Slashdot Mirror
IBM Applies for Password Manager Patent
An anonymous reader writes "As of August 21, IBM has applied for a patent on "A convenient and secure system and method for access to any number of password-protected computer applications, web sites and forms without adding to the user cognitive load and without circumventing the inherent security of such password-protection schemes. An existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet "master" key to unlock the wallet. An application-specific and/or user-specific password is automatically retrieved from the wallet and entered into the password field with no other user action required." This isn't much different from Mozilla's "Master Password"."
Just remember, the only thing the USPTO considers as prior art are previous patents, until the said patent challenged in the courts.
and he called it "Password Safe".
http://plan9.bell-labs.com/sys/doc/auth.html
The Fourth Edition of Plan 9 includes a substantially reworked security architecture, described in the USENIX Security 2002 conference paper [html, ps, pdf] by Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, and Sean Quinlan.
One particular aspect that other operating systems may wish to adopt is our single-signon solution. A process called factotum is used to hold credentials like passwords and public/private keypairs and perform cryptographic operations. Factotum allows clients to speak a variety of cryptographic protocols and therefore legacy application servers can participate in our single-signon system without change and without even knowing it exists.
The factotum has no direct permanent storage, but rather fetches credentials at startup from a secstore server on the network. To authenticate safely with the secstore, Password Authenticated Key-exchange is used; this implies that the user just has to remember and type one password and passive eavsdroppers or even active malicious intermediaries can not launch even a dictionary attack against the system. The credentials are encrypted for storage on secstore, so even an administrator there would have difficulty reading them.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
It looks like the original page was taken down, however you can still see it in google's cache
Maybe you are talking about single sign-on? Secure sign-on is basically the idea that your authentication goes encrypted over the wire (RSA encryption). And by the way, single sign-on is diferent. You only have one password, and all services check a single database (NDS). This is like using LDAP as the authentication backend of several services. Single sign-on has another nice feature, that authentication can happen on the background, so you don't have to retype your user/pass everytime you use a service. Basically single sign-on is one password for all resources or services. So no prior art from Novell I think.
please excuse my apathy
they are talking more about the user interface....
A password field pops up in an application. their software pops up a dialog right over top, and asks you for the master password. It then finds your password and fills in the box.
visually, it makes more sense.
Found more information. Tidbits from May 29th, 1995 mentions the Keychain, it's use, and what it could be used for and just what it happens to be used for now.
And an article Sep 27th, 1993 talks about PowerTalk's upcoming release. So yeah, good luck with that patent IBM.
No, they don't. Because their description is exactly what Apple's Keychain does. Just replace "wallet" with "keychain" in this passage from IBM's own description of their system:
The Keychain has been around since System 7 Pro, which dates back to October of 1993 or thereabouts. Whether Apple patented it or back then not, I don't think they'll have any choice but to contest this IBM patent attempt-- because if it goes through, Apple will have to pay licensing fees to IBM to continue using Keychain in OS X.
~Philly
This "fact", while oft-repeated, is unfortunately completely untrue. The patent office may not do a stellar job of investigating for prior art, but technically any prior art, patented or not, counts.
Please stop repeating this falsehood.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
Seconded. I spent forever explaining how my work was different from the references that I provided, which he understood incompletly. (But I give him huge props for reading them at all, since they're highly technical and involved.)
That was rather frustrating, since he'd likely never have found those references if we didn't include them, when compared to some of the patent silliness I read on Slashdot.
Other patents by the same person
They seem to include such revolutionary ideas as scroll bars and window resizing
Points 10 - 13 explain what it is they are 'inventing' that is different from existing schemes. They list IE's auto complete, and say it has a failing in that anyone using the computer can autocomplete the form (thus it is not very secure), they mention quicken having a very similar method of requiring one master password to complete any password diaglog, but say that it is not ideal because the API is closed for quicken's exclusive use.
The crux of their solution is that they want to make a generic API that allows their 'invention' to provide a password where requested to any application, browser window or similar.
Of course, as other people have already pointed out, this too has already been done. Novell's single-signon pops to my mind, and I'm sure a lot of other people have done this as well.
I not only read the blockquote, I read a fair bit of the Google-cached patent application. The behavior IS the same, you twit, the Keychain is an OS-level service that can be used by anyone who wants to use it in their apps.
When a Keychain-aware Mac application wants a password and I have previously indicated that I want it to use the Keychain services, a Keychain dialog pops up and asks for my Keychain password. Upon correct authentication, the Keychain passes the application-specific password to the requesting application.
Do you think IBM's system will just automatically sniff out instances where it should assert itself? Because I don't-- I think apps will have to be changed to be at least minimally aware of the password wallet service.
~Philly
technically any prior art, patented or not, counts.
No, only published prior art. If you secretly invented it, didn't reveal this to the public, but still can somehow prove it... it won't invalidate the patent.
