I'd like to address several issues raised by people in relation to my notice of the ssh(R) trademark to the OpenSSH group. Also, I would like to make a proposal to the community for resolving this issue (included at the end). First, I'll answer a number of questions and arguments presented in the discussion.> "the SSH Corp trademark registration in the US is for a logo only"It is for the lowercase word "ssh" (I was mistaken earlier in saying that it was for the uppercase word "SSH"). As many people obviously know, trademark registrations in the USA are a matter of public record and it is open to anyone to review the details of SSH Corp's trademark portfolio. Under US law, a trademark registration entitles the owner to exclusive use of the trademark as it is registered, in relation to the goods and/or services for which it is registered. Trademark infringement occurs when another person uses the same, or a substantially identical mark, for the same or related goods or services, in a manner which is likely to cause consumer confusion. Consequently, use of the uppercase word "SSH" or a name containing the "ssh" or "SSH" mark will likely amount to trademark infringement under US law, if it is in relation to goods or services within the same field of use covered by our ssh(R) trademark. Of course, there are many possible non-infringing uses of "SSH", for example, anyone might have a brand of chocolade called "SSH".> "A license was granted in 1995 that allows free use of the trademarks"This is not accurate, but refers to the following language in ssh-1.2.12 COPYING file: As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". First, this is a copyright license ("the CODE can be used..."), with an additional restriction on naming. It is not a trademark license. Also, this text is from the COPYING file from ssh-1.2.12, dated Nov 17, 1995. The trademark claims were made in 1996 (ssh-1.2.13 was the first release claiming them, released on Feb 11, 1996), and this license provision would not have covered them anyway. Ever since, our policy has been not to allow unauthorized use of the trademarks. The trademark claims have been made consistently in every release ever since.> "no-one has ever been notified of infringement"For example, I notified Van Dyke of the trademark a few years ago when they used the SSH mark on their web site inappropriately. We discussed it, they were very co-operative, and immediately added trademark markings and acknowledgement on their website. Issue solved. (They were not using it in a product name.) Basically, anyone we have ever really encountered in the marketplace has either been notified or is a licensee of ours.> "F-Secure SSH has been using the name for years"F-Secure (formerly Data Fellows) is our distributor/VAR, and they are using the SSH trademark in their product name under a separate written trademark license agreement. All of the F-Secure SSH products are SSH Communication Security Corp's products, some verbatim and some with modifications by F-Secure.> (reference to FiSSH, TTSSH, Top Gun ssh, etc.)These are all non-commercial academic projects made at universities. We have never really encountered any one of these in the marketplace. We have tried to notify commercial people who have been using the trademark inappropriately. OpenSSH was the first non-commercial implementation to raise to the radar screen.> "why did you notify OpenSSH now"The reason OpenSSH was contacted now was that they have only become more visible during the last months, and I have recently seen a significant increase in e-mails confusing the meaning of the SSH trademarks and using them inappropriately. I have also recently received quite a few e-mails confusing OpenSSH as my product.> "how about the 'ssh' command name under Unix/Linux?"This relates to the proposal I want to make. Basically, I am willing to work out a way that will allow anyone to use the "ssh" command name on Unix/Linux. It appears that there are ways to do it without exposing our trademarks to unnecessary risk. The arrangement I am proposing would be as follows. - We (SSH Corp) would allow the use of "ssh" (and sshd, etc) as a command name on Unix/Linux under the following restrictions: - Any product where the command name "ssh" is used must only be licensed under a valid license (i.e., must not be in the public domain). E.g. BSD license, GPL, and normal commercial licenses would all be ok. - An acknowledgement of our ownership of the ssh(R) and Secure Shell(TM) trademarks must be included in the software (help text, documentation, license). It would not need to be printed out every time the program is normally run, but would need to be included in e.g. in an appropriate place on man pages and in help texts. - The SSH Corp trademarks cannot be used in product names without a separate trademark license from us (which we would not normally grant, unless we see a valid business case for it, and then only for products using a compatible protocol). - A new unencumbered name is created for the protocol, which can be used by any vendor without creating confusion. The IETF standard would be renamed to use the new protocol name, and the community would work to cease using "SSH" as a protocol name and would instead start using the new name. The new name would need to be unencumbered, and the xx.com, xx.net, and xx.org domain names would be made to permanently point to e.g. the IETF main page. My own proposal would be to change the name to SECSH, provided that Van Dyke is willing to contribute their currently unused secsh.com domain name for this purpose. We would be willing to contribute our secsh.org and secsh.net domains on the same basis. - We