Friends,

Sorry to write this to a developer mailing list. I have already approached some OpenSSH/OpenBSD core members on this, including Markus Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to bring the issue up on the mailing list. I am not aware of any other forum where I would reach the OpenSSH developers, so I will post this here.

As you know, I have been using the SSH trademark as the brand name of my SSH (Secure Shell) secure remote login product and related technology ever since I released the first version in July 1995. I have explicitly claimed them as trademarks at least from early 1996.

In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.

To protect the SSH trademark I (or SSH Communications Security Corp, to be more accurate) registered the SSH mark in the United States and European Union in 1996 (others pending). We also have a registration pending on the Secure Shell mark.

The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH® name and mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.
We have also been distributing free versions of SSH Secure Shell under the SSH brand since 1995. The latest version, ssh-2.4.0, is free for any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems, as well as for universities and charity organizations, and for personal hobby/recreational use by individuals.

We have been including trademark markings in SSH distributions, on the www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards documents, license/readme files and product packaging long before the OpenSSH group was formed. Accordingly, we would like you to understand the importance of the SSH mark to us, and, by necessity, our need to protect the trademark against the unauthorized use by others.

Many of you are (and the initiators of the OpenSSH group certainly should have been) well aware of the existence of the trademark. Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.

I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark.

The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols.
The use of the SSH trademark by OpenSSH is in violation of my company's intellectual property rights, and is causing me, my company, our licensees, and our products considerable financial and other damage.

I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.

Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols. I started and fully support the IETF SECSH working group in its standardization efforts, and we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard. Anyone can implement the IETF SECSH working group standard without requiring any special licenses from us. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent.

Please also try to look at this from my viewpoint. I developed SSH (Secure Shell), started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorized use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years. I want to be able to continue using the SSH and Secure Shell names as identifying my own and my company's products and technologies, which the unlawful use of the SSH name by OpenSSH is making very hard.

Therefore, I am asking you to please choose another name for the OpenSSH product and stop using the SSH mark in your product name and in otherwise confusing manner.

Regards,

Tatu Ylonen

SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
Tatu,

On Wed, Feb 14, 2001 at 03:36:19AM +0200, Tatu Ylonen wrote:
> Friends,
>
> Sorry to write this to a developer mailing list. I have already approached some OpenSSH/OpenBSD core members on this, including Markus Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to bring the issue up on the mailing list. I am not aware of any other forum where I would reach the OpenSSH developers, so I will post this here.

[...]

I understand what you have written. I wonder if you understand what you have just done. You've probably done yourself far more damage than any since the ssh 2.x licensing debacle. Probably far more damage than any security attack.

I was a contributor back in the early days of ssh. I can now say that, whatever name it is named, I will support the OpenSSH project and recommend, both personally and professionally against the use of the commercial version of SSH in any environment. I find that the use of trademarks in this manner to be intellectually and ethically offensive in a manner which detracts severely from my confidence in your product. Security, apparently, now plays second fiddle at SSH Communications behind marketing and bully business practices. If that's the effect you want to achieve, I hope you enjoy the consequences.

I hope that you have informed the IETF of your efforts to trademark SSH and Secure Shell and have given them time to remove any and all reference from the RFCs. With luck, they'll change the RFCs sufficiently (to protect your trade mark) to render your version incompatible with the standard.

You should also now notify IANA of your actions to have their allocation of port 22 to ssh to be revoked. After all, we can't have your trademark sullied by association with other inferior products through the use of a common port bearing your trademarked name. Or are you also going to demand that they (OpenSSH, psst, lsh, and IETF) change port numbers as well since port 22 would link their products to your trademark? After all, your trademark is branded into almost every /etc/services file in many flavors of Unix/Linux/BSD.

I suppose you will now require that they change the name of the binaries as well. No more running ssh to connect to other systems or sshd to serve those connections. Well, we've seen what happened when RSA tried that. When RC4 became known and they tried to claim IP rights over the name. The public implementation became arcfour (for Alleged RC4). Based on that premiss, I propose the term assh and asshd. That way all of us will be reminded of the people who originated ssh. Our appreciation for that inventiveness and innovation. Our regrets for the ill turn of affairs. It will not be forgotten.

