throbber
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
`In re Inter Partes Reexamination of
`
`U.S. Patent No. 7,418,504
`
`Larson et al.
`
`Issued: August 26, 2008
`
`For:
`
`AGILE NETWORK PROTOCOL FOR
`SECURE COMMUNICATIONS
`
`USING SECURE DOMAIN NAMES
`
`Control No.: 95/001,788
`
`Group Art Unit:
`
`3992
`
`Examiner: Roland Foster
`
`Confirmation No.: 5823
`
`\/\/\J\./\/\/g/M
`
`DECLARATION OF MICHAEL ALLYN FRATTO UNDER 37 C.F.R. § 1.132
`
`I, MICHAEL ALLYN FRATTO, declare that the following statements are true to the
`best of my knowledge, information, and belief, formed after reasonable inquiry under the
`circumstances.
`
`I.
`
`Background and Expertise
`
`I have been retained by Apple Inc. (“Apple”) to provide my opinions on topics
`I.
`raised in the above-referenced reexamination proceeding (the ‘788 reexamination).
`I am a
`citizen of the United States, and reside in Syracuse, New York. My c.v. is attached as Exhibit A.
`I am being compensated for my time at a rate of $250.00 per hour.
`
`I am presently Editor of the Network Computing magazine and website. In that
`2.
`position, I review and evaluate networking products, including network security products, and
`report on industry developments in the field of networking and network security.
`I also write
`articles about network infrastructure, data center, and network access control items which are
`published on the Network Computing website.
`I also presently serve as an adjunct faculty
`member of School of Information Studies at Syracuse University.
`
`I understand that the ‘788 reexamination involves U.S. Patent No. 7,418,504 (the
`3.
`“’504 patent”), and that VimetX Inc. owns the ’504 patent (“Patent Owner”).
`I have reviewed
`the ‘504 patent as well as the materials listed in Exhibit B.
`
`I understand that the Requestor explained that the earliest date that any of the
`4.
`claims of the ‘504 patent were entitled to benefit was February 15, 2000.
`1 did not see any
`argument in the Response from the Patent Owner disputing this. Accordingly, I have used this
`date to make my assessments of what was known to a person of ordinary skill in the art.
`
`1 am personally familiar with what a person of ordinary skill in the art would have
`5.
`known in February of 2000 about the field of the ‘504 patent.
`I believe a person of ordinary skill
`in the art would have had a master’s degree in computer science or computer engineering and
`approximately two years of experience in computer networking and computer network security.
`
`Page 1 of 19
`
`VIRNETX EXHIBIT 2020
`
`Apple V. Vi1'netX
`IPR2016-003 32
`
`Page 1 of 19
`
`
`
`VIRNETX EXHIBIT 2020
`Apple v. VirnetX
`IPR2016-00332
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`Since before 1999, l have had an extensive background and experience in network
`6.
`security systems, software and related technologies. In my position on the staff of Network
`Computing, I conducted and wrote comparative product reviews of networking and security
`products. I also interviewed IT administrators and executives about networking and security
`issues to understand their needs and the ability of products to address those needs.
`
`By February of 2000, I had personally evaluated, tested and reviewed hundreds of
`7.
`products and technologies related to networking. During the course of a typical review, I would
`first define the set of problems the product was attempting to solve. This required me to
`understand the technologies and standards related to that problem set, and to create a set of
`comparative measures by which to assess the product, its performance and its functionality.
`When I performed a review, I would set up a test network with the product, verify its operation,
`conduct the tests, and ensure the results were accurate. During the period 1997 to 2000, my
`particular focus was on remote networking products including modems, ISDN, and virtual
`private networking products, development of secure and insecure networking standards, and
`network and host-based firewall products.
`
`II.
`
`Solana and Reed Are Printed Publications That Were Available Well Before
`
`February of 2000
`
`I understand that the Patent Owner is challenging that the Solana and Reed papers
`8.
`were publicly distributed I have been told that in order to qualify as a printed publication within
`the meaning of §l02, a reference “must have been sufficiently accessible to the public interested
`in the art” prior to the filing date of the patent.
`
`From my personal experiences, I am aware that research topics developed by
`9.
