Date: Fri, 16 Feb 2001 12:51:06 +0200
From: Tatu Ylonen <firstname.lastname@example.org>
To: email@example.com, firstname.lastname@example.org, email@example.com
Subject: ssh(R) trademark issues: comments and proposal
I'd like to address several issues raised by people in relation to my
notice of the ssh(R) trademark to the OpenSSH group. Also, I would
like to make a proposal to the community for resolving this issue
(included at the end).
First, I'll answer a number of questions and arguments presented in
> "the SSH Corp trademark registration in the US is for a logo only"
It is for the lowercase word "ssh" (I was mistaken earlier in saying
that it was for the uppercase word "SSH"). As many people obviously
know, trademark registrations in the USA are a matter of public record
and it is open to anyone to review the details of SSH Corp's trademark
Under US law, a trademark registration entitles the owner to exclusive
use of the trademark as it is registered, in relation to the goods
and/or services for which it is registered. Trademark infringement
occurs when another person uses the same, or a substantially identical
mark, for the same or related goods or services, in a manner which is
likely to cause consumer confusion. Consequently, use of the
uppercase word "SSH" or a name containing the "ssh" or "SSH" mark will
likely amount to trademark infringement under US law, if it is in
relation to goods or services within the same field of use covered by
our ssh(R) trademark. Of course, there are many possible
non-infringing uses of "SSH", for example, anyone might have a brand
of chocolade called "SSH".
> "A license was granted in 1995 that allows free use of the trademarks"
This is not accurate, but refers to the following language in
ssh-1.2.12 COPYING file:
As far as I am concerned, the code I have written for this software
can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and if the derived work is
incompatible with the protocol description in the RFC file, it must be
called by a name other than "ssh" or "Secure Shell".
First, this is a copyright license ("the CODE can be used..."), with an
additional restriction on naming. It is not a trademark license.
Also, this text is from the COPYING file from ssh-1.2.12, dated Nov
17, 1995. The trademark claims were made in 1996 (ssh-1.2.13 was the
first release claiming them, released on Feb 11, 1996), and this
license provision would not have covered them anyway. Ever since, our
policy has been not to allow unauthorized use of the trademarks. The
trademark claims have been made consistently in every release ever
> "no-one has ever been notified of infringement"
For example, I notified Van Dyke of the trademark a few years ago when
they used the SSH mark on their web site inappropriately. We
discussed it, they were very co-operative, and immediately added
trademark markings and acknowledgement on their website. Issue
solved. (They were not using it in a product name.)
Basically, anyone we have ever really encountered in the marketplace
has either been notified or is a licensee of ours.
> "F-Secure SSH has been using the name for years"
F-Secure (formerly Data Fellows) is our distributor/VAR, and they are
using the SSH trademark in their product name under a separate written
trademark license agreement. All of the F-Secure SSH products are SSH
Communication Security Corp's products, some verbatim and some with
modifications by F-Secure.
> (reference to FiSSH, TTSSH, Top Gun ssh, etc.)
These are all non-commercial academic projects made at universities.
We have never really encountered any one of these in the marketplace.
We have tried to notify commercial people who have been using the
trademark inappropriately. OpenSSH was the first non-commercial
implementation to raise to the radar screen.
> "why did you notify OpenSSH now"
The reason OpenSSH was contacted now was that they have only become
more visible during the last months, and I have recently seen a
significant increase in e-mails confusing the meaning of the SSH
trademarks and using them inappropriately. I have also recently
received quite a few e-mails confusing OpenSSH as my product.
> "how about the 'ssh' command name under Unix/Linux?"
This relates to the proposal I want to make.
Basically, I am willing to work out a way that will allow anyone to use
the "ssh" command name on Unix/Linux. It appears that there are
ways to do it without exposing our trademarks to unnecessary risk.
The arrangement I am proposing would be as follows.
- We (SSH Corp) would allow the use of "ssh" (and sshd, etc) as a
command name on Unix/Linux under the following restrictions:
- Any product where the command name "ssh" is used must only be
licensed under a valid license (i.e., must not be in the
public domain). E.g. BSD license, GPL, and normal commercial
licenses would all be ok.
- An acknowledgement of our ownership of the ssh(R) and Secure
Shell(TM) trademarks must be included in the software (help
text, documentation, license). It would not need to be
printed out every time the program is normally run, but would
need to be included in e.g. in an appropriate place on man
pages and in help texts.
- The SSH Corp trademarks cannot be used in product names
without a separate trademark license from us (which we would
not normally grant, unless we see a valid business case for
it, and then only for products using a compatible protocol).
- A new unencumbered name is created for the protocol, which can be
used by any vendor without creating confusion. The IETF standard
would be renamed to use the new protocol name, and the community
would work to cease using "SSH" as a protocol name and would
instead start using the new name. The new name would need to be
unencumbered, and the xx.com, xx.net, and xx.org domain names
would be made to permanently point to e.g. the IETF main page. My
own proposal would be to change the name to SECSH, provided that
Van Dyke is willing to contribute their currently unused secsh.com
domain name for this purpose. We would be willing to contribute
our secsh.org and secsh.net domains on the same basis.
- We would submit an official statement to the IETF that we will make no
trademark claims about the "bits on the wire" in the protocol (e.g.,
the protocol version strings or the various names used in the
- We would need to reach agreement with the OpenSSH group to change
their product name and to otherwise cease using the SSH
trademarks inappropriately. We appreciate that some people have
brought the non-commercial university group use to our attention.