would submit an official statement to the IETF that we will make no trademark claims about the "bits on the wire" in the protocol (e.g., the protocol version strings or the various names used in the protocol). - We would need to reach agreement with the OpenSSH group to change their product name and to otherwise cease using the SSH trademarks inappropriately. We appreciate that some people have brought the non-commercial university group use to our attention. We are carefully reviewing this situation. Let's discuss the exact terms if I get a preliminary "ok, looks fine, let's try to get this resolved along those lines" from the community and the relevant parties. Please let us know what you think. Best regards, Tatu Ylonen Chairman and CTO, SSH Communications Security Corp PS. For reference, if someone hasn't seen it yet, I'll include my original e-mail to the OpenSSH mailing list.>From ylo Wed Feb 14 03:36:19 +0200 2001From: Tatu Ylonen <ylo at ssh.com> To: openssh-unix-dev at mindrot.org Subject: SSH trademarks and the OpenSSH product name Organization: SSH Communications Security, Finland Friends, Sorry to write this to a developer mailing list. I have already approached some OpenSSH/OpenBSD core members on this, including Markus Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to bring the issue up on the mailing list. I am not aware of any other forum where I would reach the OpenSSH developers, so I will post this here. As you know, I have been using the SSH trademark as the brand name of my SSH (Secure Shell) secure remote login product and related technology ever since I released the first version in July 1995. I have explicitly claimed them as trademarks at least from early 1996. In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand. To protect the SSH trademark I (or SSH Communications Security Corp, to be more accurate) registered the SSH mark in the United States and European Union in 1996 (others pending). We also have a registration pending on the Secure Shell mark. The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH? name and mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp. We have also been distributing free versions of SSH Secure Shell under the SSH brand since 1995. The latest version, ssh-2.4.0, is free for any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems, as well as for universities and charity organizations, and for personal hobby/recreational use by individuals. We have been including trademark markings in SSH distributions, on the www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards documents, license/readme files and product packaging long before the OpenSSH group was formed. Accordingly, we would like you to understand the importance of the SSH mark to us, and, by necessity, our need to protect the trademark against the unauthorized use by others. Many of you are (and the initiators of the OpenSSH group certainly should have been) well aware of the existence of the trademark. Some of the OpenBSD/OpenSSH developers/sponsors have also received a formal legal notice about the infringement earlier. I have started receiving a significant amount of e-mail where people are confusing OpenSSH as either my product or my company's product, or are confusing or misrepresenting the meaning of the SSH and Secure Shell trademarks. I have also been informed of several recent press articles and outright advertisements that are further confusing the origin and meaning of the trademark. The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way). The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols. The use of the SSH trademark by OpenSSH is in violation of my company's intellectual property rights, and is causing me, my company, our licensees, and our products considerable financial and other damage. I would thus like to ask you to change the name OpenSSH to something else that doesn't infringe the SSH or Secure Shell trademarks, basically to something that is clearly different and doesn't cause confusion. Also, please understand that I have nothing against independent implementations of the SSH Secure Shell protocols. I started and fully support the IETF SECSH working group in its standardization efforts, and we have offered certain licenses to use the SSH mark to refer to the protocol and to indicate that a product complies with the standard. Anyone can implement the IETF SECSH working group standard without requiring any special licenses from us. It is the use of the "SSH" and "Secure Shell" trademarks in product names or in otherwise confusing manner that we wish to prevent. Please also try to look at this from my viewpoint. I developed SSH (Secure Shell), started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorized use of the SSH mark by the OpenSSH group is threathening to destroy everything I have built on it during the last several years. I want to be able to continue using the SSH and Secure Shell names as identifying my own and my company's products and technologies, which the unlawful use of the SSH name by OpenSSH is making very hard. Therefore, I am asking you to please choose another name for the OpenSSH product and stop using the SSH mark in your product name and in otherwise confusing manner. Regards, Tatu Ylonen SSH Communications Security http://www.ssh.com/ SSH IPSEC Toolkit http://www.ipsec.com/ SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh
On Fri, Feb 16, 2001 at 12:51:06PM +0200, Tatu Ylonen wrote:> I'd like to address several issues raised by people in relation to my > notice of the ssh(R) trademark to the OpenSSH group. Also, I would > like to make a proposal to the community for resolving this issue > (included at the end).> First, I'll answer a number of questions and arguments presented in > the discussion.> > "the SSH Corp trademark registration in the US is for a logo only"> It is for the lowercase word "ssh" (I was mistaken earlier in saying > that it was for the uppercase word "SSH"). As many people obviously > know, trademark registrations in the USA are a matter of public record > and it is open to anyone to review the details of SSH Corp's trademark > portfolio.> Under US law, a trademark registration entitles the owner to exclusive > use of the trademark as it is registered, in relation to the goods > and/or services for which it is registered. Trademark infringement > occurs when another person uses the same, or a substantially identical > mark, for the same or related goods or services, in a manner which is > likely to cause consumer confusion. Consequently, use of the > uppercase word "SSH" or a name containing the "ssh" or "SSH" mark will > likely amount to trademark infringement under US law, if it is in > relation to goods or services within the same field of use covered by > our ssh(R) trademark. Of course, there are many possible > non-infringing uses of "SSH", for example, anyone might have a brand > of chocolade called "SSH".Counter point... Containing a sequence of letters within another word does not necessarily constitute trademark infringement or Microsoft would have been all over the X Consortium for violating their trademark for "Windows" by the term "X-Windows". I think they would have a MUCH stronger leg to stand on than OpenSSH vs ssh. I think I remember some of the controversy over that, years ago, and the arguments regarding trademarking of common terms and whether the actual trademark is for MS-Windows or Windows. Someone else can research the details on that one if they really like. You, yourself, have now even contradicted yourself. In the paragraphs above, you have confirmed that the trademark is for the lower case "ssh" and NOT for the uppercase "SSH". Therefore OpenSSH does not incorporate your trademark (lowercase ssh). I will leave to others the arguement of the style and design of the lowercase ssh, but you made it clear right here: "I was mistaken earlier in saying that it was for the uppercase word "SSH"". That should close that issue, but you go on to put forth the non-sequitar that "Consequently, use of the uppercase word "SSH" or a name containing the "ssh" or "SSH" mark will likely amount to trademark infringement under US law..." That directly contradicts your statement that "SSH" is not part of the registration as a trademark. The question is whether "OpenSSH" as opposed to "ssh" is substantially different enough to distinguish between the two. IMHO, the very term "Open"SSH establishes a boundry of distinction that it is separate and unique and that it is set apart from "SSH(r)". [Skipping the license point] [Skipping the notification point]> > "how about the 'ssh' command name under Unix/Linux?"> This relates to the proposal I want to make.> Basically, I am willing to work out a way that will allow anyone to use > the "ssh" command name on Unix/Linux. It appears that there are > ways to do it without exposing our trademarks to unnecessary risk.> The arrangement I am proposing would be as follows.> - We (SSH Corp) would allow the use of "ssh" (and sshd, etc) as a > command name on Unix/Linux under the following restrictions:> - Any product where the command name "ssh" is used must only be > licensed under a valid license (i.e., must not be in the > public domain). E.g. BSD license, GPL, and normal commercial > licenses would all be ok.I don't see how you could possibly enforce that. Quite frankly, that doesn't even seem to make sense. If someone puts something into public domain, anyone can rename it to anything they want. But that's totally non-relevant to this discussion anyways, since OpenSSH is not "public domain".> - An acknowledgement of our ownership of the ssh(R) and Secure > Shell(TM) trademarks must be included in the software (help > text, documentation, license). It would not need to be > printed out every time the program is normally run, but would > need to be included in e.g. in an appropriate place on man > pages and in help texts.Just for the name of the command? Can you quote some precedence for that? I can certainly see adding some changes to the acknowledgements THAT ALREADY EXIST: ] AUTHORS ] OpenSSH is a derivative of the original and free ssh 1.2.12 release by ] Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo ] de Raadt and Dug Song removed many bugs, re-added newer features and cre? ] ated OpenSSH. Markus Friedl contributed the support for SSH protocol ] versions 1.5 and 2.0. Fine... I could see placing a trademark acknowledgement in there. That would seem perfectly reasonable and appropriate. By "help texts" I assume you mean things like Windows help files and info files and READMEs. Seems like they already acknowledge authorship and acknowledging trade mark on "lower case ssh" sounds reasonable as well. I would vote for that.> - The SSH Corp trademarks cannot be used in product names > without a separate trademark license from us (which we would > not normally grant, unless we see a valid business case for > it, and then only for products using a compatible protocol).Not sure were the relevance of this is. That would be between you and those other parties. No connection with OpenSSH under discussion now.> - A new unencumbered name is created for the protocol, which can be > used by any vendor without creating confusion. The IETF standard > would be renamed to use the new protocol name, and the community > would work to cease using "SSH" as a protocol name and would > instead start using the new name. The new name would need to be > unencumbered, and the xx.com, xx.net, and xx.org domain names > would be made to permanently point to e.g. the IETF main page. My > own proposal would be to change the name to SECSH, provided that > Van Dyke is willing to contribute their currently unused secsh.com > domain name for this purpose. We would be willing to contribute > our secsh.org and secsh.net domains on the same basis.You pushed this effort within the IETF and you obtained the registration from IANA. Now maybe you realize your mistake and you want to tell everybody you just want to take it back. Your credibility with the IETF is certain shot to hell from the sounds of the comments on that list. IANAL... Considering that the comoditization of your term "ssh" is largely the result of your efforts with IANA and IETF and your promotion of other implimentation as required by the IETF (what, you only expected non-commercial implimentations?), I can't see where you have a position you can even bring to court. This was a self inflicted injury on your part. IMPO... The use of ssh as the protocol name vs the use of ssh as the command name vs the use of "SSH" encapsulated as a substring within another string are three totally separate issues. Right now, it looks like the IETF is pulling back their draft for a rework as a direct result of YOUR SCREWUP. They are rightfully and justifyably pissed at the under handed double dealing you've just pulled. IANA is another matter. IANA still says that port 22/tcp is registered to "ssh" (all lower case). I have never heard of ANY single instance where a port allocation was changed due to a trademark infringement, and there are LOTS of trademarks in the port-numbers document. Just search for "Oracle" or "SQL*NET" (sql*net) or SNA. Say! SNA is a good one, isn't that an IBM trademark? We've got all kinds of Cisco stuff and Unisys stuff in there. We (where I work) have implimented code which utilizes the "sql*net" protocol without infrinding on trademarks and there is even open source code for a lot of these protocols. A significant percentage of that document seems to be trademark stuff. I don't think you've got any justification for renaming the port or protocol. Changing the name of the protocol is also outside the scope of this mailing list as well. If you convince IANA and IETF to change the name and then magically get all the /etc/services files updated and get everyone else to agree to the new symbolic name for the protocol, then OpenSSH would have no choice but to follow. So OpenSSH can't change it on their own and, if the other bodies change it, OpenSSH would have to change it. That makes the decision here neither necessary nor sufficient.> - We would submit an official statement to the IETF that we will make no > trademark claims about the "bits on the wire" in the protocol (e.g., > the protocol version strings or the various names used in the > protocol).To avoid them totally shooting you out the tubes and telling everyone to just go home because it was just one big mistake. Yes, that would be nice and a minimum just to protect your own investment in that process.> - We would need to reach agreement with the OpenSSH group to change > their product name and to otherwise cease using the SSH > trademarks inappropriately. We appreciate that some people have > brought the non-commercial university group use to our attention. > We are carefully reviewing this situation.So far, with OpenSSH you've only got the name of the project (but that's not using your lower case "ssh"), the name of the protocol (which there is no precedence or justification for changing the name and plenty of precedence for not), and references in the documentation. I would vote for adding appropriate remarks to the documentation but the command name and the already non-infringing project name, not. How far are you going to take the name thing. Would HSS conflict (in the great XINU tradition - XINU is not UNIX)? What about S-S-H? or "Security-Shell". At what point do you stop dangling a sword over everyone's head or can we expect more noise like the same before every stockholder's meeting?> Let's discuss the exact terms if I get a preliminary "ok, looks fine, > let's try to get this resolved along those lines" from the community > and the relevant parties.IMPO... The acknowledgements are reasonable and should be done as soon as possible in any case. Changing the name of the protocol has no precedence and there are plenty of registered protocols carrying names which are also trademark names, so that's not a reasonable requirement. Updating the IETF draft to clarify the trademark status, is reasonable and taking place now. By your own statement about the wording of your trademark registration, OpenSSH, the name, is not literally conflicting with the trademark "ssh", so I don't see that as reasonable either, but the choice of the project name is best left up to the project team.> Please let us know what you think.> Best regards,> Tatu Ylonen > Chairman and CTO, SSH Communications Security Corp> PS. For reference, if someone hasn't seen it yet, I'll include my > original e-mail to the OpenSSH mailing list.[Skipping original letter]> Regards,> Tatu Ylonen> SSH Communications Security http://www.ssh.com/ > SSH IPSEC Toolkit http://www.ipsec.com/ > SSH(R) Secure Shell(TM) http://www.ssh.com/products/sshInteresting... You just told us that the trademark is only for "ssh" and not "SSH". Now you are trying to convince us that "SSH" is also a registered trademark in direct contradiction of your earlier statements. I think it's also significant to note that this is a recent trend (less than a year) of yours. I have mail from you going back years. Here's your signature from one back in late 1998: ] -- ] SSH Communications Security http://www.ssh.fi/ ] SSH IPSEC Toolkit http://www.ipsec.com/ ] Free Unix SSH http://www.ssh.fi/sshprotocols2/ Hmmm... No claims of trademark there... Here it is from 4/14/2000 on the ssh mailing list: ] SSH Secure Shell http://www.ssh.com/ ] - The real and the original SSH, directly from the people who invented ] the SSH protocol. Later that very day, your current signature with the (R) and (TM) claims appeared. Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
