Kuro5hin.org: technology and culture, from the trenches

Beyond copyright -- IP for protocols

By kmself in Culture
Mon May 15, 2000 at 08:30:44 AM EST
Tags: Software (all tags)

Bruce Perens's Technocrat article criticizing the release of the Kerberos protocol under excessively liberal terms is on the mark. While it may not be clear, Bruce isn't calling for release of the protocol under the terms of the GNU GPL, but for similar licensing concepts to be applied. The Kerberos protocol must be freely available, assure interoperability, and require that new implementations of the standard be similarly made freely available. Copyright-based licensing, while common in the free software community, is the wrong tool for this job.



Kerberos is licensed under terms which are too generous and too open to abuse, particularly in a climate in which embrace-and-extend "innovation" -- hostile hijacking of open standards -- is common "competitive" practice. The protocol is currently in danger of being splintered and rendered meaningless by the self-serving actions of Microsoft. Closer attention to how standards are established in the free software community is called for.

There are three general tools available in IP law:

  1. copyright: controlling specific expression -- words, sounds, visual art, performances, software. The expression and only the expression are covered. Copyright doesn't extend to ideas expressed, facts, or methods, and has been specifically limited from attempts to extend it in this direction by court decisions.
  2. patent: controlling ideas. A particular method, process, or device may be patented. Patent doesn't govern discussion of a device (you're welcome to discuss issues of a patent); it controls embodiment, trade, and use in commerce.
  3. trademark and certification mark: controlling use of distinguishing marks in trade, including slogans, logos, art, and "trade dress" -- such as the shape of a Coke bottle, the sound of a Harley-Davidson motorcycle, the shape of a Ferrari automobile, and Kodak gold.

The problem in the free software community is that we've adopted an "our tool is a hammer and the world is a nail" approach to intellectual property. The focus is on copyright licensing terms, inspired by the success of the GNU GPL, BSD, and MIT licenses. Patents are almost universally decried as an evil abomination on the face of software [1], and trademark is virtually ignored, except to the extent companies don't wish to lose control of existing brands. We keep trying to pound our IP nails with our copyright license hammers, and get frustrated when the nails get bent, or refuse to drive home.

Protocols, such as Kerberos, are best addressed with a combined patent and trademark strategy.

Patents, while not sufficient to protect the definition of a protocol as a whole, could be applied to specific processes or methods utilized by the protocol. These patents could be used to enforce compliance under pain of withholding patent licenses from non-compliant implementations. This is a powerful and blunt instrument, and relies very strongly on the integrity of the patent-holding authority. OTOH, if this authority is a patent pooling organization, it is under fairly tight antitrust constraints as to what actions it is allowed to undertake.

The tool best suited to protocol compliance, however, is a trademark or certification mark. What, might you ask, is a certification mark? From the Nolo Law FAQ:

A certification mark is a symbol, name or device used by an organization to vouch for products and services provided by others--for example, the "Good Housekeeping Seal of Approval." This type of mark may cover characteristics such as regional origin, method of manufacture, product quality and service accuracy. Some other examples of certification marks: Stilton cheese (a product from the Stilton locale in England), Carneros wines (from grapes grown in the Carneros region of Sonoma/Napa counties), and Harris Tweed (a special weave from a specific area in Scotland).

What a certification mark provides is a set of standards governing how a given name, term, logo, or other trade dress may be used. A well-known instance of this in the free software community was the creation of the OSI Certified™ certification mark, governed by the Open Source Definition. In this case, a testable definition of the term is used to certify a specific license as compliant or not with the Open Source Definition.

In the specific case of Kerberos, MIT produced three distinct intellectual properties:

  1. A protocol, with unlimited distribution terms.
  2. An implementation of the protocol, licensed under the MIT license -- largely similar to the BSD license, allowing free redistribution and requiring only retention of the copyright notice.
  3. A name, Kerberos, apparently an unprotected piece of intellectual property. [2]

In the face of hostile parties such as Microsoft, the licensing authority may need the right and means to "embrace and extend" the compliance requirements in light of quickly-changing tactics. How necessary this would be depends on tactics -- there's probably a lot which could be accomplished by requiring open and freely available, unencumbered publication of standards. Ideally, a combination of a functional regression and/or compatibility test, and a requirement of free, unencumbered publication of implementation specifics, would suffice.

The key is that licensing terms are an arbitrary decision on the part of the mark holder. There is no obligation to license a mark, there is a wide range of possible licensing terms (payment of fees, compatibility testing, filial relationship, phase of the moon), and terms can be changed without prejudice -- subject to limitations of existing license contracts.

