OpenBSD Journal

SSH.com Claims Trademark Infringement by OpenSSH

Contributed by Dengue from the this-looks-fishy dept.

In an email posted to the OpenSSH developers mailing list, Tatu Ylonen claims that OpenSSH infringes on his trademarks "SSH" and "Secure Shell", and demands that the OpenSSH project change its name. Below, you can read Tatu's email and the OpenSSH licence file, /usr/src/usr.bin/ssh/LICENCE, which contains the licensing terms applied to SSH-1.2.12, from which OpenSSH is derived.



Date: Wed, 14 Feb 2001 03:36:19 +0200
From: Tatu Ylonen
To: openssh-unix-dev@mindrot.org
Subject: SSH trademarks and the OpenSSH product name

Friends,

Sorry to write this to a developer mailing list.  I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list.  I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
here.

As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995.  I
have explicitly claimed them as trademarks at least from early 1996.

In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas).  SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name.  There are
several million users of products that we have licensed under the
SSH brand.

To protect the SSH trademark I (or SSH Communications Security Corp,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending).  We also have a registration
pending on the Secure Shell mark.

The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSH name
and mark.  SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
Security Corp.

We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995.  The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.

We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed.  Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
others.

Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark.  Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.

I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks.  I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.

The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way).  The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthening the life cycle of the fundamentally broken SSH1
protocols.

The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
damage.

I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
confusion.

Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols.  I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard.  Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us.  It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.

Please also try to look at this from my viewpoint.  I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threatening
to destroy everything I have built on it during the last several
years.  I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.

Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.

Regards,

    Tatu Ylonen

SSH Communications Security           http://www.ssh.com/
SSH IPSEC Toolkit                     http://www.ipsec.com/
SSH(R) Secure Shell(TM)               http://www.ssh.com/products/ssh

The following is the licence to OpenSSH, available in /usr/src/usr.bin/ssh/LICENCE on OpenBSD systems.

This file is part of the ssh software.

The licences which components of this software falls under are as
follows.  First, we will summarize and say that all components
are under a BSD licence, or a licence more free than that.

OpenSSH contains no GPL code.

1)
     * Copyright (c) 1995 Tatu Ylonen, Espoo, Finland
     *                    All rights reserved
     *
     * As far as I am concerned, the code I have written for this software
     * can be used freely for any purpose.  Any derived versions of this
     * software must be clearly marked as such, and if the derived work is
     * incompatible with the protocol description in the RFC file, it must be
     * called by a name other than "ssh" or "Secure Shell".

    [Tatu continues]
     *  However, I am not implying to give any licenses to any patents or
     * copyrights held by third parties, and the software includes parts that
     * are not under my direct control.  As far as I know, all included
     * source code is used in accordance with the relevant license agreements
     * and can be used freely for any purpose (the GNU license being the most
     * restrictive); see below for details.

    [However, none of that term is relevant at this point in time.  All of
    these restrictively licenced software components which he talks about
    have been removed from OpenSSH, ie.

     - RSA is no longer included, found in the OpenSSL library
     - IDEA is no longer included, its use is deprecated
     - DES is now external, in the OpenSSL library
     - GMP is no longer used, and instead we call BN code from OpenSSL
     - Zlib is now external, in a library
     - The make-ssh-known-hosts script is no longer included
     - TSS has been removed
     - MD5 is now external, in the OpenSSL library
     - RC4 support has been replaced with ARC4 support from OpenSSL
     - Blowfish is now external, in the OpenSSL library

    [The licence continues]

    Note that any information and cryptographic algorithms used in this
    software are publicly available on the Internet and at any major
    bookstore, scientific library, and patent office worldwide.  More
    information can be found e.g. at "http://www.cs.hut.fi/crypto".
    
    The legal status of this program is some combination of all these
    permissions and restrictions.  Use only at your own responsibility.
    You will be responsible for any legal consequences yourself; I am not
    making any claims whether possessing or using this is legal or not in
    your country, and I am not taking any responsibility on your behalf.
    
    
    			    NO WARRANTY
    
    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
    REPAIR OR CORRECTION.
    
    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES.

2)
    The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
    Comments in the file indicate it may be used for any purpose without
    restrictions:

     * COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or
     * code or tables extracted from it, as desired without restriction.

3)
    The 32-bit CRC compensation attack detector in deattack.c was
    contributed by CORE SDI S.A. under a BSD-style license. See
    http://www.core-sdi.com/english/ssh/ for details.

     * Cryptographic attack detector for ssh - source code
     *
     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
     *
     * All rights reserved. Redistribution and use in source and binary
     * forms, with or without modification, are permitted provided that
     * this copyright notice is retained.
     *
     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
     * SOFTWARE.
     *
     * Ariel Futoransky

    
4)
    Remaining components of the software are provided under a standard
    2-term BSD licence with the following names as copyright holders:

	Markus Friedl
	Theo de Raadt
	Niels Provos
	Dug Song
	Aaron Campbell

     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     *
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



(Comments are closed)


Comments
  1. By Brendan () zarathustra@iwon.com on mailto:zarathustra@iwon.com

    add a '>' at the end of the link

    If you can't build a better product, sue them.