Regrettable and sad. Unfortunately, I suppose, also inevitable.

> Regards,
> Tatu Ylonen
> SSH Communications Security http://www.ssh.com/
> SSH IPSEC Toolkit http://www.ipsec.com/
> SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh

Mike

--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
On Wed, Feb 14, 2001 at 03:36:19AM +0200, Tatu Ylonen wrote:
> Friends,
>
> Sorry to write this to a developer mailing list. I have already approached some OpenSSH/OpenBSD core members on this, including Markus Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to bring the issue up on the mailing list. I am not aware of any other forum where I would reach the OpenSSH developers, so I will post this here.
>
> As you know, I have been using the SSH trademark as the brand name of my SSH (Secure Shell) secure remote login product and related technology ever since I released the first version in July 1995. I have explicitly claimed them as trademarks at least from early 1996.

Tatu -

I'm sure nobody bears your company or its employees any ill will. We can understand wanting to protect your investment of time, money, and will into your company. However, I think you're at a decision point with your trademark of the SSH name. Either it's a protocol and it's a standard name, or it's your company's name and it's proprietary. I think that asking a protocol to go to internet draft standard status and THEN, after last call, calling reserved words of that protocol proprietary is unfair and dishonest.

Is it 'ok' to use the three letters 'SSH' in the initial version exchange "SSH-1.5-OpenSOMETHINGELSE_2.3.2"? Should we even have to think about it?

--
David Terrell | If a crypto algorithm is cracked in a forest
Nebcorp Prime Minister | and a tree falls on a mime, does microsoft
dbt at meat.net | need to publish an advisory on it?
http://wwn.nebcorp.com/
Tatu Ylonen writes:
> The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols.

OpenSSH makes it quite clear that it's a derivative of your code by including your original READMEs and license information, as indicated by this excerpt from the LICENCE file distributed with it:

 * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
 * All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".

Apparently you've forgotten the original licensing terms under which you distributed SSH, and the rights you specifically granted to those who would derive works from it. It's too late for you to call those back now.

While I definitely agree that people should be encouraged to migrate away from SSH 1, even your company continues to distribute an SSH 1 client and server and continues to allow for fallback support in your SSH 2 server. OpenSSH is no more promoting the "fundamentally broken" SSH 1 protocol than your company is.
At 3:36 AM +0200 2/14/01, Tatu Ylonen wrote:
>I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.
>
>Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols. I started and fully support the IETF SECSH working group in its standardization efforts, [...]. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent.

Does this just affect the name of the product, such as OpenSSH or FreSSH (assuming they capitalize it that way), or does it go down to the command names too? Ie, are you saying that the command typed at the unix prompt needs to be something other than 'ssh', and the daemon should not be called 'sshd'?

[disclaimer: I'm not an openssh developer, I am just on this list to keep track of its development]

--
Garance Alistair Drosehn = gad at eclipse.acs.rpi.edu
Senior Systems Programmer or gad at freebsd.org
Rensselaer Polytechnic Institute or drosih at rpi.edu
mouring at etoh.eviladmin.org
2001-Feb-14 03:42 UTC
SSH trademarks and the OpenSSH product name
On Wed, 14 Feb 2001, Tatu Ylonen wrote:
> Friends,
>
[..]
> The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have
[..]

No disrespect, but I must point out a few things.

1) SSH Protocol 1 exists because people use it. There is a larger SSH v1 user base than v2 at this point. To just 'drop' a protocol without building a migration path is in extremely poor taste (it's something I expect from Microsoft or Intel).

2) The OpenSSH/OSSH source base came from a version of SSH that was under pure BSD licensing. And thus does not require your blessing nor "approval" to use. That is the whole point behind BSD licensing.

> Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols. I started and fully support the IETF SECSH working group in its standardization efforts, and we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard. Anyone can implement the IETF SECSH working group standard without requiring any special licenses from us. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent.

I suggest you go through your IETF draft and change all 'SSH' references to 'SECSH'. Because as it stands it states that 'SSH' is the protocol name. Which is confusing and also weakens your position.

