[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Software Patents are Freezing Evolution of Products





>>Thesis: Software patents are a bad idea because they freeze the evolution
>>too early and payment metering schemes are too difficult to arrange, which
>>also helps to freeze evolution. Software patents are bad because customers
>>cannot freely and without entanglements incorporate the ideas into their
>>own products. The situation has become much worse with software, because
>>there is no physical object which can be used to meter usage of a patent.
 
Its nice to see a carefully reasoned argument.

Consider, also reading

http://www.verisign.com/faqs/id_faq.html  
http://www.verisign.com/apple/cis.html

Comment:

The thesis is fundamentally flawed in the case of publickey applications
which provide or exploit digital signatures, as its assumptions are false,
patently. However, a gem of truth is revealed; however, possible outcomes
may be unpalatable as "pay-per-view".

Crypto metering for commercial-grade systems is easy. A number of companies,
including those who are bantering about the latest batch of payment protocols, 
are beginning to really understand that to combat intruder-in-the middle
attacks 
of the commercial end-systems' keying material, its necessary to
authenticate the 
source of keying material used for all subsequent security services. Contrary to
the thesis, there are an ever evolving number of practical ideas upon the nature
of security services and secure applications. (In fact, its ever harder to track
the explosion of innovation which is actually happening.)

To combat the threat which intruder-in-the-middle represents to the key
exchange/agreement crypto underlying most applications, a notion of public-key
certificates was formulated. The certificate is a certified end-system key. 
The evaluation of the certificate requires users to consider trust models, as
someone "trusted" digitally signs the key to assert that the key is certified
for purpose X. The number of trust models being propounded is astounding; the
innovation wonderful to behold; contrary to the thesis. Two models are
prevalent - the 
Kent RFC 1422  model which uses third-parties to base non-repudiation services,
and the  Zimmermann PGP model which does not use third-parties, and accomplishes
something other than non-repudiation. Other models are in heated discussion!

There is a little truth in the thesis that asserting upfront to the
licensor the nature of your idea does hamper innovation. However, a solution
maybe at hand. Note, anyway, that (a) RSA is an excellent public-key scheme 
which is free of patent restrictions anywhere in the world except US 
territories (b) personal use of RSA in the US is effectively unlicensed (see
PGP/PGPfone) (c) RSAREF is a free reference implementation available for
developers to  innovate with, before deciding how to make their ideas
commercially 
available (d)  there are lots of competitive providers of RSA stuff supporting
many form-factors  and packaging styles. So either all innovation occurs in the
US, else free public availability is not the key to idea generation. Both these
conclusions are  patently wrong, in my view.

Whats a solution?

Well there is a solution which gets rid of the up-front, tell-all requirement.
Its called controlled certificate issuance. Given the importance of the
certificate role, if one meters certificate issuance such that a postage-stamp
fee goes to the licensor for each key used in any idea, for any purpose, 
however often or valuable-a-transaction, then the developer is effectively 
freed up - in terms of innovation. The keying material can be Diffie-Helman,
knapsack,
anything the developer like.

Whats the downside - well its like having a pay-per-view box on your company
TV. Still,
this is highly regarded by many industries and is the basis of much
competition in the broadcasting & programming distribution industry. Some
people, really object to pay-per-view. But then, some people object to
inventors getting benefit from their discovery. One metering product is the BBN
safekeyper. Metering certificates causes about as much hate mail, as MIT patent
enforcement though. So beware about even thinking about reading the following
pages for more information about the options and issues: 

http://www.verisign.com/faqs/id_faq.html - for digital ID material (lots of 
references)

http://www.verisign.com/apple/cis.html - for metering and "simple" licensing



How do we do away with the say-it-all-up-front restriction, which is currently
the only means whereby the licensor can collect a negotiated fee?

RSA DSI invested heavily in a hardware product for metering the issuance of
those critical certificates. That is, any developer w