[Dean Anderson] RE: Withdrawal of Approval and Second Last Call: draft-housley-tls-authz-extns

Dean cannot post to the ietf list so I have forwarded his comments here.

Ok, I've now read most of the patent documents and claims, and I've 
looked over the draft-housley-tls-authz-extns-07.txt.

Short answer: The RFC and the patent application are very close, if not
identical.  It is not the case that the patent is merely overbroad, and
therefore covers the housley draft; they are the same.  On the draft: 
rewrite so as not to infringe the patent application if granted.

The timeline of events is very important:

-- The first patent applicationis filed in January, 2005, with Mark D. 
Brown and David J. Wilke as the applicants.

-- The application was apparently amended September, 2005 with
application number 11/234404. This application is not listed in the IPR
disclosure, but can be found on the "Continuity Data" tab of the USPTO
web site (see below). This is somewhat strange, I think, especially as 
its the most similar to the housley draft.

-- The first draft of draft-housley-tls-authz-extns was submitted in
February, 2006.  Mark Brown and Russ Housley are the authors.

-- February 2007, IESG approval is withdrawn after Russ Housley becomes
Chair of IETF and IPR information comes out regarding the draft.

Having reviewed the documents, the 'housley' draft and the patent
application contain essentially identical message exchange diagrams.
For example, Figure 6 of the drawings associated with patent application
11/234404 is nearly identical with Figure 2 of
draft-housley-tls-authz-extns-07.txt.

It seems impossible to me that, as Brown describes below, that the
patent claims could merely 'be read more broadly.' This patent is
essentially identical with the IETF draft.  The primary difference is
the housley draft doesn't contain the concrete examples of the patent
application, and is more abstractly written.

I'm not sure what it means to file a patent and subsequently author an
essentially identical draft 'in good faith', since it is unclear what
bad faith would be.  I am still uncertain about when Brown and Housley
each knew about RFC3979, and when did they each know about the existance
of the patent application.  I haven't seen any such dates and evidence
on this by either Housley or by Brown.  I'm a still uncertain as to how
the existance of the patent application became known to the IETF.  I
would like to see definite answers to these questions, rather than
assurances of good faith.

BTW, creating a permanent royalty free license grant to the public is
quite easy.  Other variations are quite hard, until you get down to
licensing individual entities. However, you cannot simulataneously both
grant royalty free use of this patent, and continue to make money using
this patent as a monopoly on the technology; these are mutually
exclusive.

On the subject of how to proceed with the draft:  Having reviewed
documents, my view is that the technology in the patent application is
not novel, but would be obvious to anyone trying perform the services
described, and that therefore the patent application should be denied.
Furthermore, except for possibly overbroad claims, the TLS protocol
extension can be changed so that it doesn't use the patented methods.  
My recommendation, informed by the actual documents, is that the draft
should be rejected and rewritten using non-patented alternatives.

FYI: The patent files can be downloaded from the "How to Search" page at
http://www.uspto.gov/main/profiles/acadres.htm 
Then click "Track Patent Status" 
Then select "Application Number" and enter the application
number 60/646749 or 11/234404 and click on Search.

To get the patent documents, click the tab "Image File Wrapper" and 
download the images as a PDF.  There are other tabs which are 
interesting.

		--Dean

On Thu, 29 Mar 2007, Mark Brown wrote:

> Simon,
> 
> I filed for patent (Jan and Sep 2005) and later promoted TLS authz (Feb
> 2006) in good faith.  It is possible that the patent claims can be read more
> broadly than I expected, but that's a fairly detailed and unresolved legal
> question.  I am working diligently to -- let me speak carefully -- explore
> if and how I can make a royalty free license grant to ensure that promoting
> TLS authz continues to be an act in good faith, while still protecting a way
> for my company to make money on its IPR.
> 
> I have experienced some surprises when mixing law and Internet standards.
> To try to avoid surprises, I have hired IPR attorneys at two different firms
> to review my draft which proposes a royalty-free license grant.  I expect
> any resulting license will be conditioned upon IETF acceptance of TLS authz
> as a standard.  I hope to have concluded these services next week.
> 
> I think IPR questions are complicated in part because for some questions
> only a lawsuit can answer the question -- but we should all want to stay
> clear of these kinds of lawsuits!  So answers seem to me to be in short
> supply.  I want to craft the proposed license to make this situation a
> little clearer than that, but doing so often involves taking risks of giving
> away a huge loophole.  So I'm working to get good legal advice.
> 
> In short, I am working to create a royalty-free license grant -- hopefully I
> can disclose it next week.  With some luck, it will clarify the situation.
> 
> Best regards,
> 
> mark
> 
> > -----Original Message-----
> > From: Simon Josefsson [mailto:simon@josefsson.org]
> > Sent: Thursday, March 29, 2007 10:12 AM
> > To: Sam Hartman
> > Cc: ietf@ietf.org; iesg@ietf.org; mark@redphonesecurity.com
> > Subject: Re: Withdrawal of Approval and Second Last Call: draft-housley-
> > tls-authz-extns
> > 
> > Sam Hartman <hartmans-ietf@mit.edu> writes:
> > 
> > >>>>>> "Simon" == Simon Josefsson <simon@josefsson.org> writes:
> > >
> > >     Simon> I don't care strongly about the standards track status.
> > >     Simon> However, speaking as implementer of the protocol: If the
> > >     Simon> document ends up as informational or experimental, I
> > >     Simon> request that we make an exception and allow the protocol to
> > >     Simon> use the already allocated IANA protocol constants.  That
> > >     Simon> will avoid interoperability problems.  I know the numbers
> > >     Simon> are allocated from the pool of numbers reserved for
> > >     Simon> standards track documents.  There is no indication that we
> > >     Simon> are running out of numbers in that registry.  Thus, given
> > >     Simon> the recall, I think the IETF should be flexible and not
> > >     Simon> re-assign the IANA allocated numbers at this point just
> > >     Simon> because of procedural reasons.
> > >
> > > Would you support publication on the standards track given the IPR
> > > situation as someone who has implemented?
> > 
> > If the patent concern is valid and covers TLS libraries or other
> > applications, no.
> > 
> > However, as far as I am aware of the public information that is
> > available, the situation appears to be that we don't know whether
> > these patents apply and to what extent.  I don't know whether the
> > patents were filed in good or bad faith.  More information from the
> > patent holders may help here.
> > 
> > If it is possible to implement the protocol without violating the
> > patents, I would support publication.  I've seen some claims that this
> > may be possible.  I have no interest in reading these patents myself,
> > but my position would be influenced if someone knowledgeable reads the
> > patents.
> > 
> > Given the amount of patents out there, it would be unreasonable for us
> > to move everything to informational just because someone finds
> > something that may be relevant to a piece of work.
> > 
> > The community needs to evaluate patent claims, and preferably reach
> > conservative agreement (rough consensus is not good enough) on whether
> > we should care about a particular patent or not.  Input to that
> > community evaluation process may be documentation of legal actions
> > taken by a patent owner.  Sometimes that may happen only after a
> > document has been published.
> > 
> > I would support down-grading standards track documents that later turn
> > out to be patent-infected to informational.  Doing so would avoid
> > sending a message that the IETF supports patented technology, when the
> > IETF community didn't know about the patents at publication time.  For
> > credibility of the process, I believe it is important that these
> > decisions are only made based on publicly available information.
> > 
> > /Simon
> 
> 
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www1.ietf.org/mailman/listinfo/ietf
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf