnKICAz8MFS2GZXc6glaS8zpwPOmphyoG+hTYH43yo1LdMQRTc0duaUBSUQ3kQLtd1tlLsVNka6/8tK9J/mFXTQ==; 24:Y6U84yu+PtVvIQTfu0aspv6erejg2BarxenryEVHmzgCTxM0sckyP2AZWExEyfSN7mVlUcJpv8gKHIbjlW6C96mp4L5XES7C2FSy84lfJvk=; 7:JHsW+8Crs+AgoRgdgDKzkSWQzlkqbTuqZYq0sK5G/x0ZRXtT0hP2uBhrxTqqCxEYpQLy4KOz3K1siZi3kIWnOyL4S41HdEoVz0l+eALnUgk34ez1mHA18/lJeaopuvOr+f4BT/+c9SarD8AUdYCcU/JiEZb0+AOYcxLgDPScLkHvu8yJMLHOx4lHrlsj8Q07
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR17MB0276;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(9101521072)(6040130)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041072)(6043046); SRVR:BLUPR17MB0276; BCL:0; PCL:0; RULEID:; SRVR:BLUPR17MB0276;
x-forefront-prvs: 0928072091
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(6009001)(51444003)(24454002)(5004730100002)(83716003)(2906002)(19580405001)(19580395003)(1220700001)(33656002)(1096002)(92566002)(6116002)(102836003)(3846002)(586003)(122556002)(76176999)(3660700001)(50986999)(86362001)(106116001)(11100500001)(230783001)(81166005)(54356999)(82746002)(99286002)(3280700002)(10400500002)(4326007)(5008740100001)(87936001)(36756003)(77096005)(2900100001)(2950100001)(5002640100001)(563304003)(93886004)(15975445007)(189998001)(66066001)(110136002)(104396002)(42262002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR17MB0276;; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2016 02:23:01.5143 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 865fc51c-5fae-4322-98ef-0121a85df0b6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR17MB0276
Archived-At: <>
Cc: IETF <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 30 Apr 2016 02:23:29 -0000

Hi Pete.
I concur that there was no WG.  Sorry for implying that there was one.  I should have written BOF consensus or something like that.
As for the substance, please see inline.

On 4/29/16, 12:58, "Pete Resnick" <> wrote:

>On 25 Apr 2016, at 16:31, Stephan Wenger wrote:
>> On 4/25/16, 13:15, "ietf on behalf of Jari Arkko" 
>> < on behalf of> wrote:
>>>> - Section 5.5(C): Two things:
>> [...]
>>>> OLD
>>>>      must ensure that such
>>>>      commitments are binding on any subsequent transferee of the
>>>>      relevant IPR.
>>>> NEW
>>>>      must ensure that such commitments are binding on a transferee 
>>>> of
>>>>      the relevant IPR, and that such transferee will use reasonable
>>>>      efforts to ensure that such commitments are binding on a
>>>>      subsequent transferee of the relevant IPR, and so on.
>>>> END
>>>> The object of the "subsequent" wasn't clear, so this just spells it 
>>>> out. Wordy, but more precise.
>>> Right
>> I’m not sure I agree that the object of “subsequent wasn’t clear 
>> from context.  However, I don’t mind to see that fixed if others 
>> feel so.  However, the fix as proposed sets a very low standard 
>> (reasonable efforts) for ensuring that subsequent transferees are 
>> bound. That a substantial change from the WG consensus, and IMO in the 
>> wrong direction.
>Let's be clear that there was no "WG consensus" on this, since there was 
>no WG. But let's assume that the consensus of the BoF was for something 
>I disagree that "use reasonable efforts to ensure" is such a low 
>standard, and the stronger language you propose concerns me:
>> What we want to achieve is that if A assigns a patent to B, B and all 
>> further transferees (B to C, C to D, etc. etc.) are similarly bound.  
>> We want to make sure if any of these entities doesn’t feel bound for 
>> whatever reason, the patent is held unenforcible by a well-informed 
>> court.  It’s clear that this is much more onerous to the 
>> rightholder, and may well lower the value of the IPR.
>> I would be fine if the NEW part would be reworded as follows:
>> NEW
>>       must ensure that such commitments are binding on a transferee of
>>       the relevant IPR, and also binding on any subsequent transferees
>> of the relevant IPR.
>> END
>This seems to require that if my IPR is transferred 20 times over 20 
>years, I am on the hook in perpetuity to absolutely make sure that the 
>next person down the line sticks to the agreement. I'm certainly willing 
>to make *reasonable* efforts to do so, and it will be up to a court to 
>determine if my efforts were reasonable, but I certainly don't want to 
>be forced to completely indemnify to 21st person down the line. "Use 
>reasonable efforts to ensure" seems reasonable. Otherwise, it's not 
>clear to me what I'm signing up to.

For the information of the broader community here: the subject of licensing commitments traveling with patents is currently a hot topic in several IPR working groups of a number of SDOs.  Pete’s employer has a fairly strong position on that matter, and so have I (and a bunch of other folks).  I wouldn’t call this a proxy discussion here--the IETF’s policy is too important for that--but I’m not surprised that it comes up prominently now.  However, I do believe that the IETF’s patent policy practice has two unique features, lack of RAND licensing requirement based on membership or participation and the common use of non-assert covenants, that make a clean solution here even more important than in, say, the ITU.