`academic researchers are often presented at industry conferences. To present a topic at a
`conference, a researcher typically has to submit a written paper summarizing the topic and his or
`her research for review by the conference representatives, often well before the conference was
`held. The conference organizers select only some of these papers for presentation at the
`conference. The papers selected for presentation are usually distributed before, but no later than
`during the conference, which allows attendees to read them and discuss their findings with the
`presenting researcher. The presented papers are typically then published as a compendium,
`made available for sale, and distributed to research institutions, libraries, and on-line reference
`databases normally available to researchers. The works in these compendia can be found and
`retrieved via a variety of sources such as on-line indexes, library card catalogs, and via citations
`in other publications.
`
`Solana is a printed publication that was publicly distributed and published via this
`10.
`conventional process. In particular, Solana was publicly distributed as part of a compendium
`published by Springer-Verlag in 1998 called “Lecture Notes in Computer Science” (“LNCS”),
`specifically at Volume 1361, pages 37-51.
`I am aware of publications on the Internet that
`identify the publication date of Solana as occurring in 1997. For example, a thesis by Mr. Solana
`entitled “Collaborative domain in intemet environments” cites the Solana paper in its
`Bibliography as follows:
`
`[119] Solana, E. and Harms, J. Flexible Internet Secure Transactions Based on
`Collaborative Domains. Proceedings of the 5th Security Protocols International
`
`Page 2 of 19
`
`Page 2 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`Workshop. Paris 7th - 9th April 1997. Springer-Verlag Lecture notes in computer
`science; Vol. 1361.
`
`As the Springer-Verlag website (www.springer.com) explains, the LNCS series
`11.
`“has established itself as a medium for the publication of new developments in computer science
`and information technology research and teaching - quickly, informally, and at a high level.” It
`further explains that “LNCS has always enjoyed close cooperation with the computer science
`R&D community, with numerous renowned academics, and with prestigious institutes and
`learned societies. Our mission is to serve this community by providing a most valuable
`publication service.” According to the publisher’s website, the book in which Solana was
`published “constitutes the strictly refereed post-workshop proceedings of the 5th International
`Workshop on Security Protocols, held in Paris, France, in April 1997.” Moreover, the
`publisher’s website indicates that the papers in the compendium were presented at the workshop.
`In particular, it notes: “The 17 revised full papers presented address all current aspects of
`security protocols.” Thus, as is customary, the papers of this compendium were distributed to
`the conference attendees and then collected, edited, and published. In short, Solana was formally
`published and publicly available as of the conference date in 1997, and no later than 1998 when
`Volume 1361 of Lecture Notes in Computer Science was formally published. Either way, the
`publication and public dissemination of Solana occurred well before the February 2000 date by
`which the ’504 is to be evaluated. See Exhibit C.
`
`Reed is a printed publication that was distributed as part of the published
`12.
`proceedings of the 12"‘ Armual Computer Security Applications Conference that occurred in
`1996. The Association of Computing Machinery (ACM) website lists the publication date of
`Reed as follows:
`
`Proxies or Anonymous Routing
`
`Authors: M._G..Be.ed
`L
`D_M_Gnldschlaa
`
`1996 Article
`
`nmmimmma ISBN:0-8186-7606-X
`
`- Proceedlng
`ACSAC '96 Proceedings of the 12th Annual Computer Security Applications
`Conference
`Page 95
`IEEE computer saucy vvasnington. oc. USA @1993
`
`—-Iainunmemcs
`' Downloads (8 Weeks); 0
`‘ Downloads (12 Months): 0
`~ Gtabn Count: 22
`
`As its citation indicates, the Reed publication was publicly distributed during the
`13.
`12th Annual Computer Security Applications Conference held in 1996, a fact that is noted on
`page 1 of the publication. The IEEE website confirms that the 12"‘ Armual Computer Security
`Applications Conference was held between December 9-13, 1996. The ACSAC website also
`indicates in program materials for this Conference that Mr. Reed's paper was presented and
`made available to attendees in the session between 3:30 and 5:30 on Wednesday December 11,
`1996 in the Track B session of the conference. http://wvvw.acsac.org/pastconf/1996/wed.html.