On Fri, Feb 16, 2001 at 12:51:06PM +0200, Tatu Ylonen wrote:> - Any product where the command name "ssh" is used must only be > licensed under a valid license (i.e., must not be in the > public domain). E.g. BSD license, GPL, and normal commercial > licenses would all be ok. > > - An acknowledgement of our ownership of the ssh(R) and Secure > Shell(TM) trademarks must be included in the software (help > text, documentation, license). It would not need to be > printed out every time the program is normally run, but would > need to be included in e.g. in an appropriate place on man > pages and in help texts. >I wonder now if grep, sed, sh, and other unix commands must be similarly carefully treated. What if I have been distributing my little Unix like OS for 20 years, and this OS has a script called s.sh? Now you are telling me to change this script's name? What if openssh changes its name to opensafesh (but opensafe sounds better---it even sounds like a challenge), the executable is called safesh, and INSTALL has as a final step, run ln -s safesh ssh ln -s safeshd sshd ln -s safecp scp # just to be a on the safeside ln -s safeftp sftp # ditto> would work to cease using "SSH" as a protocol name and would > instead start using the new name. The new name would need to be > unencumbered, and the xx.com, xx.net, and xx.org domain names > would be made to permanently point to e.g. the IETF main page. My > own proposal would be to change the name to SECSH, provided that > Van Dyke is willing to contribute their currently unused secsh.com > domain name for this purpose. We would be willing to contribute > our secsh.org and secsh.net domains on the same basis.Until somebody comes along, and trademarks/copyrights this name as well, so we have to start removing secsh from our boxes. Do people know for sure that `sh' has not been trademarked in some obscure coutry?> > - We would submit an official statement to the IETF that we will make no > trademark claims about the "bits on the wire" in the protocol (e.g., > the protocol version strings or the various names used in the > protocol).Again, somebody else will come and trademark the name. They *will* succeed. People might even succeed just trademarking the letter `s' in places where it might imply `secure'. In any case, I am not sure anymore if I can say "ssssh" to my crying 7 months old. --- Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Tatu Ylonen wrote:> > > "A license was granted in 1995 that allows free use of the > > trademarks" > > This is not accurate, but refers to the following language in > ssh-1.2.12 COPYING file: > > As far as I am concerned, the code I have written for this software > can be used freely for any purpose. Any derived versions of this > software must be clearly marked as such, and if the derived work is > incompatible with the protocol description in the RFC file, it must > be called by a name other than "ssh" or "Secure Shell". > > First, this is a copyright license ("the CODE can be used..."), with an > additional restriction on naming. It is not a trademark license.Of course, because you didn't have the trademark then. However, your statement presumes that the word "ssh" is in the public domain and that others will be able to use it ... otherwise you wouldn't need this clause at all.> Also, this text is from the COPYING file from ssh-1.2.12, dated Nov > 17, 1995. The trademark claims were made in 1996 (ssh-1.2.13 was the > first release claiming them, released on Feb 11, 1996), and this > license provision would not have covered them anyway. Ever since, our > policy has been not to allow unauthorized use of the trademarks. The > trademark claims have been made consistently in every release ever > since.The fact remains that in 1995 you stated your intention to allow people to use the name "ssh" for their derived works, with no indication of limited duration or other terms, and then in Feb 1996 you decided to rescind that right. Even if you could legally do that, which I doubt, that's pretty low.> > "no-one has ever been notified of infringement" > > For example, I notified Van Dyke of the trademark a few years ago when > they used the SSH mark on their web site inappropriately. We > discussed it, they were very co-operative, and immediately added > trademark markings and acknowledgement on their website. Issue > solved. (They were not using it in a product name.)No-one (or at least, none of the posts I've read) claimed "no-one has ever been notified of infringement". The claim is that there are major users of the word "SSH" who have never been notified.