The flipside is that the markholder is obligated to uphold the mark and prevent its abuse, or "dilution". Trademarks can be lost -- well-known examples include aspirin, Cellophane, and Dixie Cups. The first was stripped from Bayer GmbH, a German company, by the US during WWII. The latter two were lost through general adoption. A lawyer friend captivated me with tales of research he had to do in defending the Hooters™ trademark (I kid you not -- entertainment, and sex, are big business).

What we've seen in the past are modifications to code which wasn't subject to trademark (Kerberos), or attempts to regulate ability to modify code directly, rather than certification of compliance (Java). Neither mode works particularly well. Kerberos is on its way to becoming a meaningless term referring generically to key-based authentication. Java has been co-opted by a hostile party (Microsoft), as well as by a friendly one (IBM), which simply wants to get things done. Sun, in its efforts to maintain control over the standard, is in danger of losing it completely.

The use of a mark to ensure compliance means that someone contemplating a code fork has to weigh the strategic advantages of non-compliant operation against the loss of branding or certified compliance. Likewise, the licensing authority is under pressure to keep terms reasonable enough that a separate compliance program isn't launched in competition, with more reasonable (or easier to comply with) rules.

In an interesting twist on the current situation, one could contemplate, say, Samba and WINE seeking branding, certification, and regression testing independent of the Microsoft-controlled SMB and Win32 "standards". If third parties could be persuaded to track the open, rather than closed protocols, Microsoft would be forced to change its tune, and a new standard would emerge free of its control.

Free software has worked, paradoxically, by leveraging existing intellectual property law, though at times in novel directions. Copyright law is a fairly well understood tool. The power of patent and trademark law, however, is often maligned and much misunderstood. These can be powerful tools furthering free software and open standards as well.


[1] While arguably true, they're unlikely to go away. I prefer to see them as a feature which, blighted as it may be, still has its uses.

[2] A search at the USPTO website for "Kerberos" returns no items. Nor is any mention evident on the MIT Kerberos website of restrictions on the use of the Kerberos name.

Beyond copyright -- IP for protocols | 11 comments (11 topical, editorial, 0 hidden)
drunk, but from what I can understa... (2.00 / 5) (#1)
by davidu on Mon May 15, 2000 at 04:41:05 AM EST

davidu voted 1 on this story.

drunk, but from what I can understand, it is cool

This is still.... (none / 0) (#9)
by kmself on Wed May 17, 2000 at 11:06:22 PM EST

...my favorite response.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

A very good write up.... (2.00 / 4) (#2)
by Dacta on Mon May 15, 2000 at 07:28:16 AM EST

Dacta voted 1 on this story.

A very good write up.

Perhaps standards regulation is required (4.00 / 2) (#3)
by ZamZ on Mon May 15, 2000 at 11:01:57 AM EST

Although I'm never keen on government intervention in such matters it does have an occasional use.

The application of a standard has helped the mobile phone network in Europe expand rapidly. The internet has exploded purely because of standards. When it comes to communication devices (and I include computers here) standards are required to ensure that we can communicate with each other and are not frustrated by proprietary protocols.

We need either an empowered governing body or legislation requiring that computer communication protocols are open. The latter is being proposed in France at the moment and this is something I strongly support.

ZamZ
(opinions are my own, facts are global)


Gov't standards -- they work when they work, but.. (none / 0) (#7)
by kmself on Tue May 16, 2000 at 03:42:12 PM EST

Government imposed standards aren't a full solution. When they work, they're great, but when they work, I'd also argue that it's because the underlying climate is such that other means of arriving at the same goal would have returned similar results. The problem is that anything involving government is an inherently political process, and if high tech standards are at stake, you've got one of the worst mixes of politics and financial interests.

One of the clearest examples IMO is the high definition digital TV standard -- HDTV. The US has adopted a standard, it's specified by the government, and...was supposed to have been in general use years ago. Problem: it's a compromise solution, it's a technology which offers weak gains for big losses in broadcast spectrum space (better pictures, fewer stations), and among the alternatives offered stations was the choice to put more low-quality signals into the same space. Guess what many broadcasters decided they wanted?

I'm not saying that government intervention is entirely unnecessary. If you've followed the recent debate at American Prospect, principally the exchanges between Eric Raymond and Lawrence Lessig.

I side more with Lessig than with Raymond in this debate -- government is necessary, but its role is to level the playing ground and establish ground rules. Lessig makes the powerful point that in a lawless society, such as post-Soviet Russia, capitalism doesn't have the necessary democratic foundations on which to build. I believe that government intervention in the markets, and in establishing standards, must be of this form. Establish grounds on which a meaningful standard can be defined and defended, but don't specify the standard itself.