`The program materials note that “Paper sessions include refereed papers that describe the latest
`in implementations and applications-oriented research.” See id
`
`Page 3 of 19
`
`Page 3 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`Reed also was distributed to the public in 1996 as part of a formally published
`14.
`treatise published by the IEEE Computer Society entitled “ACSAC ’96 Proceedings of the 12th
`Armual Computer Security Applications Conference” (ISBN:O-8186-7606-X). The IEEE
`Computer Society is a well-known and highly regarded publisher of technical papers in the field
`of computers and computer networking. As the IEEE website explains, in the Computer Society
`subsection, it “has been providing conferences and workshops with professional publishing
`services for over 35 years.” See,
`http://www.ieee.org/publications_standards/publications/authors/conference__proceedings.html.
`The IEEE Computer Society’s website also confirms that its post-conference treaties compiling
`papers presented at its conferences are made publicly available. See Id. at
`http://www.computer.org/portal/web/cscps/faq. The IEEE website also notes that “Proceedings
`published by CPS are submitted for professional indexing.” Id. at
`http://www.computer.org/portal/web/cscps/faq.
`
`Thus, the Reed printed publication was published and publically available as of
`15.
`the conference date and at least by December 31, 1996 when the ACSAC ’96 Proceedings
`treaties was published. Either way, the Reed publication was publicly disseminated well before
`February 15, 2000.
`
`III.
`
`The Request For Comments (“RFCs”) Documents are Printed Publications
`
`On pages 8-9, of the Response, the Patent Owner contends that there is no
`16.
`evidence that several of the RFC documents cited in the Request and the Office Action were
`published on the dates indicated on each of the RFC documents.
`1 disagree.
`
`The Internet Engineering Task Force (IETF) is responsible for the standardization
`17.
`process and governance of Internet protocols and processes. The IETF uses several types of
`documents to publish the work within the IETF and uses an established publication procedure.
`An RFC is a “Request for Comments” publication. The RFC series publication began in 1969.
`http://www.rfc-editor.org/RFCoverview.html. The RFC series is the publication vehicle for
`technical specifications as well as policy documents produced by the IETF, and also the IAB
`(Internet Architecture Board), and the IRTF (lntemet Research Task Force). http://wvvw.rfc-
`editor.org/RFCoverview.html. As the IETF website explains, the RFC series “[c]ontains
`technical and organizational documents about the lntemet, including the technical specifications
`and policy documents produced by the Internet Engineering Task Force.” http://www.rfc-
`editor.org/RFC Editor home page. The RFC editor publishes RFCs online. Id.
`
`The specific process for publication of RFCs as of October 1996 was set forth in
`18.
`Best Current Practice 9 (BCP 9). That document explains that RFC’s are “published through the
`RFC mechanism.” BCP 9 at 7, available at http://tools.ietf.org/html/bcp9. According to that
`mechanism “Each distinct version of an Internet standards-related specification is published as
`part of the ‘Request for Comments’ (RFC) document series. This archival series is the official
`publication charmel for Internet standards documents and other publications of the IESG, lAB,
`and Internet community.” Id. at 5. As further explained, “RFCs can be obtained from a number
`of Internet hosts using anonymous FTP, gopher, World Wide Web, and other Internet document-
`retrieval systems.” Id.
`
`Page 4 of 19
`
`Page 4 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`The IETF website also explains that “Historically, all RFCs were labeled Network
`19.
`Working Group. ‘Network Working Group’ refers to the original version of today’s IETF when
`people from the original set of ARPANET sites and whomever else was interested -- the
`meetings were open -- got together to discuss, design, and document proposed protocols
`[RFC0003].” Section 3.1 of RFC 5741 at 3 available at (http://www.rfc-
`editor.org/rfc/rfc574l .txt).' As firrther explained, the right colurrm of each RFC publication
`contains the name of the author and his or her affiliation, as well as month and year in which that
`the RFC was published and made publicly available. Id. at 3. The RFC number is the number
`“assigned by the RFC Editor upon publication of the document.” Id. at 4.
`
`As further explained by the IETF website “When an RFC is published, an
`20.