One time, for example, a student came up with an invention and turned it in for a grade in college. Later on someone else filed for a patent on the same idea. Hearing about this, the college dug out the graded paper from their records, and got everyone involved to swear as to it's veracity. The USPTO acknowledged that yes, the student had invented it first, but the patent would still go to someone else.
If you actually read the patent application, you'll see that they are patenting something much more narrow than you think.
IBM is attempting to patent a UI hack that will detect a signon request from a website or other application, and superimpose their master signon dialog. They are NOT attempting to patent the ideas that are covered by Keychain or Mozilla's autofill. By superimposing their own "widget" exactly where the application specific logon would be, this master signon system preserves the flow of the application UI.
By comparison, the Keychain and autofill solutions can be more intrusive, and can be less secure. IBM's master signon would be entered every time I need to signon. I'd only need to remember one password. By comparison, Keychain and autofill don't require one to log into each application. An office worker can walk away from their desk without locking their screen saver and someone can use their accounts.
For those who tried to follow the (broken) link, I looked this up. It's U.S. published application number 220030159071, which was published on August 12, 2003 and originally filed on Feb. 21, 2002.
This is merely a PUBLISHED PATENT APPLICATION, not a PATENT. There is no indication that the application has as yet been examined. The most that can be said is that IBM has asked to patent what is claimed. Whether it will be allowed, amended, etc., remains to be seen. Anyway, this is claim 1, which is representative of what IBM is going after in this patent:
1. A method within a computing platform of graphically providing a secure field value retrieval and entry, wherein said computing platform includes a display device, a field activation device and a user selection device, said method comprising: displaying a user dialogue to receive a master key value from a user responsive to activation of a field; receiving a computing context indicator regarding the context of said activated field; determining said master key value is a correct master key value; retrieving a field value from a secure field value store which is associated with said computing context, said activated field and a user identification; and automatically entering said retrieved field value into said activated field.
Maybe the examiner will find the good prior art, or maybe even IBM will be good enough to cite it themselves. In any event, what would be NICE, rather than relying merely on the effectiveness of the examiner and the bona fides of the applicant, would be a mechanism to take comments from the public on pending patent applications after they are published and after (or maybe even before) they are examined. This is (more or less) how it works in most other countries (it's called "opposition"), and variations of this approach have been suggested many times in this country and repeatedly shot down or watered down to the point of being useless. Now the Federal Trade Commission is jumping on this as well (it is one of their recebnt suggestions), but it will probably get nowhere because the small inventor lobby (decidedly NOT the IBMs of the world) is too strong.
IBM, as some other poster has pointed out, has been pretty much a model citizen in the patent world.
You have the first part wrong. Prior art need not be published for it to be used to invalidate a patent. The prior art only needs to be "known." See 35 USC 102, particularly subsection (a).
The reason the student's paper is not prior art is not because it wasn't published, but rather because it was secret, and therefore not legally "known" by others in the patent law sense.
You may continue to believe what you read on Slashdot all you like, but it just isn't so. Read some patents, read the citations, and note that you will find cited non-patent prior art. How do you think that gets there? By accident?
And, by the way, there are a kazillion remedies available to you if the USPTO issues a bad patent short of full-scale litigation. If you actually have killer prior art, just file for reexamination, and it would be a matter of course.
Not only are non-patents allowable as prior art, but many companies actually publish technical disclosure documents specifically to serve as prior art for things that they're not interested in patenting or don't feel that they could get a patent in but want to make sure nobody tries to pull a stunt.
IBM is famous for publishing many thousands of these, which are frequently cited by both inventors and patent examiners as prior art, and frequently wielded by IBM to quash bogus patents.
The old IBM Patent server, which later became Delphion, originally provided access to the IBM technical disclosure bulletins as well as US patents. They are now searchable for free at the IP.com Prior Art Database along with disclosures from a number of other large companies. I've only just found out about it, but apparently you can only view summaries and have purchase full documents or to perform advanced searching, but it appears like a useful resource. Also easily browsable by month, which is kinda neat.
I'm sure someone could find an example otherwise (or even has their own horror story), but as I understand it, IBM is probably the one big tech company least guilty of abusing the patent system. Sure, they make a lot of money off of licensing and have been known to throw their weight around from time to time, but they usually seem to play relatively fair unless they're put on the defensive.
My next sig will be ready soon, but friends can beat the rush!
This is FALSE. I guess all you gotta do on slashdot to get modded up is _sound_ authoritative. I wish modders would verify facts before modding people up.
Phil Farnsworth was awarded patent rights to using CRT as the mechanism for electronic television based on some scribble he had made in high school as a 14 year old.
Patents are granted for first to invent, not first to publish.
On the other hand if you invent something and dont patent it within one year, you lose the rights to patent it (that is, nobody will get the patent).