Re: Last Call on draft-bradner-rfc3979bis-08.txt ("Intellectual Property Rights in IETF Technology")

Pete Resnick <presnick@qti.qualcomm.com> Sun, 01 May 2016 18:06 UTC

Return-Path: <presnick@qti.qualcomm.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D24ED12D164 for <ietf@ietfa.amsl.com>; Sun, 1 May 2016 11:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.016
X-Spam-Level:
X-Spam-Status: No, score=-8.016 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=qti.qualcomm.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZgskFsM_Ro2y for <ietf@ietfa.amsl.com>; Sun, 1 May 2016 11:06:47 -0700 (PDT)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBB1B12D159 for <ietf@ietf.org>; Sun, 1 May 2016 11:06:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qti.qualcomm.com; i=@qti.qualcomm.com; q=dns/txt; s=qcdkim; t=1462126006; x=1493662006; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=039waRexhTly35AlJCssBWDyVZT43OdIPLZV9pX4aDo=; b=Re24e27xzn+Ig7KplBus5Dg290ZabtdCAD84xPI9Q0bTopT4Mw51H2L6 qWSlMsa57r5fLNgbm0G24/lOjueVG9oYsNZVQGB7f7u7fHhjJo4Hlqy3H KcjXg/R/nge2KOLGZASwRiZl5wlaCDnDlevhKpdFXjPVzG/vdZoCYtf9J k=;
X-IronPort-AV: E=Sophos;i="5.24,563,1455004800"; d="scan'208,217";a="189899125"
Received: from ironmsg04-l-new.qualcomm.com (HELO Ironmsg04-L.qualcomm.com) ([10.53.140.111]) by wolverine01.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 01 May 2016 11:06:46 -0700
X-IronPort-AV: E=McAfee;i="5700,7163,8152"; a="1114315027"
Received: from nasanexm01f.na.qualcomm.com ([10.85.0.32]) by Ironmsg04-L.qualcomm.com with ESMTP/TLS/RC4-SHA; 01 May 2016 11:06:46 -0700
Received: from [10.64.160.3] (10.80.80.8) by NASANEXM01F.na.qualcomm.com (10.85.0.32) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Sun, 1 May 2016 11:06:45 -0700
From: Pete Resnick <presnick@qti.qualcomm.com>
To: Stephan Wenger <stewe@stewe.org>
Subject: Re: Last Call on draft-bradner-rfc3979bis-08.txt ("Intellectual Property Rights in IETF Technology")
Date: Sun, 01 May 2016 13:06:45 -0500
Message-ID: <8E2E596F-E53F-4A4E-A296-6366F0D2C032@qti.qualcomm.com>
In-Reply-To: <C7E5B6F0-23C9-4A94-9A8B-2A65490F0F8C@stewe.org>
References: <0000431F-F977-4A24-BA4D-064F740977A0@piuha.net> <E7E31E22-1C86-40C4-BC5B-F65132015EF5@qti.qualcomm.com> <6CA3C554-0FF6-4779-80B9-C75698FB61C1@piuha.net> <EC4CBF0D-1B7C-4FB5-85EA-E622B24E9B9A@stewe.org> <9AFC22D7-C509-4765-AAC9-3096F188C4C6@qti.qualcomm.com> <C7E5B6F0-23C9-4A94-9A8B-2A65490F0F8C@stewe.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_EBCAC687-6854-426A-AD38-17E3575B5B6B_="
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.4r5239)
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: NASANEXM01C.na.qualcomm.com (10.85.0.83) To NASANEXM01F.na.qualcomm.com (10.85.0.32)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/waZpIyKOHhN7Z_31EjxAGXIrXds>
Cc: IETF <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 May 2016 18:06:50 -0000

Stephen,

First some level-setting. You write below, "Pete's employer has a fairly 
strong position on that matter". That may well be. But let's be crystal 
clear that I am speaking for myself. Now, I have no illusions (nor 
should anyone else have any illusions) that I am not influenced by my 
employer's positions on any number of issues, but neither in technical 
nor policy discussions do I bring things to the table that I don't 
personally think are the correct thing to do for the IETF. I have 
disagreements with my employer from time to time on any number of 
topics, and I choose whether to disagree publicly or remain silent on 
those issues. In any case, I think whether or not my "employer has a 
fairly strong position on that matter" is absolutely irrelevant to the 
discussion and I'd insist that it not be a topic of conversation.