My view is that certainty for the implementer that licensing commitments made should trump freedom of business for patents.  I want that a licensing commitment travels with the patent, just as a license travels with the patent (the latter as a matter of law, almost everywhere in the world and under almost all circumstances short of bankruptcy).

If you are not willing to stand behind your commitment once made, and enforce it yourself if violated by some guy downstream, then don’t sell your patent.  Or, sell your patent but make sufficient allowances to deal with the consequences of a sale to a misbehaving entity downstream.

Example: Assume A makes a non-assert covenant, and further assume that an implementation infringes on the patent in question (meaning an implementer needs a license or a reliance on a non-assert covenant).  Me, relying on this covenant, implement the technology and never violate conditions in the covenant--for example, I never sue A and thereby violate a reciprocity condition of the covenant.  A later assigns to B, B assigns to troll C, C sues me over a patent violation.  B and C may well not have a disclosure obligation in the IETF.  The lawsuit would come out of the blue to me.  That’s just wrong and exactly what the policy tries to avoid.  If the non-assert would travel with the patent, of course I could still get sued, but such a lawsuit would most likely have a rather swift resolution in my favor.  

With your language, once C sues me, as the very minimum I would have to go through discovery of both assignments (there goes the first million of many).  I may or may not win the lawsuit based on an existing covenant or resulting implied license.  Once done, I can’t even go after A for damages unless I could show A forgot to put some “best effort” language in A's assignment paperwork.  That’s not equitable, because A did profit from the assignment of the patent.  

>>>> - Section 7, paragraph 6:

This is IMO a much less critical point then the one above, and in fact I was mainly asking a question (of an IETF security consensus as of 2005) rather than pushing a point.  Still, as you are arguing substance rather than provide historic context, please see below for my own arguments.

>>>> The only change in this paragraph from 3979 was to add the word 
>>>> "all" in the second-to-last sentence. My lawyer friends tell me that 
>>>> this little change is opening a can of worms, having to do with 
>>>> licensing to makers of parts instead of implementers of the whole 
>>>> specification. I don't think we meant to change the meaning from the 
>>>> 3979 meaning, and I certainly don't think that we meant to change 
>>>> some implication about whether folks in general needed to license to 
>>>> people that make parts where they wouldn't have before. Was there 
>>>> something unclear about that sentence that needed the word "all" 
>>>> added to it? We aren't making a substantive change, are we? Can we 
>>>> just strike it? It seemed pretty clear to me before.
>>> Agree
>> I’m not sure here.
>> For context, the paragraph is in section 7 of RFC3979bis (which used 
>> to be the second paragraph of section 8 of RFC3979).  The sentence in 
>> question describes an purported IETF consensus established in 
>> pre-RFC3979 times, as follows (the critical and new “ALL” is 
>> capitalized):
>> “
>> An IETF consensus has developed that no mandatory-to-implement 
>> security technology can be specified in an IETF specification unless 
>> it has no known IPR claims against it or a royalty-free license is 
>> available to ALL implementers of the specification unless there is a 
>> very good reason to do so.
>> “
>Right, the only change between 3979 and the above is the addition of the 
>word "ALL" (not in all caps in 3979bis).
>> I agree that the tightened language removes an arguably unclear 
>> loophole that has been present in RFC3979, and which Pete’s 
>> lawyer-friends probably would like to preserve.  However, generally 
>> speaking, removing loopholes like this is a Good Thing, unless the 
>> consensus at the time was such that there ought to be a loophole.  I 
>> did not follow the consensus process in sufficient detail to have an 
>> opinion, but perhaps security and IPR conscious folks in the IETF 
>> remember?
>Wait, what "arguably unclear loophole" do you think was there that 
>adding "all" in the above sentence tightens? 

The loophole is as follows: Arguably, without the ALL, there could be some implementers of mandatory to implement security technologies that are not covered by the RFC3979 language.  You yourself made that point, by saying that there actually IS a difference between presence and absence of the “ALL".  I got alarmed by your statement.  If you guys really think that the language gives enough wiggle-room that, for example, a library/chip-IP house offering a cipher could charge patent royalties for a mandatory to implement cypher technology even if the final hardware or software product cannot, then I find that alarming.  They shouldn’t be able to do so, because at least my understanding of the IETF consensus here has been that they would never, ever select a cipher as mandatory to implement unless that cipher is free of patent royalties.  

>Calling it a "loophole" 
>implies that somehow the IETF intention was to disallow something that 
>the current text allows. What is that something that you think we ought 
>to be removing?

See above.

>I know that my lawyer friend was concerned not about security technology 
>per se, but the issue of licensing levels more generally. I'm pretty 
>sure we only wanted to talk about requiring royalty-free licensing for 
>security protocols specifically and never intended to require particular 
>kinds of licensing across the board. Either way, I think that the 
>original text was perfectly clear and had no loopholes.

Again, the text above is ONLY related to mandatory to implement security technology.  Nothing (but common sense and the law, including antitrust law) prevents you guys to choose whatever language you prefer in your free-form licensing declaration.


>So, why are we adding "all"? What loophole are we trying to close? If 
>there is none, let's strike "all" and use the original text.
>Pete Resnick <>
>Qualcomm Technologies, Inc. - +1 (858)651-4478