`armouncement is sent to ietf-armounce and rfc-dist mailing lists. The canonical URI is of the
`form: http://www.rfc-editor.org/rfc/rfcXXXX.txt.” See http://www.rfc-
`editor.org/pubprocess.html.
`
`The IETF maintains historical archives of all RFCs that have been published
`21.
`through its transparent procedures. The month and year of the armouncement of each RFC
`corresponds to the publication date reported on each RFC.
`In my experience, armouncements
`include a hyperlink to allow viewers of the armouncement to jump directly to the RFC document.
`
`As further noted on the IETF website “Published RFCs never change.”
`22.
`http://www.ietf.org/rfc.html. “When an RFC is updated, it gets a new number.”
`http://www.ietforg/newcomers.html. Thus, if a topic addressed in an RFC results in a new
`version of that standard, protocol or topic, the new version will be published with a different
`RFC number and in a document reflecting the new date of distribution of that document.
`
`The lETF’s process is fully transparent and anyone can join and participate via
`23.
`email lists (where the bulk of the work is done) free of charge. Individuals working in the field
`of computer networking in February of 2000 would be very familiar with the RFC publication
`procedures administered by the IETF, and would know that RFCs are indexed, organized by
`subject matter, published in a regular and transparent manner, and distributed via numerous
`pathways. Indeed, an essential feature of the IETF process is that it is a public and wholly
`transparent process.
`
`Thus, the RFC documents cited in the Request and in the Office action would
`24.
`each have been published during the month and year that is listed in the heading of the RFC in
`accordance with IETF BCP 9. Each of these RFCs also would have been publicly distributed by
`the IETF and armounced via their mailing list during the month and year listed in the heading of
`the RFC, and thus would have been publicly available without restriction as of the date noted on
`the document.
`
`I The top most left line in each RFC identifies the working group within which the RFC was
`discussed, e.g., lntemet Engineering Task Force (IETF), lntemet Architecture Board (IAB),
`lntemet Research Task Force (IRTF), and Independent Submission. Id. at 3-4.
`
`Page 5 of 19
`
`Page 5 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`IV.
`
`Initial Comments on the Claims and Specification of the ’504 Patent
`
`The ’504 claims use the term “domain name service system” (DNS systems) to
`25.
`refer to systems that are able to establish secure communication links.2 This phrase is not used
`in the ’504 patent other than in the claims.
`
`The ’504 claims indicate the DNS systems must be able to (i) store domain names
`26.
`and associated IP addresses of those domain names and (ii) receive domain name queries for
`network addresses. These two functions together constitute the well-known DNS lookup
`functionality that is integral to the domain name system of the Internet. The ’504 patent uses the
`term “DNS server” to refer to this look-up fimctionality. See, e.g., ’504 patent at col.39, ll.7-9.
`(“Conventional Domain Name Servers (DNSs) provide a look-up function that returns the IP
`address of a requested computer or host.”)
`
`The ’504 patent uses a different term, “DNS proxy server,” to refer to the
`27.
`functionality in the DNS system that creates a secure communications link. See, e.g., ’504 patent
`at col.6, ll.11-13 (“a DNS proxy server that transparently creates a virtual private network in
`response to a domain name inquiry”). The ’504 patent also uses different terms when describing
`combinations of DNS server and DNS proxy functionalities. For example, the ’504 patent states
`“a modified DNS server 2602 includes a conventional DNS server function 2609 E a DNS
`proxy 2610.” ’504 patent at col.39, 1.67 — col.40, l.5. Similarly, it says that a “specialized DNS
`server” “traps DNS requests, and if the request is from a special type of user
`the server does
`not return the true IP address of the target node, but instead automatically sets up a virtual private
`network between the target node and the user.” ’504 patent at col.39, ll.46-51. Thus, in the ’504
`patent and its claims, the conventional lookup functionality (i.e., the “DNS server”) is different
`from functionality that establishes secure communication links (i.e., the “DNS proxy server”)
`and both are different from a “DNS system” which has at least these two functionalities.
`
`The claims also require the DNS systems to “comprise an indication that the
`28.