That said, on the issues themselves [trimming a bit as I go]:

On 29 Apr 2016, at 21:23, Stephan Wenger wrote:

>>>>> OLD
>>>>>      must ensure that such
>>>>>      commitments are binding on any subsequent transferee of the
>>>>>      relevant IPR.
>>>>> NEW
>>>>>      must ensure that such commitments are binding on a transferee
>>>>> of
>>>>>      the relevant IPR, and that such transferee will use 
>>>>> reasonable
>>>>>      efforts to ensure that such commitments are binding on a
>>>>>      subsequent transferee of the relevant IPR, and so on.
>>>>> END

On my original proposal above: I want to be clear that the language 
above says that for the first transfer from me to someone else, I 
absolutely must ensure that the commitments are binding on the 
transferee. The "use reasonable efforts to ensure" bit comes in at the 
second transfer: *I* must ensure that the second guy will use reasonable 
efforts to ensure that the commitments are binding on the next guy, and 
so-on.

>>> I would be fine if the NEW part would be reworded as follows:
>>> NEW
>>>       must ensure that such commitments are binding on a transferee 
>>> of
>>>       the relevant IPR, and also binding on any subsequent 
>>> transferees
>>> of the relevant IPR.
>>> END
>>
>> This seems to require that if my IPR is transferred 20 times over 20
>> years, I am on the hook in perpetuity to absolutely make sure that 
>> the
>> next person down the line sticks to the agreement. I'm certainly 
>> willing
>> to make *reasonable* efforts to do so, and it will be up to a court 
>> to
>> determine if my efforts were reasonable, but I certainly don't want 
>> to
>> be forced to completely indemnify to 21st person down the line. "Use
>> reasonable efforts to ensure" seems reasonable. Otherwise, it's not
>> clear to me what I'm signing up to.
>
> My view is that certainty for the implementer that licensing 
> commitments made should trump freedom of business for patents.  I want 
> that a licensing commitment travels with the patent, just as a license 
> travels with the patent (the latter as a matter of law, almost 
> everywhere in the world and under almost all circumstances short of 
> bankruptcy).

Again, I'm fine with assuring that the license commitment travels with 
the patent on the first hop, and making sure that the next guy makes 
reasonable efforts to do the same. I just don't want to use 
extraordinary measures to enforce, under every jurisdiction worldwide, 
all transfers for the rest of time.

> If you are not willing to stand behind your commitment once made, and 
> enforce it yourself if violated by some guy downstream, then don’t 
> sell your patent.  Or, sell your patent but make sufficient allowances 
> to deal with the consequences of a sale to a misbehaving entity 
> downstream.
>
> Example: Assume A makes a non-assert covenant, and further assume that 
> an implementation infringes on the
> patent in question (meaning an implementer needs a license or a 
> reliance on a non-assert covenant).  Me, relying on this covenant, 
> implement the technology and never violate conditions in the 
> covenant--for example, I never sue A and thereby violate a reciprocity 
> condition of the covenant.  A later assigns to B, B assigns to troll C

And insert here, "and A has ensured that B will use reasonable efforts 
to ensure that C will honor the covenant"

> C sues me over a patent violation.  B and C may well not have a 
> disclosure obligation in the IETF.  The lawsuit would come out of the 
> blue to me.  That’s just wrong and exactly what the policy tries to 
> avoid.  If the non-assert would travel with the patent, of course I 
> could still get sued, but such a lawsuit would most likely have a 
> rather swift resolution in my favor.

