Kerberos is licensed under terms which are too generous and too open
to abuse, particularly in a climate in which embrace-and-extend
"innovation" -- hostile hijacking of open standards -- is common
"competitive" practice. The protocol is currently in danger of being
splintered and rendered meaningless by the self-serving actions of
Microsoft. Closer attention to how standards are established in the
free software community is called for.
There are three general tools available in
- copyright: controlling specific expression -- words, sounds,
visual art, performances, software. The expression and only the
expression are covered. Copyright doesn't extend to ideas expressed,
facts, or methods, and has been specifically limited from attempts to
extend it in this direction by court decisions.
- patent: controlling ideas. A particular method, process, or device
may be patented. Patent doesn't govern discussion of a device (you're
welcome to discuss issues of a patent); it controls embodiment, trade,
and use in commerce.
- trademark and certification mark: controlling
use of distinguishing marks in trade, including slogans, logos, art, and
"trade dress" -- such as the shape of a Coke bottle, the sound of a
Harley-Davidson motorcycle, the shape of a Ferrari automobile, and Kodak
The problem in the free software community is that we've adopted an
"our tool is a hammer and the world is a nail" approach to intellectual
property. The focus is on copyright licensing terms, inspired by the
success of the GNU GPL, BSD, and MIT licenses. Patents are almost
universally decried as an evil abomination on the face of software,
and trademark is virtually ignored, except to the extent companies don't
wish to lose control of existing brands. We keep trying to pound our IP
nails with our copyright license hammers, and get frustrated when the
nails get bent, or refuse to drive home.
Protocols, such as Kerberos, are best addressed with a combined
patent and trademark strategy.
Patents, while not sufficient to protect the definition of a protocol
as a whole, could be applied to specific processes or methods utilized by
the protocol. These patents could be used to enforce compliance under
pain of withholding patent licenses from non-compliant implementations.
This is a powerful and blunt instrument, and relies very strongly on
the integrity of the patent-holding authority. OTOH, if this authority
is a patent pooling organization, it is under fairly tight antitrust
constraints as to what actions it is allowed to undertake.
The tool best suited to protocol compliance, however, is a trademark
or certification mark. What, might you ask, is a certification mark?
From the Nolo
A certification mark is a symbol, name or device used by an
organization to vouch for products and services provided by
others--for example, the "Good Housekeeping Seal of Approval." This
type of mark may cover characteristics such as regional origin,
method of manufacture, product quality and service accuracy. Some
other examples of certification marks: Stilton cheese (a product from
the Stilton locale in England), Carneros wines (from grapes grown
in the Carneros region of Sonoma/Napa counties), and Harris Tweed
(a special weave from a specific area in Scotland).
What a certification mark provides is a set of standards governing the
use of a given name, term, logo, or other trade dress. A well known
instance of this in the free software community was the creation of the OSI Certified
certification mark, governed by the Open Source Definition.
In this case, a testable definition of the term is used to certify a
specific license as compliant or not with the Open Source Definition.
In the specific case of Kerberos, MIT produced three distinct
- A protocol, with unlimited distribution terms.
- An implementation of the protocol, licensed under the MIT license --
largely similar to the BSD license, allowing free redistribution and
requiring only retention of the copyright notice.
- A name, Kerberos, apparently an unprotected piece of intellectual
In the face of hostile parties such as Microsoft, the licensing
authority may need the right and means to "embrace and extend"
the compliance requirements in light of quickly-changing tactics.
How necessary this would be varies with tactics -- there's probably a
lot which could be accomplished by requiring open and freely available,
unencumbered publication of standards. Ideally, a combination of a
functional regression and/or compatibility test, and requirement of
free, unencumbered publication of implementation specifics, would
The key is that licensing terms are an arbitrary decision on the
part of the mark holder. There is no obligation to license a mark,
there is a wide range of possible licensing terms (payment of
fees, compatibility testing, filial relationship, phase of the moon),
and terms can be changed without prejudice -- subject to limitations
of existing license contracts.
The flipside is that the markholder is obligated to uphold the
mark, prevent its abuse, or "dilution". Trademarks can be lost -- well
known examples include aspirin, Cellophane, and Dixie Cups. The first
was stripped from Bayer GmbH, a German company, by the US during WWII.
The latter two lost through general adoption. A lawyer friend captivated
me with tales of research he had to do in defending the Hooters
trademark (I kid you not -- entertainment, and sex, are big business).
What we've seen in the past are modifications to code which wasn't
subject to trademark (Kerberos), or attempts to regulate ability to
modify code directly, rather than certification of compliance (Java).
Neither mode works particularly well. Kerberos is on its way to becoming
a meaningless term referring generically to key-based authentication.
Java has been co-opted by a hostile party (Microsoft), as well as by a
friendly one (IBM), who simply wants to get things done. Sun, in its
efforts to maintain control over the standard, is in danger of losing
The use of a mark to ensure compliance means that someone contemplating
a code fork has to weigh the strategic advantages of non-compliant
operation against the loss of branding or certified compliance. Likewise,
the licensing authority is under pressure to keep terms reasonable enough
that a separate compliance program isn't launched in competition, with
more reasonable (or easier to comply with) rules.
In an interesting twist on the current situation, one could
seeking branding, certification, and regression testing independent of
the Microsoft-controlled SMB and Win32 "standards". If third parties
could be persuaded to track the open, rather than closed protocols,
Microsoft would be forced to change its tune, and a new standard would
emerge free of its control.
Free software has worked, paradoxically, by leveraging existing
intellectual property law, though at times in novel directions.
Copyright law is a fairly well understood tool. The power of patent,
and trademark law however, is often maligned and much misunderstood.
These can be powerful tools furthering free software and open standards.
 While arguably true, they're unlikely to go away. I prefer to see
them as a feature which, blighted as it may be, still has its uses.
 A search at the USPTO website for "Kerberos" returns no items.
Nor is any mention evident on the MIT Kerberos website of restrictions
on the use of the Kerberos name.