RE: [TLS] Patents and draft-housley-authz-extns-07

To: Mark Brown <mark at redphonesecurity.com>
Subject: RE: [TLS] Patents and draft-housley-authz-extns-07
From: Dean Anderson <dean at av8.com>
Date: Fri, 8 Jun 2007 16:43:13 -0400 (EDT)
Cc: tls at ietf.org
In-reply-to: <002401c7a855$03831fc0$6801a8c0@rps.local>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>

Also I have learned that not everyone on the TLS list knows the history
of the draft, particularly the misbehavior. I'm going to put up a web
page on http://www.av8.net/IETF-watch/People/Housley/ to document this.

Inline

On Wed, 6 Jun 2007, Mark Brown wrote:

> Dean,
> 
> It sounds like you're expecting that the RedPhone Security patent will issue
> as filed but that it really doesn't contain any innovation -- i.e. that the
> patent grantors of the world will screw this one up.  I'm less cynical on
> this question, and so on that point I have to disagree with you.

I'm not cynical about the PTO 'screwing it up' (see also the
clarification below). But as president of the LPF, it is true that I've
seen many patents issue that aren't novel, and many that are finally
found to be invalid after being litigated or on review after issue.  
The patent office, to its credit, reviews such bad patents when
complaints are made after issue. But the fact is, that there are very
few novel software inventions out there.  The reason, I think, that
there are more bad software patents than other kinds of patents is
because it is easier for software writers to invent their own terms
which foil patent searches--there have been some interesting proposals
(one was a new language) to solve that problem, but none that are fully
workable [other than, of course, eliminating software patents].

But I do see novel software patents, now and again.  Those few novel
inventions create the most concern for the LPF and others, because when
an invention is truly novel, it is often very difficult to come up with
another alternative that is competitive.  A good example is the Fourier
Transform and the Fast Fourier Transform (FFT).  Once you have a patent
on the FFT, its pretty hard to compete using the old transform method.  
A novel invention usually has a benefit that isn't found anywhere else;
the benefit might not be performance, but it is something that makes the
invention "better", and that something is also novel.  A good example of
a not-novel patent is the infamous XOR patent, where ATT patented the
use of XOR to update a graphical mouse pointer image. [the patent office
rescinded that patent on review]

By contrast, your authz-extns claims aren't really novel: You didn't
invent federated authorization and identity. You didn't invent using
X.509 information for authorization.  There is nothing novel about
moving around X.509 certificate information. We do that all the time
without TLS extensions.  X.500 and LDAP use certification information
for authorization.  Anyone trying to implement say, RADIUS over TLS,
would have to carry most/all of the same steps.  There is nothing novel
about using authorization with TLS. Almost all web apps do that to some
extent.  Every step in your patent specification is dictated by the TLS
protocol, or by the steps required for authorization as determined
previously in other applications.  So, you haven't invented anything;
what you have is really a copyright on a sequence of obvious steps;
steps that would be obvious to anyone trying to perform authorization
through a TLS protocol extension.  There is nothing clever or inventive
in what you've done.  There is no secret to reveal in the patent. What
you have is an 'obvious first use'.

What is an 'obvious first use'?

For example, the first person to send HTTP over 10GigE is not entitled
to a patent on sending HTTP over 10GigE, even though they are the first
person to do so.  The only novelty is being the first to do something
obvious. Similarly, the only "first" in your patent, is being the first
to send authorization information using a TLS extension.  The patent
office is supposed to recognize this sort of non-patentable 'obvious
first use', but often does not do so until the patent is later
challenged.  

So, my view isn't cynicism, but long experience with the patent office.  
The patent office is well aware of its limitations, and honestly works
very hard to improve its processes. And the PTO has improved a lot since
the LPF was first founded.  When we began our efforts, the PTO didn't
hire software people, and had no computer scientists on staff to judge
software patents. That's how the infamous XOR patent got issued (and was
ultimately revoked on review).  The PTO responded to criticism, and
began hiring computer scientists to review software patents. When the
LPF first began, the PTO didn't publish patent applications until after
the patent was granted.  The fact that your patent application is
public, is a result of the PTO trying to improve its process in response
to criticism by the LPF and others. Things are much better now, but a
lot still slips though first review. This too, is changing, but slowly.

