[FDE] Introductions
Allen
netsecurity at sound-by-design.com
Wed Jul 4 16:12:08 MDT 2007
James A. Donald wrote:
[snip]
> I was under the impression that the use of ECC was obstructed by
> multiple extremely broad overlapping patents, each patenting much the
> same thing, but that if the NSA licenses you, your ass is covered. But
> for non government uses, NSA is presumably not going to license you, and
> cutting a deal with patent holders is going to be too arduous for any
> organization that does not have a menacing team of lawyers in house.
>
> What is the patent and licensing situation with that product? Did NSA
> license you to sell it to anyone?
First, I am not a lawyer; second, I may have misunderstood the
intent of the laws governing patents issued to US Federal Agencies.
Given these caveats, here is my understanding of the issues.
First, if the US Federal Agency requesting the patent asks for it, a
patent may be kept secret almost forever if it is deemed to be
vital to the national security, so even if the patent has expired
you would not know that it ever existed in the first place.
Second, the US Patent Office can be asked by a variety of US
Federal Agencies and agencies designated to be part of the
defense of the US to keep a patent secret essentially forever for
the same national security reasons.
There are a variety of caveats that apply that might limit the
secrecy provisions but you'd better have a lot of bucks to fight
it out.
Then there are also requirements in the US Patent law that
require licensing of US Federally owned patents to promote the
development of technology and science. There may be some
interesting conflicts with the secrecy requirements that could be
exploited. Again you'd better have a lot of money behind you.
There is an interesting quirk in the US Patent law, 35 USC 157
which states:
> §157. Statutory invention registration
> (a) Notwithstanding any other provision of this title, the Director is authorized to publish a statutory invention registration containing the specification and drawings of a regularly filed application for a patent without examination if the applicant--
>
> (1) meets the requirements of section 112 of this title;
> (2) has complied with the requirements for printing, as set forth in regulations of the Director;
> (3) waives the right to receive a patent on the invention within such period as may be prescribed by the Director; and
> (4) pays application, publication, and other processing fees established by the Director.
>
> If an interference is declared with respect to such an application, a statutory invention registration may not be published unless the issue of priority of invention is finally determined in favor of the applicant.
>
> (b) The waiver under subsection (a)(3) of this section by an applicant shall take effect upon publication of the statutory invention registration.
> (c) A statutory invention registration published pursuant to this section shall have all of the attributes specified for patents in this title except those specified in section 183 and sections 271 through 289 of this title. A statutory invention registration shall not have any of the attributes specified for patents in any other provision of law other than this title. A statutory invention registration published pursuant to this section shall give appropriate notice to the public, pursuant to regulations which the Director shall issue, of the preceding provisions of this subsection. The invention with respect to which a statutory invention certificate is published is not a patented invention for purposes of section 292 of this title.
For those wishing to read the details of 35 USC 112, you can find
it at: http://www.bitlaw.com/source/35usc/112.html, but basically
it just lays out the specifications required to obtain a patent.
What does this mean and how does it apply to FDE you are probably
asking yourself, right?
Think of it this way, cryptography, of which FDE is a sub-set, is
best done out in the open so that it can be vetted by many eyes
and not be subject to security by obscurity.
Also there is the issue of FOSS and licensing that is tearing
apart elements of the *nix community as well as outrageous claims
by SCO, Microsoft, and the like, to ideas that truly should not
be patented in the best interests of the public at large, partly
because they were common knowledge prior to the issuance of the
patent and other reasons I won't go into here.
So, what am I suggesting? Simple: rather than fuss about GPL 2
vs. GPL 3, or other licensing schemes that attempt to protect the
public's interest to a greater or lesser degree, such as the BSD
licensing scheme, declare your ideas public property via
publication (costs $20 I believe) by the US Patent Office itself.
Where would this leave us? About where RedHat, MySQL, and a bunch
of other Linux people are right now: nobody pays for the
algorithm or code itself, but rather pays for the grunt work of
implementation and maintenance, the far, far bigger part of the
pie in the long run.
This would also help prevent the stranglehold that the government
and big business have on information before it gets superseded by
newer and better ideas.
What would we lose? Short term profits that you have to defend
tooth and nail against encroachment by others with bigger pockets
for fear of your ideas being lost to you for exploitation. And
some lawyers would lose some work that, in the long run, we pay
for in the cost of the goods and services we buy.
How would this work against NSA and other agencies declaring your
idea should be kept secret in the interests of national security?
I suspect that NSA does not keep someone at the patent office
reading every application but rather relies on being notified by
the patent office when they see something that they might be
interested in. So this is where the key phrase, "...regularly
filed application for a patent without examination..." comes into
play. An innocuous patent application title, along with a
simplistic summary at the head would evade most scrutiny, thereby
allowing publication to proceed. Once the toothpaste is out of
the tube it's really, really hard to put it back, as Phil
Zimmermann proved with PGP. He also proved that even publicly
known information can be the basis of a good business.
Arshad Noor of StrongAuth is doing exactly this by supporting the
open standard StrongKey (http://www.strongkey.org/) and it is
advancing through OASIS to an accepted standard.
StrongKey is the other, vital, half of FDE - recovering that lost
data when we've misplaced that key somewhere among the millions
of neurons we have. We know it is there somewhere, but we just
can't put fingers on it at the moment. Don't you just hate it
when you ask for a password reset and then remember it *after*
you clicked send? ;->
Best to you and yours, and may you have a bang-up Fourth, if you
are so inclined,
Allen