[..]
> Therefore, I am asking you to please choose another name for the OpenSSH product and stop using the SSH mark in your product name and in otherwise confusing manner.

I urge you to consider what you are currently doing. This is currently still contained. This will be a very bad PR move if this continues, and it would not surprise me if this causes a backlash of hate from the Internet Community as a whole.

- Ben
On Wed, 14 Feb 2001, Tatu Ylonen wrote:
> Friends,
>
> Sorry to write this to a developer mailing list. I have already approached some OpenSSH/OpenBSD core members on this, including Markus Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to bring the issue up on the mailing list. I am not aware of any other forum where I would reach the OpenSSH developers, so I will post this here.

As I understand it, the OpenBSD team is still waiting on a letter from your lawyer.

> As you know, I have been using the SSH trademark as the brand name of my SSH (Secure Shell) secure remote login product and related technology ever since I released the first version in July 1995. I have explicitly claimed them as trademarks at least from early 1996.

To my knowledge you have not contacted any of the other implementors of SSH clients and servers who use 'SSH' in the name of their product (there are several). Why are you 1) making an issue now, when there have been SSH implementations using 'SSH' in their names for several years? and 2) targeting the OpenSSH team only?

> In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.
>
> To protect the SSH trademark I (or SSH Communications Security Corp, to be more accurate) registered the SSH mark in the United States and European Union in 1996 (others pending). We also have a registration pending on the Secure Shell mark.

This should be of interest to the IETF. It would be better for other implementers if every SSH implementation did not have to bear an advertisement for your company.

> The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH® name and mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.
>
> We have also been distributing free versions of SSH Secure Shell under the SSH brand since 1995. The latest version, ssh-2.4.0, is free for any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems, as well as for universities and charity organizations, and for personal hobby/recreational use by individuals.
>
> We have been including trademark markings in SSH distributions, on the www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards documents, license/readme files and product packaging long before the OpenSSH group was formed. Accordingly, we would like you to understand the importance of the SSH mark to us, and, by necessity, our need to protect the trademark against the unauthorized use by others.

Recognise also that SSH has been a generic term to describe the protocol well before your attempt to trademark it.

> Many of you are (and the initiators of the OpenSSH group certainly should have been) well aware of the existence of the trademark. Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.
>
> I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks.

I can relate to this - I receive a fair bit of email from users asking for help with your products.

> I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark.

Surely this is a matter that should be resolved with the authors of said articles.

> The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way).

This is unfair and more than a little disingenuous, as you must recall the license that you released ssh-1.2.12 under:

``As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".''

> The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols.

This is being uncharitable in the extreme. OpenSSH is providing a smooth migration path from SSH1 to SSH2. A near-future release of OpenSSH will be making protocol 2 the default.

As a security professional, you must surely be aware of the human factors pertaining to software uptake, specifically the tendency of people to refuse to upgrade if the immediate costs of doing so are too high.

Furthermore it is hypocritical to accuse us of doing a "disservice to the whole Internet security community" when you are still distributing ssh-1.x from ftp://ftp.ssh.com/

Please reconsider this approach, I think that the antipathy generated by pursuing a free software project will cost your company a lot more than a trademark.

-d

> The use of the SSH trademark by OpenSSH is in violation of my company's intellectual property rights, and is causing me, my company, our licensees, and our products considerable financial and other damage.
>
> I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.
>
> Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols. I started and fully support the IETF SECSH working group in its standardization efforts, and we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard. Anyone can implement the IETF SECSH working group standard without requiring any special licenses from us. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent.
>
> Please also try to look at this from my viewpoint. I developed SSH (Secure Shell), started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorized use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years. I want to be able to continue using the SSH and Secure Shell names as identifying my own and my company's products and technologies, which the unlawful use of the SSH name by OpenSSH is making very hard.
>
> Therefore, I am asking you to please choose another name for the OpenSSH product and stop using the SSH mark in your product name and in otherwise confusing manner.
>
> Regards,
>
> Tatu Ylonen

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
> As you know, I have been using the SSH trademark as the brand name of my SSH (Secure Shell) secure remote login product and related technology ever since I released the first version in July 1995. I have explicitly claimed them as trademarks at least from early 1996.