`domain name service system supports establishing a secure communication link” (claim I).3
`There is no discussion in the ’504 patent of what constitutes an indication that the DNS system
`supports establishing a secure communication link or how to implement this fimctionality.
`
`The way the ’504 claims are written does not require the “indication” function to
`29.
`be implemented in the DNS lookup step (i.e., the “DNS server” function). At a minimum, this
`means that the claimed DNS systems can implement the required “indication” functionality
`independently from the DNS lookup fimctionality. This make sense, because a DNS lookup
`function, like an address book, is simply an information resource service, e.g., it pairs
`information about domain names and their corresponding IP addresses, and delegates name
`resolution for domain names for which it does not have information to other DNS’s, consistent
`with the description of the DNS function in the ’504 patent at col.39, ll.7-13. I also note the
`
`Claims 1-35 define DNS systems and claims 36-59 define media including computer executable code used
`2
`to create DNS systems. Claim 60 defines a process with steps corresponding to ftmctions listed in claims 1 and 36.
`
`The other independent claims (36, 60) indicate that the DNS system must support an indication that the
`3
`DNS system supports establishing a secure communication link.
`
`Page 6 of 19
`
`Page 6 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`$9 66
`“indication” required by the claims is that the “DNS system supports establishing” a secure
`communication link. One of ordinary skill in the art would understand “supports establishing” to
`mean simply “assists” or “facilitates” establishing a secure communication link.
`
`The ’504 patent claims also do not require the DNS systems to implement all of
`30.
`the functionalities listed in the claims on a single computer or within a single process. Instead,
`the ’504 patent makes it clear that a DNS system having these fimctionalities can be made up of
`different machines and/or distinct and separate processes, and that these can be distributed
`services. For example, the ’504 patent states at col.40, 11.44-48, that “It will be appreciated that
`the functions of DNS proxy 2610 and DNS server 2609 can be combined into a single server for
`convenience. Moreover, although element 2602 is shown as combining the fimctions of two
`servers, the two servers can be made to operate independently.” (Emphasis added.) Thus, a
`DNS system according to the claims can be distributed across multiple computer systems, can be
`implemented using elements of the system at remote locations, and can be implemented using
`distinct processes as long as they, in the aggregate, provide the fimctionalities listed in the
`claims. This also is consistent with the network-based nature of these DNS systems, and because
`they operate in compliance with Internet standards.
`
`I note that Dr. Keromytis states in 1] 16 of his Declaration that in one embodiment
`31.
`the “DNS server” itself “supports the establishment of a secure communication link” and that it
`does so “beyond merely returning a requested IP address or public key.” This description
`conflicts with what the ’504 patent is describing. Specifically, his comments are describing the
`features of a modified DNS server in Figure 26, which includes a conventional DNS server
`function (item 2609) ali separate fimctionalities that handle establishing secure communication
`links, which is referred to as the DNS proxy fimction (item 2610). As I explain above, the
`“modified DNS server” corresponds to a “DNS system” in the claims, not the DNS server alone.
`
`I also note that Dr. Keromytis’ description is not consistent with the claim
`32.
`language which does not reguire the DNS server element (i.e., the elements associated with the
`lookup fimction) to perform all of the fimctions of the “specialized DNS server” identified in the
`’504 specification. For example, nothing in the claims require “trapping” or returning non-true
`IP addresses of the target node or of “automatically” setting up anything.
`
`I also disagree with several of Dr. Keromytis’ statements implying that the ’504
`33.
`claims require lookup fimctions to be performed differently than how these lookups are done by
`conventional DNS servers. 1, the claims do not make this distinction — they either simply
`require the systems store domain names and associated IP addresses (e.g., claims 1, 36 and 60) or
`to perform conventional DNS lookups (e.g., claim 15, which states “the domain name service
`system is configured to provide, in response to the query, the network address corresponding to a
`domain name from the plurality of domain names and the corresponding network addresses”).