> > (reference to FiSSH, TTSSH, Top Gun ssh, etc.) > > These are all non-commercial academic projects made at universities. > We have never really encountered any one of these in the marketplace.FiSSH never really existed and Top Gun doesn't seem to be used much, but there are a lot of TTSSH users. Try searching for "TTSSH" in Google and observe how many universities, labs, ISPs, etc have set up Web pages to tell their students/customers/employees about it. It's a very long list*. Now, it may not be commercially significant to you, since I never got a dime and a lot of those people wouldn't pay for your client anyway. And of course you can stretch your definition of "really encountered" to fit whatever scenario you need. The fact remains that (except for my ego) it doesn't matter what you "really encountered" or what is "commercially significant", because under trademark law you have to protect your mark against all comers, not just the ones you don't like or the ones you think are important. Note that searching for "Windows SSH client" in Google, the first hit is TTSSH, and the second hit is PuTTY, which uses the word "SSH" prominently in its Web page without attribution. If that's not trademark dilution, I don't know what is. * Also, searching for "TTSSH" in Google gets about 5,600 hits, whereas "SecureCRT" gets around 8,100. Your threshold of "really encountered" seems to be quite finely tuned.> > "how about the 'ssh' command name under Unix/Linux?" > > This relates to the proposal I want to make....> Let's discuss the exact terms if I get a preliminary "ok, looks fine, > let's try to get this resolved along those lines" from the community > and the relevant parties.It would be a fair proposal if your trademark was defensible, but I think it could hardly be more clear that you have failed to protect the mark and that it has passed into the public domain. So I'm not very interested in your proposal. If you can somehow get the community to go along with it, I'll follow, otherwise, I won't bother. This is a sad situation because I think by not pursuing your trademark in the past, you did a good and reasonable thing. It feels a bit like you're now being punished for that. However, the truth is that you are being punished because you have stopped being reasonable. If you planned to ever enforce your trademark, then it would have been better for everyone (and required by law) for you to have enforced it from the beginning. Rob -- [Robert O'Callahan http://www.cs.cmu.edu/~roc 7th year CMU CS PhD student "Now when Joshua was near Jericho, he looked up and saw a man standing in front of him with a drawn sword in his hand. Joshua went up to him and asked, 'Are you for us or for our enemies?' 'Neither,' he replied, 'but as commander of the army of the LORD I have now come.'" - Joshua 5:13-14]
> > "A license was granted in 1995 that allows free use of the trademarks" > > This is not accurate, but refers to the following language in > ssh-1.2.12 COPYING file:That's a mischaracterization of the argument: a license was granted in 1995 that allows derivative works to use of the term ssh, when in compliance with the SSH-1.3 protocol. Note the result of the trademark of Linux(R). While you are certainly not in the same position as Della Croce, who attempted to establish a trademark for something with which he had no connection, you are in a similar position as to the prior existance and use of the term within the markets the trademark is active.> Also, this text is from the COPYING file from ssh-1.2.12, dated Nov > 17, 1995. The trademark claims were made in 1996 (ssh-1.2.13 was the > first release claiming them, released on Feb 11, 1996), and this > license provision would not have covered them anyway. Ever since, our > policy has been not to allow unauthorized use of the trademarks. The > trademark claims have been made consistently in every release ever > since.But it clearly delineates that software, not from SSH Corp, has been using the mark since before the trademark was in existance or claimed. Thus, by not preventing these non-SSH Corp products from using the trademark, I think you've given it up.> > "no-one has ever been notified of infringement" > > For example, I notified Van Dyke of the trademark a few years ago when > they used the SSH mark on their web site inappropriately. We > discussed it, they were very co-operative, and immediately added > trademark markings and acknowledgement on their website. Issue > solved. (They were not using it in a product name.) > > Basically, anyone we have ever really encountered in the marketplace > has either been notified or is a licensee of ours. > > > "F-Secure SSH has been using the name for years" > > F-Secure (formerly Data Fellows) is our distributor/VAR, and they are > using the SSH trademark in their product name under a separate written > trademark license agreement. All of the F-Secure SSH products are SSH > Communication Security Corp's products, some verbatim and some with > modifications by F-Secure.But trademark is not claimed, regardless -- note the web pages I previously referenced.> > (reference to FiSSH, TTSSH, Top Gun ssh, etc.) > > These are all non-commercial academic projects made at universities.Irrelevant. They are still "Computer programs and software for preventing unauthorized access to computer networks and for providing secure connections to computer networks."> We have never really encountered any one of these in the marketplace.But you make an SSH for MacOS. Haven't you encountered Nifty Telnet SSH there? Hint: I use Nifty Telnet SSH, and specifically avoid the SSH for MacOS from F-Secure because of it. So you have.> We have tried to notify commercial people who have been using the > trademark inappropriately. OpenSSH was the first non-commercial > implementation to raise to the radar screen.Well, you clearly can't claim lack of knowledge about some of these other products, so can you explain what is required to 'raise to the radar screen'? These other products diluted the trademark, since they fall under the description of the purpose of the trademark as delineated in your trademark registration.