From: Peter Williams <peter@verisign.com>
To: cypherpunks@toad.com
Message Hash: 4ac293ce1fc5b48ec92dcf00623e49016bfee1e675638c2cbcc036fdaa39ff29
Message ID: <199510091730.KAA07041@dustin.verisign.com>
Reply To: N/A
UTC Datetime: 1995-10-09 17:30:13 UTC
Raw Date: Mon, 9 Oct 95 10:30:13 PDT
From: Peter Williams <peter@verisign.com>
Date: Mon, 9 Oct 95 10:30:13 PDT
To: cypherpunks@toad.com
Subject: Re: Software Patents are Freezing Evolution of Products
Message-ID: <199510091730.KAA07041@dustin.verisign.com>
MIME-Version: 1.0
Content-Type: text/plain
>>Thesis: Software patents are a bad idea because they freeze the evolution
>>too early and payment metering schemes are too difficult to arrange, which
>>also helps to freeze evolution. Software patents are bad because customers
>>cannot freely and without entanglements incorporate the ideas into their
>>own products. The situation has become much worse with software, because
>>there is no physical object which can be used to meter usage of a patent.
Its nice to see a carefully reasoned argument.
Consider, also reading
http://www.verisign.com/faqs/id_faq.html
http://www.verisign.com/apple/cis.html
Comment:
The thesis is fundamentally flawed in the case of publickey applications
which provide or exploit digital signatures, as its assumptions are false,
patently. However, a gem of truth is revealed; however, possible outcomes
may be unpalatable as "pay-per-view".
Crypto metering for commercial-grade systems is easy. A number of companies,
including those who are bantering about the latest batch of payment protocols,
are beginning to really understand that to combat intruder-in-the middle
attacks
of the commercial end-systems' keying material, its necessary to
authenticate the
source of keying material used for all subsequent security services. Contrary to
the thesis, there are an ever evolving number of practical ideas upon the nature
of security services and secure applications. (In fact, its ever harder to track
the explosion of innovation which is actually happening.)
To combat the threat which intruder-in-the-middle represents to the key
exchange/agreement crypto underlying most applications, a notion of public-key
certificates was formulated. The certificate is a certified end-system key.
The evaluation of the certificate requires users to consider trust models, as
someone "trusted" digitally signs the key to assert that the key is certified
for purpose X. The number of trust models being propounded is astounding; the
innovation wonderful to behold; contrary to the thesis. Two models are
prevalent - the
Kent RFC 1422 model which uses third-parties to base non-repudiation services,
and the Zimmermann PGP model which does not use third-parties, and accomplishes
something other than non-repudiation. Other models are in heated discussion!
There is a little truth in the thesis that asserting upfront to the
licensor the nature of your idea does hamper innovation. However, a solution
maybe at hand. Note, anyway, that (a) RSA is an excellent public-key scheme
which is free of patent restrictions anywhere in the world except US
territories (b) personal use of RSA in the US is effectively unlicensed (see
PGP/PGPfone) (c) RSAREF is a free reference implementation available for
developers to innovate with, before deciding how to make their ideas
commercially
available (d) there are lots of competitive providers of RSA stuff supporting
many form-factors and packaging styles. So either all innovation occurs in the
US, else free public availability is not the key to idea generation. Both these
conclusions are patently wrong, in my view.
Whats a solution?
Well there is a solution which gets rid of the up-front, tell-all requirement.
Its called controlled certificate issuance. Given the importance of the
certificate role, if one meters certificate issuance such that a postage-stamp
fee goes to the licensor for each key used in any idea, for any purpose,
however often or valuable-a-transaction, then the developer is effectively
freed up - in terms of innovation. The keying material can be Diffie-Helman,
knapsack,
anything the developer like.
Whats the downside - well its like having a pay-per-view box on your company
TV. Still,
this is highly regarded by many industries and is the basis of much
competition in the broadcasting & programming distribution industry. Some
people, really object to pay-per-view. But then, some people object to
inventors getting benefit from their discovery. One metering product is the BBN
safekeyper. Metering certificates causes about as much hate mail, as MIT patent
enforcement though. So beware about even thinking about reading the following
pages for more information about the options and issues:
http://www.verisign.com/faqs/id_faq.html - for digital ID material (lots of
references)
http://www.verisign.com/apple/cis.html - for metering and "simple" licensing
How do we do away with the say-it-all-up-front restriction, which is currently
the only means whereby the licensor can collect a negotiated fee?
RSA DSI invested heavily in a hardware product for metering the issuance of
those critical certificates. That is, any developer w
Return to October 1995
Return to “Peter Williams <peter@verisign.com>”