`See also, e.g., claims 20, 21 (the DNS system “comprises a domain name database, and wherein
`the domain name database stores the plurality of domain names and the corresponding network
`addresses”). Second, the ’504 description that Dr. Keromytis points to in 111] 17-19 of his
`Declaration makes clear that conventional DNS server fimction is distinct from the elements of
`
`the DNS system that establish the secure communication link. See, e.g., ’504 patent at col.39,
`1.67 — col.41, 1.59 (explaining that the DNS systems (2062) in Figure 26 contain distinct DNS
`server (2609) and a DNS proxy (2610) elements).
`
`Page 7 of 19
`
`Page 7 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`V.
`
`Solana
`
`Dr. Keromytis acknowledges that Solana describes a domain-based security
`34.
`architecture for Internet transactions, but seems to have overlooked or misunderstood several
`important features of the Solana systems and the environments in which they are to be deployed.
`In particular, Dr. Keromytis does not acknowledge in his analysis that systems such as the
`Solana system that are interoperable with Internet standards must inherently have certain
`capabilities, such as communicating in the TCP/IP protocol and performing DNS lookups.
`
`Solana describes a Collaborative Domains security architecture that can be used
`35.
`to handle “a generic Internet transaction (such as a WWW query...) taking place between two
`principals,. .. initiators (. . .the WWW client...) and responders (. . .the WWW server. . .).”
`Solana at 42. WW queries "typically contain domain names that require resolution into IP
`addresses for the query to be acted upon. To be able to handle WWW queries as it states it does,
`the Solana systems must be able to resolve domain names into IP addresses. A person familiar
`with Internet communication standards would recognize that this means that the Solana systems
`must perform DNS lookup functions.
`
`Solana also explains that its systems are designed to work within existing domain
`36.
`structures at the IP level (e.g., the public Internet structure). See Solana at 40-41 (“. . .we assume
`that the criteria to compose domains (for instance, according to security or administrative needs)
`are already established and that a naming convention for domains has been defined”) See also
`id. (indicating that in designing the Solana systems, they “concentrate exclusively on the impact
`that the domain collaboration might have in the provision of flexible and manageable
`mechanisms to secure Internet transactions.”). Thus, conventional domain name resolution
`processing does occurs.
`
`Solana describes an architecture that readily accommodates this required DNS
`37.
`lookup function. For example, Solana indicates that “naming information” is stored in the
`Directory Service (DS) using “existing naming infrastructures (DNS-sec, X.509). . .” Solana at
`43. The “naming information” stored in the DS enables the locating and retrieval of “certificates
`that bind domains to their public keys” which is necessary to enable the secure inter-domain
`communications per the Solana scheme. DNS-sec refers to “DNS Security Extensions”
`(published as RFC 2065 in January of 1997). See Exhibit D. DNS-sec is an add-on to the DNS
`server system and authenticates data by digitally signing records used in a DNS query. DNS-sec
`carmot perform its function as stand-alone software — it must be deployed through a DNS servers
`that conventionally respond to domain-to-IP translation queries. Thus, by indicating that the
`“naming information” is stored in a DNS-sec-based naming infrastructure, Solana necessarily is
`indicating that (i) the DS depicted in Fig. 1 of Solana includes DNS servers that incorporate
`DNS-sec security extensions, and (ii) the “naming information” stored in the DS must include
`both domain names and corresponding IP addresses, as both are used by these DNS servers.
`Also, I note that this explanation is consistent with the depiction of the DS as containing multiple
`servers — this is what the stacked cylinders in Figure 1 on page 43 of Solana are indicating.
`
`Solana also necessarily incorporates DNS server fimctionality based on the design
`38.
`of the DNS systems shown in Figure 1. Specifically, Solana shows an initiator (a user on a
`computer) communicating (e. g. sending a “WWW query”) through an encrypted and
`
`Page 8 of 19
`
`Page 8 of 19
`
`

`
`Reexamination Control No. 95/001,788
`
`Declaration of Michael Allyn Fratto
`
`authenticated charmel to a “Domain Border System” (DBS) element. Id at 43-44. Solana
`explains that the DBS “is the active player in the domain collaboration...” Id. at 43. As shown in
`Figure 1, the DBS receives the communication (e.g., a WWW query), and acts in response to it
`(e.g., by performing authentication, interacting with the LAD, DS, DAK and establishing
`authenticated or encrypted sessions between the principals). In this role, the DBS necessarily
`will perform DNS lookups using DNS servers (e.g., if the WWW query contains a domain name
`instead of an IP address). This description is consistent with the idea that the Solana systems
`integrate mechanisms (e.g., conventional DNS servers) to resolve domain names into IP
`addresses — whether in the DS or in other operational elements of the Solana system, such as the
`Domain Border System (DBS). See, e.g., Solana at 43-44 and Figure 1.