Didn't know that, since I've never seen it credited. See http://www.fsecure.com/products/ssh/client/index.html as an example; no mention I can find that "F-Secure SSH Client" is in any way related to a trademarked name. Curious that a business doesn't seem to be getting pushed about it, when they could actually pay licensing fees.

> The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH name and mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products offered under the mark.

Nah- I've come to recognize SSH Communications Security as the purveyor of commercial security software that, generally speaking, can't keep up with free stuff. Just out of curiosity, when the bug in RSAREF was discovered, was SSHCS's ssh-1 software vulnerable? Was OpenSSH?

> We have also been distributing free versions of SSH Secure Shell under the SSH brand since 1995. The latest version, ssh-2.4.0, is free for any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems, as well as for universities and charity organizations, and for personal hobby/recreational use by individuals.

Does that mean to imply that you have significant good will towards free software/open source software? Clearly it isn't the case here, if you're leaning on OpenSSH but not F-Secure. As of this moment, I'm writing this thanks to the free ssh client, Nifty Telnet SSH. No mention on the web page of the guy who added SSH support (http://www.lysator.liu.se/~jonasw/freeware/niftyssh/) that you're giving *him* trouble, nor any mention of the trademark you're claiming. Why is it that you're apparently not going after him?

> Many of you are (and the initiators of the OpenSSH group certainly should have been) well aware of the existence of the trademark. Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier.

Is it legal infringement when the license is clear that if the derived work is "incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell""? I don't have a copy of that RFC file, but I'm willing to bet OpenSSH is compatible with it.

> Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark.

Blame stupid media.

> The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way).

Yeah, well, that's what happens when you make something nice available for free (thank you by the way) and then try to restrict it. People take that free release and run with it.

> The use of the SSH trademark by OpenSSH is in violation of my company's intellectual property rights, and is causing me, my company, our licensees, and our products considerable financial and other damage.

Oh please. Because OpenSSH is better? Well, OK, that makes sense. But not because people are confused; just because they prefer a free, quality product to a not-free, not-so-quality product.

> I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion.

Yeah. OpenSSH is open, but it's based on SSH. SSH is, well, SSH. I fail to see the confusion.

> Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols.

No, but it sounds like you have a problem, from your above comments and related facts, that you've got something against implementations based on your own code. Which, frankly, doesn't make sense, since you gave us the code in the first place.

> I started and fully support the IETF SECSH working group in its standardization efforts, and we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard. Anyone can implement the IETF SECSH working group standard without requiring any special licenses from us. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent.

Does that mean we can't even use ssh for the binary name? Yeesh.

> Please also try to look at this from my viewpoint. I developed SSH (Secure Shell), started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name.

Oh? I didn't even know about the company for quite some time after I first started using it -- all I knew about was this hacker who'd realized telnet wasn't enough.

> Unauthorized use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years. I want to be able to continue using the SSH and Secure Shell names as identifying my own and my company's products and technologies, which the unlawful use of the SSH name by OpenSSH is making very hard.

Ummm... but OpenSSH *does* identify your (the singular, Tatu Ylonen form of you) product: it's based on your code, given unto the Internet community. Just because other people own copyright to some of the code, since they've added it, doesn't seem so bad, does it? Why you're not chasing after other people's products, just your own, is strange.

> Therefore, I am asking you to please choose another name for the OpenSSH product and stop using the SSH mark in your product name and in otherwise confusing manner.

I like the name OpenSSH. Short, simple, to the point. There are more worthy causes for the money I have to donate (like helping battered women) than OpenSSH, don't make me spend it -- and encourage other people to spend theirs -- to give all the help we can to OpenSSH.

--
Matthew Weigel
Research Systems Programmer
mcweigel+ at cs.cmu.edu
I have used secure shell, SSH 1, 2 and now recently SFTP in the administering and normal use of my servers. Our campus like many others has made a concerted effort to completely remove insecure protocols and connection methods. The catch in migrations is getting users to move in a relatively painless manner.

