UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

In re Inter Partes Review of

U.S. Patent No.: 7,921,211
Inventors: Larson et al.
Trial Number: IPR2013-00378
Issue Date: April 5, 2011
Title: Agile Network Protocol for Secure Communications using Secure Domain Names
Attorney Docket No. 3959/5004

Attn: Mail Stop PATENT BOARD
Patent Trial and Appeal Board
United States Patent and Trademark Office
PO Box 1450
Alexandria, Virginia 22313-1450

Declaration of Russell Housley Regarding U.S. Patent No. 7,921,211

I, Russell Housley, do hereby declare and state, that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code.

Dated: [handwritten date and signature]

Page 1 of 16
Ex. 1004
New Bay Capital, LLC_Page 1 of 98

I, Russell Housley, declare as follows:

I. INTRODUCTION

A. Engagement

1. I have been retained by New Bay Capital, LLC as an expert witness in the above-captioned proceeding. I submit this declaration in support of the Petition for Inter Partes Review of claims 36, 37, 47 and 51 of United States Patent No. 7,921,211 (“the ‘211 Patent” – Ex. 1001), filed in the United States Patent and Trademark Office on behalf of New Bay Capital, LLC.

B. Background and Qualifications

2. I am the founder and owner of Vigil Security, LLC, which I founded in 2002 to help customers design and implement diligently watchful security solutions. I provide consulting on security protocols, security architectures, and Public Key Infrastructure (PKI). Over the last ten years, I have performed security and vulnerability analyses of various communications architectures and security policies based on known threats and proposed certification criteria.

3. Since March 2013, I have served as the chair of the Internet Activities Board (IAB), which makes me a voting member of the IAB as well as a non-voting member of the Internet Engineering Steering Group (IESG), a voting member of the IETF Administrative Oversight Committee (IAOC), and a Trustee for the IETF Trust. Since May 2013, I have served as a member of the Internet Research Steering Group (IRSG).

4. From March 2007 to March 2013, I served as the chair of the Internet Engineering Task Force (IETF). I managed the open and transparent technical standards process for the Internet.

5. From March 2003 to March 2007, I served as the IETF Security Area Director, making me a member of the IESG. As such, I provided leadership to many working groups that were developing security standards for the Internet, including the Public Key Infrastructure using X.509 (PKIX), IP Security (IPsec), Transport Layer Security (TLS), Secure MIME (S/MIME), Domain Keys Identified Mail (DKIM), Long-Term Archive and Notary Services (LTANS), and Multicast Security (MSEC) working groups.

6. Prior to accepting the Area Director position, I chaired the IETF Secure MIME (S/MIME) Working Group, and I contributed to several cornerstone Internet PKI standards (including RFC 5280). In November 2004, I was recognized by the IEEE 802.11 working group for my contributions to IEEE 802.11i-2004, which fixes the severe security shortcoming of the Wired Equivalent Privacy (WEP). I provided major contributions to several security protocols, including the Cryptographic Message Syntax (CMS), SDNS Security Protocol 4 (SP4), SDNS Message Security Protocol (MSP), IEEE 802.10b Secure Data Exchange (SDE) Protocol, and IEEE 802.10c Key Management Protocol.

7. I have worked in the computer and network security field since 1982. Before starting Vigil Security, I worked at the Air Force Data Services Center (AFDSC), Xerox Special Information Systems (XSIS), SPYRUS, and RSA Laboratories. My security research and standards interests include security protocols, certificate management, cryptographic key distribution, and high assurance design and development practices. I have been active in many security standards organizations, and my recent focus has been on the Internet Engineering Task Force (IETF).

8. I have served as the Chair of CertiPath Policy Management Authority, where I assisted with the transition from SHA-1 to SHA-256. I also provided technical and policy advice to the WiMAX Forum Policy Authority for the PKI that is used to authenticate WiMAX Devices and the separate PKI that is used to authenticate the AAA servers within a WiMAX network.

9. I am a consultant to the U.S. Government. I helped with Crypto Modernization activities, especially in the areas of secure firmware loading, trust anchor management, public key infrastructure, and key management infrastructure.

10. I am a member of the Advisory Board for the Georgetown Center for Secure Communications (GCSC) at Georgetown University, the Security and Software Engineering Research Center (S2ERC) at Georgetown University, and the Center for Information Assurance at the University of Dallas, Graduate School of Management. I am a technical advisor to Penango.

11. I received a Bachelor of Science in computer science from Virginia Tech in 1982, and I received a Master of Science degree in computer science from George Mason University in 1992.

12. I am the co-author of two books: Implementing Email and Security Tokens: Current Standards, Tools, and Practices, published by John Wiley & Sons in 2008, and Planning for PKI – Best Practices Guide for Deploying Public Key Infrastructure, published by John Wiley & Sons in 2001.

13. I am the inventor of five U.S. Patents:

- US Patent 6,003,135: Modular security device
- US Patent 6,088,802: Peripheral device with integrated security functionality
- US Patent 6,904,523: Method and system for enforcing access to a computing resource using a licensing attribute certificate
- US Patent 6,981,149: Secure, easy and/or irreversible customization of cryptographic device
- US Patent 7,356,692: Method and system for enforcing access to a computing resource using a licensing attribute certificate.

14. A copy of my curriculum vitae, which describes in further detail my qualifications, responsibilities, employment history, and publications, is attached to this declaration as Appendix A.

C. Compensation and Prior Testimony

15. I am being compensated at my normal consulting rate for my work and testimony in this matter. I also am being reimbursed for reasonable and customary expenses associated with my work and testimony in this matter. My compensation is not contingent on the outcome of this matter or the specifics of my testimony and in no way affects the substance of my statements in this Declaration.

16. I have no financial interest in Petitioner or in the ‘211 Patent.

17. I have never testified in Federal District Court, but I testified in the U.S. International Trade Commission on January 13, 2012. I was deposed on May 31, 2005 for a civil action in the U.S. District Court for the Eastern District of Virginia, Alexandria division.

D. Information Considered

18. My opinions are based on my years of education, research and experience, as well as my investigation and study of relevant materials. In forming my opinions, I have reviewed and understand the materials referred to herein or listed in Appendix B.

E. Availability for Cross-Examination

19. In signing this Declaration, I recognize that the Declaration will be filed as evidence in a contested case before the Patent Trial and Appeal Board of the United States Patent and Trademark Office. I also recognize that I may be subject to cross-examination in the case and that cross-examination will take place within the United States. If cross-examination is required of me, I will appear for cross-examination within the United States during the time allotted for cross-examination.

II. ANALYSIS

20. I have reviewed and understand the specification, claims, and file history of the ‘211 Patent.

21. Based on personal experience, I can establish that the article entitled “C-HTTP – The Development of a Secure, Closed HTTP-based Network on the Internet,” written by Takahiro Kiuchi and Shigekoto Kaihara, was presented to the public at the Symposium on Network and Distributed Systems Security (SNDSS) Proceedings in 1996, and the paper was published in the symposium proceedings, distributed to the participants and made available to the public. At the time, I was the Chief Scientist at SPYRUS and I gave a presentation as part of a panel discussion in session 4 at the SNDSS conference. The C-HTTP paper was presented in session 3 of the conference.

22. A VPN is a virtual private network. Even though communication takes place on the public Internet, a VPN encrypts the communication to keep it private, using an encryption key.

23. Domain name services perform the well-established function of providing an IP address corresponding to a requested domain name. For example, a request for www.example.com is translated into its corresponding IP address, such as 192.0.43.10. The IP address is typically a series of numbers forming the address used by one computer on the Internet to communicate with the desired computer.

24. The Internet Engineering Task Force (IETF) established domain names and their use long before 1998. Domain names are often embedded in URLs. A Uniform Resource Locator (URL) is the syntax and semantics for location and access of resources via the Internet. (See Appendix C, RFC 1738 page 1) The basic format of a URL is <scheme>:<scheme-specific-part>. For example, http://www.example.com/index.html is a URL with the domain name www.example.com embedded therein.

25. The IETF established the syntax for domain names, and periods or dots are used to separate a subdomain name from the parent domain name. The top-level domain name is the component of the domain name that follows the final period or dot. For example, “com” is the top-level domain name for www.example.com.

26. The IETF recognized that “The terms "domain" or "domain name" are used in many contexts beyond the DNS described here. Very often, the term domain name is used to refer to a name with structure indicated by dots, but no relation to the DNS.” (See Appendix D, RFC 1034, 2.1 page 1)

27. I have reviewed Chapter 13, IP Security of XP-002167283 (NB1007), which was cited by the U.S. Patent and Trademark Office in the prosecution file history of the parent patent U.S. Pat. No. 7,418,504. The IPsec system of Chapter 13 is described in the RFC documents produced by the IETF listed at the bottom of page 402. In accordance with IPsec, an IPsec application at the client and an IPsec application at the target conduct a key exchange to enable private encrypted communications between them. As shown in Figure 13.1 and page 403, the application creates the IPsec header and authenticates and encrypts the Secure IP payload. In IPsec of Chapter 13, a domain name service is used to find the addresses associated with domain names, but a domain name service is not involved in establishing the secure communication link.

28. I believe a person of ordinary skill in the art in the field of the ‘211 Patent would be someone who, prior to October 1998, was familiar with TCP/IP networking principles and IETF activities in the areas of DNS, IP Security, and Virtual Private Networks. The person of ordinary skill is deemed to have a general knowledge of all relevant prior art including patents and published patent applications, books, academic papers, and other publications. The person of ordinary skill in the art may have at least a Bachelor’s degree in engineering or computer science. The person of ordinary skill in the art may have worked in academia, for a technology company, or for a government.

29. The ‘211 patent, at col. 51, lines 53-56, refers to a web browser displaying a secure icon. According to the specification, the icon merely indicates “that the current communication link to server 3320 is a secure VPN communication link.” The domain name service systems on the secure network 3311 do not play a role in providing the icon nor do they include code for creating the icon. Indeed, the icon is produced by a web browser accessing a secure website, i.e., software quite distinct from the domain name service system software.

30. I have read and understood “C-HTTP – The Development of a Secure, Closed HTTP-based Network on the Internet,” written by Takahiro Kiuchi and Shigekoto Kaihara (hereinafter referred to as “Kiuchi”).

31. Kiuchi’s system features a C-HTTP name server connected to the Internet. The Internet is a public communication network. The C-HTTP name server responds to name service requests by looking up domain names and returning their IP address if secure communications are permitted. Kiuchi describes a user in a hospital location sending a request to connect with a computer in a second location. Each location operates its own private network. To go outside the network, communications must go through a firewall. Each institution has a proxy on the firewall. The proxy is a computer server that acts as an interface between the computers within the institution’s private network and the Internet. The proxy at the requesting computer’s institution is referred to as the client-side proxy and the proxy at the target computer’s institution is referred to as the server-side proxy. Kiuchi’s system is illustrated diagrammatically as follows:

[Diagram of Kiuchi’s system not reproduced in this copy.]

32. The client-side proxy intercepts the request to connect to a domain name from the user agent; the domain name is embedded in a URL. The client-side proxy sends the requested domain name, referred to as a hostname, to the C-HTTP name server to request the IP address of the server-side proxy. The name server performs a lookup and returns the corresponding IP address only if a secure connection is permitted with the server-side proxy named in the request. Along with the IP address, the C-HTTP name server also returns the public key of the server-side proxy, a request Nonce value and a response Nonce value.

33. Nonce is a mathematical term, which stands for “number used once” or “number once.” A fresh value is created each time a Nonce value is needed. A random number is often used as a nonce, which allows for a small possibility of the same value being used more than once. A Nonce can also be a time stamp or a counter, which prevents the same value from being used more than once. A fresh Nonce value is created in the C-HTTP name server, on an as-needed basis, for each response, thereby making the value irreproducible.

34. The client-side proxy uses the public key and Nonce values to create a secure communication connection with the server-side proxy. When the server-side proxy receives the client-side proxy’s IP address, the hostname and public key, it authenticates the values and generates a connection ID as well as a second key for response encryption. The hostname is the domain name of the server-side proxy to which the user wants to communicate. When these are accepted and checked by the client-side proxy, the secure communication connection is established. Security between the proxies is made possible by the public key and Nonce values provided by the C-HTTP name server, and security between the user agent and its proxy is provided by the institution behind its firewall.

35. If a secure connection with the requested host is not permitted, an error status is sent back by the name server to the client-side proxy. The client-side proxy then acts exactly like a conventional DNS proxy server; it sends a standard domain name service lookup request asking for the corresponding IP address from a public DNS server. Once the IP address is obtained, a typical non-secure communication may take place.
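The connection set-up that paragraphs 31 through 35 summarise (client-side proxy, C-HTTP name server, server-side proxy, with the plain-DNS fallback on denial and the single-use nonces of paragraph 33) as a runnable model. This is an added example, not code from Kiuchi's paper or from the declaration; the hostnames, addresses, registry, permission table and the derivation of the connection ID and response key are constructed placeholders, and the asymmetric encryption and signatures Kiuchi applies to the name-server messages are not modelled.

```python
"""Model of the C-HTTP connection set-up: client-side proxy -> C-HTTP name
server -> server-side proxy.  Added example; all names, addresses, keys and
the key derivation are constructed placeholders, not values from Kiuchi."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class NameServerReply:
    status: str                          # "ok" or "error"
    ip: Optional[str] = None             # IP address of the server-side proxy
    public_key: Optional[str] = None     # public key of the server-side proxy
    request_nonce: Optional[str] = None  # both nonces are fresh per reply
    response_nonce: Optional[str] = None


class CHTTPNameServer:
    """Resolves hostnames, but hands out an address, key and nonces only when
    the closed-network policy permits the requesting proxy to reach the host."""

    def __init__(self, registry, permitted):
        self.registry = registry    # hostname -> (ip, public_key) of registered proxies
        self.permitted = permitted  # {(client hostname, target hostname), ...}
        self.issued = set()         # every nonce ever handed out

    def fresh_nonce(self):
        # Random nonce, re-drawn on the tiny chance of a repeat, so each value is used once.
        while True:
            nonce = secrets.token_hex(8)
            if nonce not in self.issued:
                self.issued.add(nonce)
                return nonce

    def lookup(self, client_host, target_host):
        if target_host not in self.registry or (client_host, target_host) not in self.permitted:
            return NameServerReply(status="error")  # denied: no IP, no key, no nonces
        ip, public_key = self.registry[target_host]
        return NameServerReply("ok", ip, public_key, self.fresh_nonce(), self.fresh_nonce())


class ServerSideProxy:
    def __init__(self, hostname, public_key):
        self.hostname, self.public_key = hostname, public_key
        self.seen_request_nonces = set()

    def accept(self, client_ip, hostname, public_key, request_nonce):
        """Check the request; return (connection_id, response_key) or None."""
        if hostname != self.hostname or public_key != self.public_key:
            return None  # not addressed to this proxy, or wrong key
        if request_nonce in self.seen_request_nonces:
            return None  # a nonce seen before means a replayed request
        self.seen_request_nonces.add(request_nonce)
        connection_id = secrets.token_hex(4)
        # Placeholder for the second key used to encrypt responses.
        material = f"{client_ip}|{request_nonce}|{connection_id}".encode()
        return connection_id, hashlib.sha256(material).hexdigest()


class ClientSideProxy:
    def __init__(self, hostname, ip, name_server, public_dns, reachable):
        self.hostname, self.ip = hostname, ip
        self.name_server = name_server
        self.public_dns = public_dns  # hostname -> IP, a conventional DNS (constructed)
        self.reachable = reachable    # ip -> ServerSideProxy, stands in for the network

    def connect(self, url):
        target = urlparse(url).hostname  # the domain name embedded in the URL
        reply = self.name_server.lookup(self.hostname, target)
        if reply.status != "ok":
            # Not a permitted secure host: act like a conventional DNS proxy.
            ip = self.public_dns.get(target)
            return {"mode": "plain", "ip": ip} if ip else {"mode": "unresolved"}
        server = self.reachable[reply.ip]
        result = server.accept(self.ip, target, reply.public_key, reply.request_nonce)
        if result is None:
            return {"mode": "refused"}
        connection_id, response_key = result
        # The link counts as established only once a connection ID and key came back.
        return {"mode": "secure", "ip": reply.ip, "connection_id": connection_id,
                "response_key": response_key, "response_nonce": reply.response_nonce}


def build_demo():
    """Constructed closed network: a coordinating center and one hospital proxy."""
    hospital_key = "pubkey-hospital-placeholder"
    name_server = CHTTPNameServer(
        registry={"utokyo.hospital": ("10.0.2.1", hospital_key)},
        permitted={("center.cscrg", "utokyo.hospital")},
    )
    hospital = ServerSideProxy("utokyo.hospital", hospital_key)
    client = ClientSideProxy("center.cscrg", "10.0.1.1", name_server,
                             public_dns={"www.example.com": "192.0.43.10"},
                             reachable={"10.0.2.1": hospital})
    return client, name_server, hospital
```

Calling `build_demo()` and then `client.connect("http://utokyo.hospital/records")` yields a secure connection, while a request for www.example.com falls back to the constructed public DNS entry.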

36. In Kiuchi, CSCRG and Hospital are top-level domain names. They are the final component within the domain name. That is, they appear after the last period in a domain name. Subordinate components of these domain names specify an institution in the closed network, such as the coordinating center or the University of Tokyo hospital.

37. I understand from Kiuchi’s paper that the C-HTTP name server includes code for generating Nonce values, code for determining whether a secure connection is permitted in response to a query, and code for returning a public key, request Nonce value and response Nonce value in response to a permitted request for a connection to a secured host. Such program code is indicative of a system that supports establishing a secure communication link. Indeed, the message from the C-HTTP name server that sends the public key, IP address and the request and response Nonce values to a querying computer shows that the name server supports establishing a secure communication link.

38. The C-HTTP name server performs name resolution; it returns an IP address in response to a request to connect with a permitted hostname. Name resolution is performed by a “lookup” of server-side or client-side proxy information as found in Section 2.3, steps 2) and 4) on page 65 of Kiuchi. The term “lookup” means the C-HTTP name server looks through a registry of information including domain names and corresponding IP addresses. Indeed, Kiuchi explicitly recites at the right hand column on page 68, “A C-HTTP based network is made available simply by installing proxies on the firewall and registering their information with the C-HTTP name server.” This means Kiuchi stores domain names and corresponding IP addresses with the C-HTTP name server.

39. Kiuchi describes computer communications over the Internet. The appendices in Kiuchi set out in detail specifications for the computer communication protocol and the functions performed by a C-HTTP name server. For a server to carry out the communication protocol and the name server functions, it must be suitably programmed. The functions performed by the C-HTTP name server take place when the server reads and executes instructions maintained in a computer memory. The computer memory is a non-transitory machine-readable medium. This is the normal operation of computers. The C-HTTP name server, like most every other server communicating on the Internet, necessarily includes a non-transitory machine-readable medium bearing executable instructions in the form of computer program code for controlling its functions.

40. The C-HTTP name server in Kiuchi authenticates the requests for IP addresses using cryptographic techniques. Kiuchi says so explicitly at page 65, “Both the request to and response from the C-HTTP name server are encrypted and certified, using asymmetric key encryption and digital signature technology.”

41. In Kiuchi, the secure communication connection between the client-side proxy and the server-side proxy is established without user involvement as made explicit by Kiuchi at page 68, “Negotiations concerning type and representation of objects are done between an origin server and user agent, using HTTP/1.0. As for these negotiations, C-HTTP is transparent to both of them.... End-users do not have to employ security protection procedures. They do not even have to be conscious of using C-HTTP based communications.”

TABLE OF APPENDICES

Appendix   Description
A.         Curriculum Vitae (CV) of Russell Housley
B.         List of Materials Considered
C.         RFC 1738
D.         RFC 1034

RUSSELL HOUSLEY

TECHNICAL SUMMARY

Russell Housley is currently serving as Chair of the Internet Engineering Task Force (IETF). He is co-author of Planning for PKI published by John Wiley & Sons. He was a key contributor to the Secure Data Network System (SDNS) protocol development group contributing to protocols for secure communications, certificate management, and keying material distribution. He co-authored the SDNS Security Protocol 4 (SP4) and Message Security Protocol (MSP). He also co-authored other security protocols such as the Secure Data Exchange Protocol (SDE) and IEEE 802.10c Key Management Protocol. He is editor and key contributor for the IETF Public Key Infrastructure using X.509 (PKIX) working group. PKIX is defining the Internet Public Key Infrastructure (PKI). He provides technical advice to the Department of Commerce and the Department of Defense on PKI and Key Management Infrastructure (KMI). Over the last ten years, he has performed security and vulnerability analyses of various communications architectures and security policies based on known threats and proposed certification criteria.

EDUCATION

M.S. Computer Science, George Mason University, Fairfax, VA, 1992
B.S. Computer Science, Virginia Polytechnic Institute and State University, Blacksburg, VA, 1982

BOOKS

Turner, Sean and Russ Housley. Implementing Email and Security Tokens: Current Standards, Tools, and Practices. New York: John Wiley & Sons, 2008.
Housley, Russ, and Tim Polk. Planning for PKI – Best Practices Guide for Deploying Public Key Infrastructure. New York: John Wiley & Sons, 2001.

PATENTS

US Patent 6,003,135: Modular security device
US Patent 6,088,802: Peripheral device with integrated security functionality
US Patent 6,904,523: Method and system for enforcing access to a computing resource using a licensing attribute certificate
US Patent 6,981,149: Secure, easy and/or irreversible customization of cryptographic device
US Patent 7,356,692: Method and system for enforcing access to a computing resource using a licensing attribute certificate

EMPLOYMENT HISTORY

Vigil Security, LLC, Founder and Owner (2002 - Present)

Beginning in March 2013, serving as Chair of the Internet Architecture Board (IAB), and beginning May 2013, serving as a member of the Internet Research Steering Group (IRSG).

From March 2007 to March 2013, served as Chair of the Internet Engineering Task Force (IETF). Managed the open and transparent technical standards process for the Internet.

From March 2003 to March 2007, served as the IETF Security Area Director. Provided leadership to many working groups that were developing security standards for the Internet, including the Public Key Infrastructure using X.509 (PKIX), IP Security (IPsec), Transport Layer Security (TLS), Secure MIME (S/MIME), Domain Keys Identified Mail (DKIM), Long-Term Archive and Notary Services (LTANS), and Multicast Security (MSEC) working groups.

From 2001 until March 2007, contributed to Wireless Local Area Network (WLAN) security solution development in the IEEE 802.11 working group.

Provide consulting on security protocols, security architectures, and Public Key Infrastructure (PKI).

Chair of CertiPath Policy Management Authority: Cross certifying with this Bridge Certification Authority for the defense and aerospace industry demonstrates operational excellence in identity management and security practices. Assisted with the transition from SHA-1 to SHA-256.

WiMAX Forum Policy Authority: Provide technical and policy advice to the WiMAX Forum for the PKI that is used to authenticate a WiMAX Device and the separate PKI that is used to authenticate the AAA server within a WiMAX network.

Consultant to U.S. Government: Helping with Crypto Modernization activities, especially in the areas of secure firmware loading, trust anchor management, public key infrastructure, and key management infrastructure.

Advisor: Member of the Advisory Board for the Georgetown Center for Secure Communications (GCSC) at Georgetown University, the Security and Software Engineering Research Center (S2ERC) at Georgetown University, and the Center for Information Assurance at the University of Dallas, Graduate School of Management. Technical advisor to Penango.

RSA Laboratories, Senior Consulting Architect (2001 - 2002)

Conducted research in PKI, security protocols, and implementation assurance.

Chairman of the Internet Engineering Task Force (IETF) S/MIME Working Group, and author of the Cryptographic Message Syntax (CMS). Author of RFC 3369 and RFC 3370, which update previous work on RFC 2630.

Editor and key contributor for the IETF Public Key Infrastructure using X.509 (PKIX) working group. Co-author of RFC 3279, RFC 3280, and RFC 3281, which update and extend previous work on RFC 2459. Co-author of RFC 3379, which defines requirements for a protocol to provide delegated path validation.

Helped develop standards for short-term and long-term security solutions for IEEE 802.11 Wireless Local Area Networks (WLANs). The previous effort, called WEP, has major flaws. The short-term solution must operate on the fielded hardware, but the long-term solution allowed for new hardware development. Co-inventor of the Counter with CBC-MAC (CCM) cryptographic mode, which provides both authentication and confidentiality using a single key.

Advisor to U.S. Government. Member of the President’s Export Council Subcommittee on Encryption (PECSENC). Technical advisor to the National Institute for Standards and Technology (NIST) on Public Key Infrastructure (PKI) and Key Management Infrastructure (KMI).

Developed a plan to improve the assurance of all RSA Security product development efforts.

SPYRUS, Chief Scientist (1994 - 2001)

Responsible for technical direction of SPYRUS cryptographic token products, PKI products, and standards strategy.

Developed electronic mail security protocol meeting the needs for industry, government, and military users by combining capabilities of MSP and S/MIME. Chairman of the Internet Engineering Task Force (IETF) S/MIME Working Group, and author of the Cryptographic Message Syntax (CMS), RFC 2630. Co-author of SDNS Message Security Protocol Revision 4.0, and editor of the companion ACP 120 specification, the Common Security Protocol.

As editor and key contributor for the IETF Public Key Infrastructure using X.509 (PKIX) working group, made significant contributions to the definition of the Internet Public Key Infrastructure (PKI). Co-author of RFC 2459, RFC 2528, and RFC 2585.

Prior to completing their work in 1999, Vice Chair of the IEEE LAN/MAN Security Working Group (IEEE 802.10). Co-author and editor of the Key Management specification (IEEE 802.10c) and major contributor to the IEEE 802.10a and 802.10e Local Area Network security standards.

Contributor to American National Standards Institute (ANSI) standards for the security of financial systems. Specializing in the areas of certificate management, key management, and cryptography, contributed to the X9.41, X9.42, X9.52, X9.55, and X9.57 standards.

Advisor to U.S. Government. Member of the President’s Export Council Subcommittee on Encryption (PECSENC). Technical advisor to the National Institute for Standards and Technology (NIST) on Public Key Infrastructure (PKI) and Key Management Infrastructure (KMI).

Served on the program committee and then the steering committee for the Network and Distributed System Security (NDSS) conference.

Vista Laboratory, Manager, Information Security Projects (1982-1994)

As a member of the SDNS protocol design team, helped design communications protocols for secure communication and over-the-air rekey. Co-author of Security Protocol 4 (SP4) and Message Security Protocol (MSP). Made significant contributions to the SDNS Key Management Protocol (KMP).

As a member of the SDNS INFOSEC Working Group, performed security and vulnerability analysis of the Defense Messaging System architecture and security policy based on known threats and proposed certification criteria.

Co-chair of the IEEE LAN/MAN Security Working Group (IEEE 802.10). Served on the IEEE Project 802 Executive Committee. Co-author of the Secure Data Exchange protocol (IEEE 802.10b).

Program manager and chief architect for the Trusted Xerox Network System. Responsible for the system design, system implementation, and coordination of the National Computer Security Center evaluation. Responsible for an annual budget of $1.2M.

Provided technical support for the Xerox Encryption Unit (XEU) and designed XEU enhancements. Designed and developed the Xerox Ethernet Tunnel (XET). The XET enables the XEU to be used in WANs and LANs. The tunneling protocol used in the XET was later published in RFC 3378.

As a member of the Privacy and Security Research Group (PSRG), helped design the privacy-enhanced electronic mail (PEM) system, including a certificate-based key management scheme. Also, helped start the Network and Distributed System Security (NDSS) conference, which has become an annual event sponsored by the Internet Society. Served on the first program committee, and then co-chair of the program committee in 1994.

US Air Force, Systems Programmer/Analyst (1982-1986)

Responsible for security and communications on five Honeywell Multics systems. Performed security audits on operating system modifications. Installed multilevel secure LAN between four systems using a Network Systems Corporation HYPERchannel and TCP/IP protocols.

Self-employed, Scientific Programming Consultant (1981-1982)

Designed, implemented, maintained, and documented interactive graphics software as part of a geographic data display system called TACK. Designed general graphics terminal and database interfaces. Development and testing was performed using an interactive graphics test bed that was used to gather graphics requirements for CAMS II.

PUBLICATIONS
RUSSELL HOUSLEY

BOOKS

Housley, Russ, and Tim Polk. Planning for PKI – Best Practices Guide for Deploying Public Key Infrastructure. New York: John Wiley & Sons, 2001.

Turner, Sean and Russ Housley. Implementing Email and Security Tokens: Current Standards, Tools, and Practices. New York: John Wiley & Sons, 2008.

PATENTS

US Patent 6,003,135: Modular security device
US Patent 6,088,802: Peripheral device with integrated security functionality
US Patent 6,904,523: Method and system for enforcing access to a computing resource using a licensing attribute certificate
US Patent 6,981,149: Secure, easy and/or irreversible customization of cryptographic device
US Patent 7,356,692: Method and system for enforcing access to a computing resource using a licensing attribute certificate

PAPERS

Branstad, Dennis, Joy Dorman, Russell Housley, and James Randall. "SP4: A Transport Encapsulation Security Protocol." In Tenth National Computer Security Conference Proceedings, September 1987, pp 158-161.

Branstad, Dennis, Joy Dorman, Russell Housley, and James Randall. "SP4: A Transport Encapsulation Security Protocol." In Third Aerospace Security Conference Proceedings, December 1987. [Revision of earlier work.]

Housley, Russell. "Encapsulation Security Protocol