> > "why did you notify OpenSSH now" > > The reason OpenSSH was contacted now was that they have only become > more visible during the last months, and I have recently seen a > significant increase in e-mails confusing the meaning of the SSH > trademarks and using them inappropriately. I have also recently > received quite a few e-mails confusing OpenSSH as my product.Sorry, that can be annoying. But then, you misuse the ssh mark as well, since you use it in a form other than "ssh-brand secsh [or whatever]."> > "how about the 'ssh' command name under Unix/Linux?" > > This relates to the proposal I want to make. > > Basically, I am willing to work out a way that will allow anyone to use > the "ssh" command name on Unix/Linux. It appears that there are > ways to do it without exposing our trademarks to unnecessary risk.But are you in a position to offer this? That is, can you enforce it, or is it just a description of what you'd like to happen?> The arrangement I am proposing would be as follows. > > - We (SSH Corp) would allow the use of "ssh" (and sshd, etc) as a > command name on Unix/Linux under the following restrictions:What about under Windows, Plan 9, OS/2.... I'm all for an amicable conclusion. Unfortunately, I also think that the ssh trademark is indefensible and a poor idea. -- Matthew Weigel Research Systems Programmer mcweigel+ at cs.cmu.edu
Matthew (and others): Please do not CC: discussions of the validity of the ssh trademark to the IETF Secure Shell protocol working group list <ietf-ssh at clinet.fi>; they're out of scope for the working group. Thank you for your cooperation. - Bill
At 12:51 PM +0200 2/16/01, Tatu Ylonen wrote:>I'd like to address several issues raised by people in relation >to my notice of the ssh(R) trademark to the OpenSSH group. Also, >I would like to make a proposal to the community for resolving >this issue (included at the end).I think Tatu has done a great service for the internet community by creating an encrypted alternative to telnet, one which became good enough, available widely enough, and promoted well enough that we can now talk about machines where telnetd is completely disabled. Part of the reason it caught on so well was the initial licensing. If the code had come out in 1994 with all of these trademark issues explicitly stated, then people would have shied away from it, and it would not have caught on as well. Witness, for instance, how much more reluctant people are to install ssh2 than the original ssh, even though everyone seems to agree that the ssh2 protocol is superior to ssh1's. The difference is in the licensing. I state that as fact, not opinion, because I know why WE (RPI) have not deployed ssh2 anywhere, except for machines which have openssh installed. While I can appreciate the challenge of running a company on software, I really don't see how you can retroactively change the original license. I find the following excerpt particularly ludicrous:>The confusion is made even worse by the fact that OpenSSH is >also a derivative of my original SSH Secure Shell product, >and it still looks very much like my product (without my >approval for any of it, by the way).The original license EXPLICITLY said: As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". The openssh project took that paragraph literally. They used it to create another ssh. They clearly indicate that their work is a derivative of yours, because YOU EXPLICITLY ASKED people to do that. The result IS compatible with the RFC, and thus they do NOT have to change the name from 'ssh' and 'secure shell' to comply with the above paragraph. You EXPLICITLY said that "this software can be used FREELY for any purpose", so it's pretty odd that you now imply that people were supposed to ask for "your approval" before creating a derivative work. Part of your proposal states: - A new unencumbered name is created for the protocol, which can be used by any vendor without creating confusion. The IETF standard would be renamed to use the new protocol name, and the community would work to cease using "SSH" as a protocol name and would instead start using the new name. The new name would need to be unencumbered, and ... I think this just proves the fact that the name 'ssh' is already a generic term. It IS being used generically. You want to STOP that generic use, claiming that 'ssh' should be your trademark. However, it became a generic term BEFORE you had it registered as a trademark, which to me implies the problem is in the trademark, and not in its use as a generic term. So, I'm no lawyer, but I would be interested in hearing how your current position is legally defensible, given the actual history of events. As I say, I appreciate that you're trying to run a company, and I wish you no ill-will in that endeavor. However, I maintain that part of the reason for the success of ssh (the protocol) was the original licensing, and I don't appreciate that you are now trying to subvert that original license. In your message, you also claim:>The reason OpenSSH was contacted now was that they have only >become more visible during the last months, and I have recently >seen a significant increase in e-mails confusing the meaning of >the SSH trademarks and using them inappropriately.In your earlier message, you mentioned:>We have also been distributing free versions of SSH Secure Shell >under the SSH brand since 1995. The latest version, ssh-2.4.0, >is free for any use on the Linux, FreeBSD, NetBSD, and OpenBSD >operating systems, ...Funny how ssh2 is available for free for these operating systems, ALL OF WHICH now ship with openssh (although I guess NetBSD might soon change). I