
IBM patents on key distribution and authentication



Recently, both Ran Atkinson (in the note below sent to IP-SEC) and Bill
Simpson (verbally) raised the issue of disclosing patent claims which may
be relevant to IETF proposals for standards. While I'm not a patent lawyer
and I'm not authorized to represent IBM as to its position on specific patents,
I decided to make a reasonable effort to provide the necessary details on
IBM policy. I am also initiating an internal IBM discussion as to the very
specific license conditions for the specific patents and standards (in simple
words, I want to make sure the fee is none or minimal).

In fact, I've asked Kannan to check if the following IBM official
statement is enough to allow discussions. Since Ran and Bill already
raised the question before Kannan could come back to me, let me offer
this statement here. If this statement is not enough, and/or if we should
have resolved/disclosed this before now, let me clearly express my regret;
I'm really new in IETF activities and I'm focusing on technical work
(I believe this holds for Hugo and Juan too). The summary of the statement
below, as I understand it, is that IBM policy is to make licenses available
on a non-discriminatory and non-onerous basis (i.e. to all and for reasonable
cost). Note also that IBM have made several important patents available
for free or for a reasonable lump-sum, e.g. DES; so this is not just theory.
Also, while there are many objections to patents on software, I think IBM
does fall into the more `fair users' of s/w patents by not being too
aggressive in collection and by really investing a lot in research which
is made public. So, at least this is not one of these companies that just
try to make money by stopping others. Well, end of pro-IBM pitch...
Here is the statement, which I received from John Lowe from Licensing:

  `In the event that the proposed standard is adopted and the standard
  cannot be practiced without the use of one or more issued patents,
  including design patents for type fonts but excluding other design
  patents, which are now or hereafter owned or controlled by IBM, IBM
  agrees upon request to grant a non-exclusive license under such patent
  or patents on a nondiscriminatory basis and on reasonable terms and
  conditions including its then current royalty rates and provided a similar
  grant under licensee's patents within the scope of the license granted
  to licensee is made available upon request to IBM.'


IBM has quite a few patents and patent applications on cryptography and
cryptographic protocols. There is one of them which I think covers several
of the recent key management and authentication proposals. In particular,
I believe this patent covers the proposals we are about to make to both
IP-SEC and mobile-IP; I suspect it may cover some of the other proposals too,
maybe even the basic mobile-IP protocol in either timestamp or nonces versions.
(It is not up to me to argue if these claims in this patent are defendable
in court or not.) This is US patent 5,148,479, issued Sept 15, 1992 to
IBM and invented by Bird et al.; claim 1 in it says:
  1. A method of auth a user... comprising the steps of
     - transmitting a first challenge N1 from a first user A to ... B,
     - transmitting a first response... [from B to A]
     - verifying at ... [A] that the first response is correct,
     - said first response being of the minimal form
         f(S1,N1,D1,...),
       wherein S1 is a shared secret between... [A and B], D1 is an
       indication of the direction of flow of the message...
       and f() is a function selected such that
         f(S1,N1',D1',...) = f(S1, N1, D1,...)
       cannot be solved for N1' without knowledge of S1, wherein f(), N1', D1'
       represent expressions in a reference connection.

(Doesn't make any sense to you? I can't blame you... I hate this patentish
and never understand it myself.)

For more (formal) information you can contact IBM director of licensing
at 914-742-6729 (fax), or call John Lowe at 914-742-6275, cc:ed above.

Best regards, Amir Herzberg

From: Ran Atkinson <atkinson@sundance.itd.nrl.navy.mil>


> Note- DEC has patented this clever technique.

I'd like to put out a request and reminder since there are many on this
list who are somewhat new to the IETF way of doing things.

1) The IETF normally tries to avoid using patented techniques in IETF
specifications, though it is not always possible (sigh).

2) In any event, it is ALWAYS important to note ALL possible
intellectual property claims relating to any proposal in the FIRST
note or presentation of the proposal.  It is not good practice to
propose a technology which is subject to intellectual property claims
(e.g. patents) without that up front disclosure.

IMHO, we do NOT want a repeat of recent events in another area of the
IETF where a vendor pushed a particular algorithm and did not disclose
patent claims up front.  If that happens here, I _will_ formally make
a process violation complaint at or before Last Call.

However clever one might consider the DEC technique, I don't want to
include it in any portion of the standards-track specification UNLESS
DEC formally agrees in writing to license it to all comers at no cost.

One of the best reasons to use DES-CBC as a mandatory algorithm is
that one does NOT have to obtain any license to use or implement that
algorithm.  The same is true of MD4 and MD5.  These facts are a large
part of the reason that existing IETF specs use DES and MD5 as the
mandatory algorithms.

Regards,

Ran
atkinson@itd.nrl.navy.mil