In late 1998 when I decided to try out SSH2 I had the unfortunate time of trying to get a straight and complete answer on how and when I could or could not use SSH in my daily duties. The license included appeared dense, confusing and contradictory. No one I talked with (which included ssh.com people) had any answer to my questions, only rumor and assumption. I was left with the decision to move to "free" SSH.com products with possible dubious licenses or remain in the status quo of using clear text services and protocols. It was a tough decision but we stuck with the enemy we knew, SSH was available for our Computer Science and academic people.

I like to play by the rules and because your company continued to release license after license that gave the educational user/reader the "impression" of usability, but continually avoid specific language to that effect. I could never justify the cost of having a lawyer review and explain in detail the "wherefore and what-nots" contained therein. The F-Secure/Data-fellows/SSH.com's products thus have never been supported by our campus.

I harbor no ill will to you or your associates Mr. Ylonen but as stated in at least one e-mail the appearance of OpenSSH was not only a godsend but allowed me to begin moving our whole campus to secure protocols. While this process has not completed, through the efforts of OpenSSH developers, testers and users I believe it to be an attainable goal.

Your recent posts to BUGTRAQ have been disturbing as they appear to be an intense effort to force users to SSH2 and alienate users of SSH1 by not providing a clear upgrade path. Thus OpenSSH is again a better product for our campus as it supports both 1 & 2 in the same daemon which while perhaps not as "secure" as the dueling daemons needed to provide the same functionality in SSH.com products. It certainly gives me a viable solution for our campus.

I think you have chosen a poor way of announcing your intentions, I also think you'll find more ill will directed to you and your company because of your message and your attitude. That will be your burden to bear and I wish you luck as life can be extremely hard when you have to fight your own words.

Sincerely,

Brian Friday
Systems Administrator
La Sierra University
(909) 785-2554 x2
Damien Miller wrote:
> To my knowledge you have not contacted any of the other implementors of SSH clients and servers who use 'SSH' in the name of their product (there are several). Why are you 1) making an issue now, when there have been SSH implementations using 'SSH' in their names for several years? and 2) targeting the OpenSSH team only?

[Note: I'm not actually subscribed to this list; I was pointed to the web archive...]

So I guess I should throw in my CA$0.02. IANAL, so I'm going to restrict this message to facts, and not opinions.

When I wrote an independent implementation of the RFC file contained in the ssh distribution (a version for the Palm Pilot, called Top Gun ssh), I used "ssh" in the name because that was the name of the protocol, as outlined in the RFC. Certainly TGssh was not a derived work of ssh in the copyright sense; it was merely an implementation of the ssh protocol.

This was in the summer of 1997. I exchanged email with Tatu, Camillo Sars, and Kalle Kaukonen at the time (I had found discrepancies between the ssh RFC and the ssh deployed software); Tatu even asked me if I'd be willing to do an implementation of the 2.0 protocol. No one ever asked me to not use the "ssh" name in the program title.

- Ian
>>>>> Tatu Ylonen writes:

TY> To protect the SSH trademark I (or SSH Communications Security Corp, to be more accurate) registered the SSH mark in the United States and European Union in 1996 (others pending). We also have a registration pending on the Secure Shell mark.

Mr Ylonen, you do not have a registered trademark in the United States for the term 'SSH'. You have a registered trademark for a specific stylized form of the letters 'SSH' (registration number 2141991). There is a "typed drawing" mark registered for SSH, but that belongs to Fairchild Industries.

As for your obtaining a "typed drawing" registered mark, you may wish to refer to Section 2 paragraph e of the Trademark Act (15 USC 1052), which indicates that a mark may be denied if the mark is merely descriptive of the product. If you wish to claim that the term "secure shell" and its abbreviation 'ssh' are not descriptive of your product, please feel free to do so.

--
What country can preserve its liberties if its rulers are not warned from time to time that their people preserve the spirit of resistance? Let them take arms. The remedy is to set them right as to facts, pardon and pacify them.
-- Thomas Jefferson to William Stephens Smith, 1787. ME 6:373, Papers 12:356