Clarification on 'likely to issue'

You also mentioned something about my statement that patent was 'likely
to issue' indicating cynicism. This needs some clarification. My
statement is not cynical.  It is not the case that I expect the patent
office to "screw it up"---in fact, the PTO will try hard to fix what
their mistakes after issuing a bad patent. It is true that I don't think
your patent is worthy of issue, but that is not what I mean when I talk
about 'likely to issue'; nor is it that I am second guessing the patent
office; When I say 'likely to issue', I mean that as a matter of our own
preparation, the patent office has published a live patent application,
and we have to anticipate that this patent will happen;  This is the
purpose pre-issue publication--to give us advance warning.  We
anticipate this on all published applications.  I mean 'likely to issue'
in the same sense as a live grenade is anticipated to explode, and would
be 'likely to explode'.  It could be a "fake grenade", but we can't
assume that.  We have been given notice by the PTO of something that
will 'likely happen', and have to act accordingly to minimize our
exposure to the anticipated patent.  This is the purpose of publicizing
the application before issuance.

> I think federated authorization & identity techniques are fascinating
> and are likely to be very useful in the future of Internet
> communications.

Federated authorization and identity techniques have been important in
the past, and I'm sure they will be important in the future.

> I love my job. It energizes me because I fully intend to bring useful
> products to market -- even though that's difficult to do as a small
> company.

I love my job, too. And I run a small company, too.  And I play by the
rules and I work really hard, and I contribute to community projects
like the LPF. And like others who also work really hard and play fairly,
I take some offense at people who cheat and expect not to be penalized.

> I may fail, but I'll try.  My country -- at least historically --
> thought that patents were a way to encourage this sort of passion
> because historically it's been the cradle of innovation.

Your passion does not entitle you to a patent or a monopoly. Other
people also have a passion for federated authorization and identity, and
for TLS and SSL, and would like to engage their passions without being
monopolized.

> That's the spirit behind what I'm doing, and I hope we can find a way
> to respectfully disagree about the systems supporting patents and the
> RedPhone Security filing in particular.

That is not entirely the spirit of what you are doing. You (that is,
your company, associate, contractor) have cheated by not revealing your
patent application to the IETF when you submitted your draft 7 times,
each time stating there were no undisclosed patents. While the writing
author (Housley) may be more at fault personally than you are personally
at fault, you and your company still bear the burden of the failure,
just as your business partners bear the burden of your personal failures
as CEO.  There has to be a penalty for that misbehavior, otherwise it
would be unfair to those who worked hard, played by the rules and
disclosed their patents as required.

I have learned that not everyone on the TLS list knows the history of
the draft, particularly the misbehavior. I'm going to put up a web page
on http://www.av8.net/IETF-watch/People/Housley/ to document this.

> It's taken me a while to understand your criticism on this point, but I
> think I get it now.  I have prepared a corrected license which will be ready
> and published shortly (or ASAP at the latest).

I look forward to seeing this. I should note, though, that resolving the
patent issue won't resolve the cheating issue, and won't absolve Housley
of the bad faith issue.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

References:
- RE: [TLS] Comments on draft-housley-tls-authz-extns-07
  - From: Mark Brown

Prev by Date: [TLS] Conclusion of TLS SRP straw poll
Next by Date: Re: [TLS] Comments on draft-housley-tls-authz-extns-07
Previous by thread: RE: [TLS] Comments on draft-housley-tls-authz-extns-07
Next by thread: Re: [TLS] Comments on draft-housley-tls-authz-extns-07 (fwd)
Index(es):
- Date
- Thread

RE: [TLS] Patents and draft-housley-authz-extns-07

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.