We are carefully reviewing this situation.
Let's discuss the exact terms if I get a preliminary "ok, looks fine,
let's try to get this resolved along those lines" from the community
and the relevant parties.
Please let us know what you think.
Chairman and CTO, SSH Communications Security Corp
PS. For reference, if someone hasn't seen it yet, I'll include my
original e-mail to the OpenSSH mailing list.
>>From ylo Wed Feb 14 03:36:19 +0200 2001
From: Tatu Ylonen <firstname.lastname@example.org>
Subject: SSH trademarks and the OpenSSH product name
Organization: SSH Communications Security, Finland
Sorry to write this to a developer mailing list. I have already
approached some OpenSSH/OpenBSD core members on this, including Markus
Friedl, Theo de Raadt, and Niels Provos, but they have chosen not to
bring the issue up on the mailing list. I am not aware of any other
forum where I would reach the OpenSSH developers, so I will post this
As you know, I have been using the SSH trademark as the brand name of
my SSH (Secure Shell) secure remote login product and related
technology ever since I released the first version in July 1995. I
have explicitly claimed them as trademarks at least from early 1996.
In December 1995, I started SSH Communications Security Corp to
support and further develop the SSH (Secure Shell) secure remote login
products and to develop other network security solutions (especially
in the IPSEC and PKI areas). SSH Communications Security Corp is now
publicly listed in the Helsinki Exchange, employs 180 people working
in various areas of cryptographic network security, and our products
are distributed directly and indirectly by hundreds of licensed
distributors and OEMs worldwide using the SSH brand name. There are
several million users of products that we have licensed under the
To protect the SSH trademark I (or SSH Communications Security Corp,
to be more accurate) registered the SSH mark in the United States and
European Union in 1996 (others pending). We also have a registration
pending on the Secure Shell mark.
The SSH mark is a significant asset of SSH Communications Security and
the company strives to protect its valuable rights in the SSHÂ® name
and mark. SSH Communications Security has made a substantial
investment in time and money in its SSH mark, such that end users have
come to recognize that the mark represents SSH Communications Security
as the source of the high quality products offered under the mark.
This resulting goodwill is of vital importance to SSH Communications
We have also been distributing free versions of SSH Secure Shell under
the SSH brand since 1995. The latest version, ssh-2.4.0, is free for
any use on the Linux, FreeBSD, NetBSD, and OpenBSD operating systems,
as well as for universities and charity organizations, and for
personal hobby/recreational use by individuals.
We have been including trademark markings in SSH distributions, on the
www.ssh.fi, www.ssh.com, and www.ssh.org web sites, IETF standards
documents, license/readme files and product packaging long before the
OpenSSH group was formed. Accordingly, we would like you to
understand the importance of the SSH mark to us, and, by necessity,
our need to protect the trademark against the unauthorized use by
Many of you are (and the initiators of the OpenSSH group certainly
should have been) well aware of the existence of the trademark. Some
of the OpenBSD/OpenSSH developers/sponsors have also received a formal
legal notice about the infringement earlier.
I have started receiving a significant amount of e-mail where people
are confusing OpenSSH as either my product or my company's product, or
are confusing or misrepresenting the meaning of the SSH and Secure
Shell trademarks. I have also been informed of several recent press
articles and outright advertisements that are further confusing the
origin and meaning of the trademark.
The confusion is made even worse by the fact that OpenSSH is also a
derivative of my original SSH Secure Shell product, and it still looks
very much like my product (without my approval for any of it, by the
way). The old SSH1 protocol and implementation are known to have
fundamental security problems, some of which have been described in
recent CERT vulnerability notices and various conference papers.
OpenSSH is doing a disservice to the whole Internet security community
by lengthing the life cycle of the fundamentally broken SSH1
The use of the SSH trademark by OpenSSH is in violation of my
company's intellectual property rights, and is causing me, my company,
our licensees, and our products considerable financial and other
I would thus like to ask you to change the name OpenSSH to something
else that doesn't infringe the SSH or Secure Shell trademarks,
basically to something that is clearly different and doesn't cause
Also, please understand that I have nothing against independent
implementations of the SSH Secure Shell protocols. I started and
fully support the IETF SECSH working group in its standardization
efforts, and we have offered certain licenses to use the SSH mark to
refer to the protocol and to indicate that a product complies with the
standard. Anyone can implement the IETF SECSH working group standard
without requiring any special licenses from us. It is the use of the
"SSH" and "Secure Shell" trademarks in product names or in otherwise
confusing manner that we wish to prevent.
Please also try to look at this from my viewpoint. I developed SSH
(Secure Shell), started using the name for it, established a company
using the name, all of our products are marketed using the SSH brand,
and we have created a fairly widely known global brand using the name.
Unauthorized use of the SSH mark by the OpenSSH group is threathening
to destroy everything I have built on it during the last several
years. I want to be able to continue using the SSH and Secure Shell
names as identifying my own and my company's products and
technologies, which the unlawful use of the SSH name by OpenSSH is
making very hard.
Therefore, I am asking you to please choose another name for the
OpenSSH product and stop using the SSH mark in your product name and
in otherwise confusing manner.
SSH Communications Security http://www.ssh.com/
SSH IPSEC Toolkit http://www.ipsec.com/
SSH(R) Secure Shell(TM) http://www.ssh.com/products/ssh