  2. By Niekze () niekze@nothingkillsfaster.com on http://www.nothingkillsfaster.com

    it isn't OpenSSH as in Open-SSH. it is really Ope-nSSH. Which means: "OpenSSH: Pre-Emptively Not Ssh, Surprised? Hardly."

    (yea, i know the grammatical error in that, hmm....sue me)

  3. By Tom Hukins () tom@eborcom.com on mailto:tom@eborcom.com

    I'm no lawyer, but I don't see how SSH Communications can have any valid claim over the terms "SSH" and "Secure Shell" being specific to their products.

    % grep ssh /etc/services
    ssh 22/tcp #Secure Shell Login
    ssh 22/udp #Secure Shell Login
    % uname -sr
    FreeBSD 4.2-STABLE

    /etc/services uses these terms to refer to the protocol, as does the IANA port assignments list from which they are derived.

    This shows that these terms are commonly used to describe the generic protocol, not any specific implementation of the protocol.

    SSH Communications must be aware of the IANA port assignments list, and as they have failed to enforce their trademarks on this list, they should not be able to enforce them on the OpenSSH project.

  4. By fansipans () on

    let me quote tatu:
    The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way).
    now let me quote HIS OWN WORDS FROM HIS LICENSE:
    * Copyright (c) 1995 Tatu Ylonen, Espoo, Finland
    * All rights reserved
    *
    * As far as I am concerned, the code I have written for this software
    * can be used freely for any purpose. Any derived versions of this
    * software must be clearly marked as such, and if the derived work is
    * incompatible with the protocol description in the RFC file, it must be
    * called by a name other than "ssh" or "Secure Shell".
    so let me get this straight:
    1. openssh is allowed to use his code, by the license given to them by him
    2. when the first ssh code was released, tatu allowed the creation of other programs using the ssh mark, so long as they were compatible with the ietf standard

    *sigh* grow up tatu

  5. By grumpy old man () on

    Just have a look at who has registered the opensecsh[.com|.net|.org] domains two weeks ago ;^)

  6. By Anonymous Coward () on

    Hey at least this will solve the domain name issue with Alex de Joode

  7. By liam () allenwc@home.com on mailto:allenwc@home.com

    Let me just point out a long ago international lawsuit that was resolved the way it ought to be:
    Coke-a-cola vs Pepsi Cola over the "cola".

    openSSH clearly does not resemble SSH in the same way that GMC does not resemble GMCSucks.

  8. By Boris () -- on --

    to sum up:
    - Tatu forgot that he gave his original work away.
    - now he's supporting the living of hundreds
    of people with the ssh company.
    - the OpenSSH team has made such a good work
    that it's "competing" ssh.
    - even more dreaded this competitor doesn't charge
    for it and isn't even interested in profit...
    - OpenSSH became so famous that SSH customers
    even heard about it.
    - asking OpenSSH team to shut its mouth
    (actually to change face, even worse) and
    not to let his customers know that they're
    making something at least as good as him for
    free.

    If ever OpenSSH team change names , it would be as
    a favor to him/his business rather than something
    they owe him because of a dubious trademark name.

    Does the grocery stores goes to complain to
    the charity because charity feeder give better
    food than in groceries ?

    May be he got the idea from the Bind and
    Nominum company, somehow that "free" software
    has gotten too much freedom.

    In french there is a proverb:
    "Donner c'est donner, reprendre c'est voler"
    -> "to give is to give, to take back is to steal".

    I go to sleep now.

  9. By Yado () ha on ho

    Not to mention OpenSSH got its name
    from OpenBSD, since the team is well crossed.
    so far names are concerned, Open comes first,
    SSH comes second.

  10. By Han () han@mijncomputer.nl on mailto:han@mijncomputer.nl

    Darn, they can't even call it OpenSHELL Because they would get a conflict with Shell(you know the fuel sellers) Well ssh <-- heheh is more than just a shell. It should be called OpenCODE.

  11. By Toy () gee308@mediaone.net on mailto:gee308@mediaone.net

    Just wondering, seeing as this article has 18 posts, what article on deadly.org has had the most posts? The last big one I can think of was the article about O'Reilly's OpenBSD articles and everyone was flaming it article.

  12. By Philip Jensen () phil_jensen@[nospam]yahoo.com on mailto:phil_jensen@[nospam]yahoo.com

    To quote Tatu, "OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols."

    This infers OpenSSH provides an inferior tool. I guess that's why they include support for SSH2 also. See www.openssh.org *NEW*OpenSSH 2.3.0 released Nov 6, 2000. (contains support for both SSH1 and SSH2 protocols)

    I wonder how much is true when a simple fact such as this is misleading.

  13. By - Chris. () on

    I'm going to write an SSH client and call it SSHIT (or ssh-it or s-shit) and see if they sue me for trademark problems or making their products look bad :)

    There is so much of this - Verizon, Warner Brothers vs Harry Potter fans... I'm getting bored of it all. Why don't the corporations just piss off for a change...