In this framework, standards can be proposed (standards -- sure I believe in standards -- the more the merrier...). But the job of knocking out which specific standards are adopted needs to be left to the industry -- both vendors and users -- to whom it applies. What's essential to the process, however, is that the contestants play fairly. Fair judge and cop is a proper role for government.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Certification mark sounds like the way to go (3.00 / 1) (#4)
by madams on Mon May 15, 2000 at 11:35:27 AM EST

I'll agree that, by and large, the free software community has ignored other forms of IP, particularly trademarks (patent issues have occasionally arisen, but with negative connotations).

Free software advocates need to understand all the legal means of protecting the free distribution of software, protocols, and anything else.

There were a few good responses in Protecting Free and Open Protocols (http://www.kuro5hin.org/?op=displaystory;sid=2000/5/13/131236/425) stating that companies might hesitate in adopting Microsoft protocols that can only claim to be Kerberos-like. With something as valuable as Kerberos, I would probably only trust certified implementations. This would be dependent, of course, on how well a particular certification is maintained.


--
Mark Adams
"But pay no attention to anonymous charges, for they are a bad precedent and are not worthy of our age." - Trajan's reply to Pliny the Younger, 112 A.D.

Where's the white horse and armour when you need i (4.70 / 3) (#5)
by Rasputin on Mon May 15, 2000 at 04:16:28 PM EST

I agree completely that the open source community needs more effective ways to defend against "embrace, extend and control" tactics. Unfortunately, in the short term I would say there probably is no easy answer. Even with trademarks, patents and copyrights in place, the reality is without a "white knight" backer the open source community would be hard pressed to fully execute a lawsuit against companies like M$, Sun, IBM or any of several similar 700 pound gorillas. What these companies consider a nuisance lawsuit would bankrupt most open source supporters, and they would happily spend millions of $ if they thought there was a market advantage in it.

A good example of this is the lawsuit between M$ and Sun over Java. M$ saw an opportunity to embrace, extend and control Java which would give them a shot at controlling a substantial part of the internet, and this is easily worth the few tens of millions of $ they spent trying to defend themselves. The only reason M$ lost that suit was because Sun was willing and able to match them lawyer for lawyer and dollar for dollar in the courts. M$ knew they were violating the agreements, but attempted to buy an exemption. Sun was able to hold them off, but the reality is that the open source community probably couldn't without substantial backing and help.

I hope someone smarter than me sees an answer that can be effective in the near future, or things will get very painful indeed before they get better.
Even if you win the rat race, you're still a rat.

See what Sun is in to? (4.00 / 1) (#6)
by cdegroot on Tue May 16, 2000 at 04:20:08 AM EST

Now that we have a very clear example of what M$ does when protocols and standards are up for grabs, and a good discussion of what can be done against them, I hope that people will take the time to appreciate Sun's hairy position with Java and Jini, and the - admittedly imperfect - way they are trying to protect everyone from the Redmond droids doing the embrace'n'extend thingy with these standards, while still allowing widespread distribution of the source code.

Java standards (4.00 / 1) (#8)
by CrisR on Wed May 17, 2000 at 12:22:47 PM EST

Just wanted to mention that it might help to look at the way Sun is trying to control the standard Java language and VM. They allow others to do their own implementations, but have been trying to keep a tight rein on what qualifies as Java. Sun's efforts are not Open Source compatible, but their use of the law could be applied in any attempt to Trademark a standard implementation.

The gall of Microsoft. (2.00 / 1) (#10)
by Inoshiro on Thu May 18, 2000 at 04:37:06 PM EST

From: Microsoft Security Response Center <secure@MICROSOFT.COM> Wed 19:09
 Subject: Re: BUFFER OVERRUN VULNERABILITIES IN KERBEROS
     To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

Hi All -

Windows 2000 is not affected by these vulnerabilities.  Regards,

Secure@microsoft.com

Considering they don't have a working true implementation of Kerberos, this really pisses me off. This is like "our diesel powered clones don't have the exploding engine problems those gas powered Genuine Thing (tm)s have" -- of course not, Win2k doesn't support Kerberos in the true sense. It can be a client, somewhat, but it can't be a server!

I felt the need to say that :-)



--
[ イノシロ ]

kerb spec to be modified, MSFT's mods out? (none / 0) (#11)
by kmself on Wed May 24, 2000 at 04:33:37 PM EST

Just an update post, with me too rushed to check sources. Saw a note the past couple of days that the Kerberos spec would be rewritten to explicitly deny the changes Microsoft has made to the header portions it's changed. Seems the control in this case lies with the IETF and some preservation of integrity may be possible. Probably posted to LinuxToday as that's where I pick up a lot of news.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.