IANAL, but I would think that with the inserted bit, such a lawsuit 
would equally have a rather swift resolution in your favor.

> With your language, once C sues me, as the very minimum I would have 
> to go through discovery of both assignments (there goes the first 
> million of many).  I may or may not win the lawsuit based on an 
> existing covenant or resulting implied license.  Once done, I can’t 
> even go after A for damages unless I could show A forgot to put some 
> “best effort” language in A's assignment paperwork.  That’s not 
> equitable, because A did profit from the assignment of the patent.

I don't see it. Leaving aside the "I can always get sued" argument, I 
don't see how the difference in language changes that much for you in 
this scenario.

>>>>> - Section 7, paragraph 6:
>>>
>>> An IETF consensus has developed that no mandatory-to-implement
>>> security technology can be specified in an IETF specification unless
>>> it has no known IPR claims against it or a royalty-free license is
>>> available to ALL implementers of the specification unless there is a
>>> very good reason to do so.
>>> “
>>
>> Right, the only change between 3979 and the above is the addition of 
>> the
>> word "ALL" (not in all caps in 3979bis).
>>
>>> I agree that the tightened language removes an arguably unclear
>>> loophole that has been present in RFC3979...
>>
>> Wait, what "arguably unclear loophole" do you think was there that
>> adding "all" in the above sentence tightens?
>
> The loophole is as follows: Arguably, without the ALL, there could be 
> some implementers of mandatory to implement security technologies that 
> are not covered by the RFC3979 language.

No, absolutely not. The current language is crystal clear that all 
implementers of MTI security technologies must get an RF license, or 
that there are no known claims. I want it to be perfectly clear that 
we've made no change in policy in this regard, and adding "all" sounds 
like something was different before. There's not anything different.

> You yourself made that point, by saying that there actually IS a 
> difference between presence and absence of the “ALL".

No, as I said in my earlier message, the difference is *not* as it 
pertains to this paragraph. Again, I think adding "all" makes no 
difference in this paragraph at all, which is why I thought it was 
reasonable to remove. The issue is that adding "all" might imply to some 
folks that the IETF *does* think there's a difference that applies to 
non-RF cases, that somehow the IETF thinks that it's gotten into the 
business of dictating particular licensing levels in cases not related 
to security protocols.

> I got alarmed by your statement.

I'm sorry to have alarmed you. I just want it to be clear that we've 
made no change in this policy regarding security protocols, and also 
that the IETF continues to take no position on other sorts of licenses.

> If you guys really think that the language gives enough wiggle-room 
> that, for example, a library/chip-IP house offering a cipher could 
> charge patent royalties for a mandatory to implement cypher technology 
> even if the final hardware or software product cannot, then I find 
> that alarming.  They shouldn’t be able to do so, because at least my 
> understanding of the IETF consensus here has been that they would 
> never, ever select a cipher as mandatory to implement unless that 
> cipher is free of patent royalties.

(a) Not "you guys"; just me (see top of message). (b) Not interested in 
any wiggle-room in this paragraph. Just assuring that we're not making a 
change in policy.

(And if we haven't, at this point, made enough of a record of the intent 
of the consensus on this point, I don't know how we could.)

>> I know that my lawyer friend was concerned not about security 
>> technology
>> per se, but the issue of licensing levels more generally. I'm pretty
>> sure we only wanted to talk about requiring royalty-free licensing 
>> for
>> security protocols specifically and never intended to require 
>> particular
>> kinds of licensing across the board. Either way, I think that the
>> original text was perfectly clear and had no loopholes.
>
> Again, the text above is ONLY related to mandatory to implement 
> security technology.  Nothing (but common sense and the law, including 
> antitrust law) prevents you guys to choose whatever language you 
> prefer in your free-form licensing declaration.

In which case sticking with the original text seems just fine.

pr
-- 
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478