must admit that I do not know your current license, but back when OpenSSH was just starting to appear I am pretty certain that we could NOT use ssh2 "for any use" on OpenBSD or FreeBSD. How is it that you now know these operating systems well enough to list them in your license, but you were not aware that OpenSSH was available for all of them? I think you will have trouble proving "due diligence" in protecting your trademark, under these circumstances. Speaking of "due diligence", you should also note: ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-current/pkgsrc/security/fressh/README.html ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-current/pkgsrc/security/fressh/pkg/DESCR which talks about "fressh", a clean-room implementation of the ssh protocols. You'll need to go after them, too, I would think. At 12:51 PM +0200 2/16/01, Tatu Ylonen wrote:>Please also try to look at this from my viewpoint. I developed >SSH (Secure Shell), started using the name for it, established >a company using the name, all of our products are marketed >using the SSH brand, and we have created a fairly widely known >global brand using the name.When did you start using the SSH brand for your company products? As far as I'm aware, I initially bought your products thru a company called DataFellows, under a brand name of 'F-Secure'. (and yes, I did buy Mac clients thru there). It is only in the last year or two that I was aware that ssh.com sold clients of it's own. By then, openssh and teraterm ssh were well known. In the Mac world, there's also "MacSSH" and "NiftyTelnet SSH" (check www.macorchard.com, under the 'Terminal' section). You will also need to go after all of those, if you have problems with OpenSSH infringing on your trademark. You also wrote:> > "the SSH Corp trademark registration in the US is for a logo only" > >It is for the lowercase word "ssh" (I was mistaken earlier in >saying that it was for the uppercase word "SSH").Note that here you claim it is explicitly for the LOWERCASE word 'ssh'.>Under US law, a trademark registration entitles the owner to >exclusive use of the trademark as it is registered, in relation >to the goods and/or services for which it is registered. [...]. >Consequently, use of the uppercase word "SSH" or a name >containing the "ssh" or "SSH" mark will likely amount to >trademark infringement under US law, if it is in relation >to goods or services within the same field of use covered by >our ssh(R) trademark.And here you claim that the uppercase word is also "likely" covered by it. Another legal point which seems odd to me. If the uppercase word is covered, then why wouldn't the trademark be for "ssh" instead of "the lowercase word 'ssh'". Perhaps this is one of those nuances of law that I just don't understand. Still, if you CAN get the IETF and everyone else to go along with this, then I don't have much reason to object. I do think it is inappropriate, and something of a waste of time. I know you think that 'ssh' as a trademark is valuable, but if you do change the name then you can be pretty sure that everyone that you have irritated will do their best to put that value into the new, generic and unencumbered name. I would think that we would make sure that 'ssh' is not referenced anywhere, in any man pages or other documentation. We would only use generic names, to make sure we do not ever hear from your lawyers again. However, it does seem to me that you should need to get IETF to agree, and to MAKE all the necessary changes, before you expect the OpenSSH project to consider changing it's name. Right now, OpenSSH is just an implementation of the generic protocol known as ssh. I don't see a problem. I also wonder how you can guarantee the new name will remain unencumbered. I mean, we used 'ssh' because we thought IT was unencumbered, as long as we made something compatible with the ssh protocol. If we use 'secsh', how do we know that Van Dyke won't pull the same stunt a few years from now, and claim that we owe THEM something due to copyright infringement? If we do pick some new term, then I suggest that we only consider alternatives which are brought up by someone who we can trust to leave that term as a generic term. I'm afraid to say that I doubt we can trust ssh.com to do that. Disclaimer: while I happen to have an account at freebsd.org, please note that all of the above are my own personal thoughts, and should not be taken as the position of "the freebsd project" or much of anyone else. In a separate message, which just came in as I was about to hit "send" on this, Bill Sommerfeld wrote:>Please do not CC: discussions of the validity of the ssh >trademark to the IETF Secure Shell protocol working group list ><ietf-ssh at clinet.fi>; they're out of scope for the working group.I appreciate this, except that Tatu claims the IETF will be asked to change the protocol name. If the working group is planning on a name change, then it is relevant to this debate. More importantly, if the working group has NO intention of changing the name, then it seems to me that openssh is just an implementation of a generic protocol named 'ssh'. This message (this one here, the one I am writing) is a reply to Tatu Ylonen, and it was Tatu who felt this was appropriate for the ietf-ssh mailing list. Perhaps that is the wrong list, but I don't know what else in the ietf would be the correct alternative. So, it is not that I'm trying to ignore Bill's request, but I don't know who else is supposed to clarify IETF's position on this. -- Garance Alistair Drosehn = gad at eclipse.acs.rpi.edu Senior Systems Programmer or gad at freebsd.org Rensselaer Polytechnic Institute or drosih at rpi.edu