SSH trademarks and the OpenSSH product name

Damien Miller djm at mindrot.org
Wed Feb 14 17:08:44 EST 2001


On Wed, 14 Feb 2001, Tatu Ylonen wrote:

> Friends,
> 
> Sorry to write this to a developer mailing list.  I have already
> approached some OpenSSH/OpenBSD core members on this, including Markus
> Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
> bring the issue up on the mailing list.  I am not aware of any other
> forum where I would reach the OpenSSH developers, so I will post this
> here.

As I understand it, the OpenBSD team is still waiting on a letter from
your lawyer.

> As you know, I have been using the SSH trademark as the brand name of
> my SSH (Secure Shell) secure remote login product and related
> technology ever since I released the first version in July 1995.  I
> have explicitly claimed them as trademarks at least from early 1996.

To my knowledge you have not contacted any of the other implementors
of SSH clients and servers who use 'SSH' in the name of their product
(there are several). Why are you 1) making an issue now, when there 
have been SSH implementations using 'SSH' in their names for several 
years? and 2) targeting the OpenSSH team only?

> In December 1995, I started SSH Communications Security Corp to
> support and further develop the SSH (Secure Shell) secure remote login
> products and to develop other network security solutions (especially
> in the IPSEC and PKI areas).  SSH Communications Security Corp is now
> publicly listed in the Helsinki Exchange, employs 180 people working
> in various areas of cryptographic network security, and our products
> are distributed directly and indirectly by hundreds of licensed
> distributors and OEMs worldwide using the SSH brand name.  There are
> several million users of products that we have licensed under the
> SSH brand.
> 
> To protect the SSH trademark I (or SSH Communications Security Corp,
> to be more accurate) registered the SSH mark in the United States and
> European Union in 1996 (others pending).  We also have a registration
> pending on the Secure Shell mark.

This should be of interest to the IETF. It would be better for other
implementers if every SSH implementation did not have to bear an 
advertisement for your company.

> The SSH mark is a significant asset of SSH Communications Security and
> the company strives to protect its valuable rights in the SSH® name
> and mark.  SSH Communications Security has made a substantial
> investment in time and money in its SSH mark, such that end users have
> come to recognize that the mark represents SSH Communications Security
> as the source of the high quality products offered under the mark.
> This resulting goodwill is of vital importance to SSH Communications
> Security Corp.
> 
> We have also been distributing free versions of SSH Secure Shell under
> the SSH brand since 1995.  The latest version, ssh-2.4.0, is free for
> any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
> as well as for universities and charity organizations, and for
> personal hobby/recreational use by individuals.
> 
> We have been including trademark markings in SSH distributions, on the
> www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
> documents, license/readme files and product packaging long before the
> OpenSSH group was formed.  Accordingly, we would like you to
> understand the importance of the SSH mark to us, and, by necessity,
> our need to protect the trademark against the unauthorized use by
> others.

Recognise also that SSH has been a generic term to describe the protocol
well before your attempt to trademark it.

> Many of you are (and the initiators of the OpenSSH group certainly
> should have been) well aware of the existence of the trademark.  Some
> of the OpenBSD/OpenSSH developers/sponsors have also received a formal
> legal notice about the infringement earlier.
> 
> I have started receiving a significant amount of e-mail where people
> are confusing OpenSSH as either my product or my company's product, or
> are confusing or misrepresenting the meaning of the SSH and Secure
> Shell trademarks.

I can relate to this - I receive a fair bit of email from users asking
for help with your products.

> I have also been informed of several recent press
> articles and outright advertisements that are further confusing the
> origin and meaning of the trademark.

Surely this is a matter that should be resolved with the authors of said
articles.

> The confusion is made even worse by the fact that OpenSSH is also a
> derivative of my original SSH Secure Shell product, and it still looks
> very much like my product (without my approval for any of it, by the
> way).

This is unfair and more than a little disingenuous, as you must 
recall the license that you released ssh-1.2.12 under:

      ``As far as I am concerned, the code I have written for this
        software can be used freely for any purpose. Any derived
        versions of this software must be clearly marked as such,
        and if the derived work is incompatible with the protocol
        description in the RFC file, it must be called by a name 
        other than "ssh" or "Secure Shell".''

> The old SSH1 protocol and implementation are known to have
> fundamental security problems, some of which have been described in
> recent CERT vulnerability notices and various conference papers.
> OpenSSH is doing a disservice to the whole Internet security community
> by lengthening the life cycle of the fundamentally broken SSH1
> protocols.

This is being uncharitable in the extreme. OpenSSH is providing a
smooth migration path from SSH1 to SSH2. A near-future release of
OpenSSH will be making protocol 2 the default.

As a security professional, you must surely be aware of the human
factors pertaining to software uptake, specifically the tendency of
people to refuse to upgrade if the immediate costs of doing so are too
high. 

Furthermore it is hypocritical to accuse us of doing a "disservice to
the whole Internet security community" when you are still distributing
ssh-1.x from ftp://ftp.ssh.com/

Please reconsider this approach, I think that the antipathy generated
by pursuing a free software project will cost your company a lot more
than a trademark.

-d

> The use of the SSH trademark by OpenSSH is in violation of my
> company's intellectual property rights, and is causing me, my company,
> our licensees, and our products considerable financial and other
> damage.
> 
> I would thus like to ask you to change the name OpenSSH to something
> else that doesn't infringe the SSH or Secure Shell trademarks,
> basically to something that is clearly different and doesn't cause
> confusion.
>
> Also, please understand that I have nothing against independent
> implementations of the SSH Secure Shell protocols.  I started and
> fully support the IETF SECSH working group in its standardization
> efforts, and we have offered certain licenses to use the SSH mark to
> refer to the protocol and to indicate that a product complies with the
> standard.  Anyone can implement the IETF SECSH working group standard
> without requiring any special licenses from us.  It is the use of the
> "SSH" and "Secure Shell" trademarks in product names or in otherwise
> confusing manner that we wish to prevent.
>
> Please also try to look at this from my viewpoint.  I developed SSH
> (Secure Shell), started using the name for it, established a company
> using the name, all of our products are marketed using the SSH brand,
> and we have created a fairly widely known global brand using the name.
> Unauthorized use of the SSH mark by the OpenSSH group is threatening
> to destroy everything I have built on it during the last several
> years.  I want to be able to continue using the SSH and Secure Shell
> names as identifying my own and my company's products and
> technologies, which the unlawful use of the SSH name by OpenSSH is
> making very hard.
> 
> Therefore, I am asking you to please choose another name for the
> OpenSSH product and stop using the SSH mark in your product name and
> in otherwise confusing manner.
> 
> Regards,
> 
>     Tatu Ylonen

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's 
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer


More information about the openssh-unix-dev mailing list