`
`In 1] 25 of his Declaration, Dr. Keromytis states that “Solana explains that the
`39.
`‘naming information’ is stored in the DS in the form of UNIs, which may include “a common
`name, an E-mail address, or a network address.” This is incorrect.
`
`According to Solana, UNI (Uniform Naming Information) consists of a common
`40.
`name (e.g., “Joe Smith”), an email address (e.g., joe@smith.com) or a network address (e.g., an
`IP address or a domain name) that is uniquely associated with a principal involved in a
`transaction being mediated by the Solana system. See Solana at 43 (a UNI is “needed to
`designate principals and domains globally and unequivocally”). For a “WWW query,” the
`principals will be a web client (the initiator) and a web server (the responder), and the UNI will
`be an email address or a network address. Both of these types of UNI will contain enough
`information (a user and a domain) to uniquely identify each principal. Solana explains that UNls
`are stored in a Local Authentication Database (LAD) in table, and have a one-to-one relationship
`to the public key of the principal (e.g., one network address to one public key). See Id (Fig. 1).
`
`Solana also explains that UNI information (e.g., the network address of a
`41.
`principal) may optionally be “published in the Directory Service.” Thus, contrary to what Dr.
`Keromytis is asserting, Solana is ngt saying that “naming information” is published in the DS in
`the form of a UNI as Dr. Keromytis states, and certainly not only in the form of an IP address.
`Instead, Solana explains that while UNI information may be published in the DS, “naming
`information” (including optional IP addresses) is stored in the DS using “existing naming
`infrastructures (DNS-sec, x.509)....” Id.
`
`Dr. Keromytis’ explanations at 111] 23-27 of his Declaration make no sense given
`42.
`how the Solana systems must function. Solana explains that its systems establish domain-to-
`domain relationships to allow principals in different domains to interact with each other without
`having to independently establish secure principal-to-principal relationships for each transaction.
`See, e.g., id. at 42. The Solana DNS systems do this by publishing “naming information” in a
`Directory Service (DS) linking particular domains to certificates that securely bind domains to
`their public keys. Id. at 43. Other domains can access this published information, find the public
`keys of domains using the “naming information,” and then use the public keys to establish a
`secure domain-to-domain communication link. In this scheme, simple logic dictates that the
`domain name will be published as part of the “naming information” in the DS.
`
`This also makes sense because a domain name is a single, fixed identifier for a
`43.
`domain that is used to navigate to the domain via the Internet domain name system. Publishing
`
`Page 9 of 19
`
`Page 9 of 19
`
`

`
`Reexamination Control No. 95/001,788
`Declaration of Michael Allyn Fratto
`
`the domain ngarrne in the DS enables other domains to reliably and efficiently locate the keys
`needed to set up inter-domain relationships. By contrast, publishing my IP addresses in the DS
`as Dr. Keromytis suggests would be illogical. 1, many different IP addresses can be
`associated with a single domain, and these associations may change or be eliminated, so if only
`IP addresses were included in “naming information,” it would not reliably identify domains, and
`if were disassociated from the domain, would render the Solana system inoperative. Second,
`Solana says that information stored as UNI in the LAD is not always published in the DS. lf Dr.
`Keromytis were correct (i.e., that a UNI only can contain an IP address and is the only thing
`published in the DS), situations would arise where Q “naming information” would be published.
`This would make discovery of the public keys needed for the Solana system to work impossible
`(e.g., requesting a certificate by searching for an “unpublished” IP address would fail because
`that information would not be in the DS). Third, publishing IP addresses in the DS to identify
`certificates binding public keys to domains could compromise the security of the Solana system
`(e.g., by exposing IP addresses of principals). Finally, nothing in Solana says that “naming
`

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket