security-services message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: RE: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1. 2submission to the SSTC)
- From: Michael McIntosh <mikemci@us.ibm.com>
- To: "Mishra, Prateek" <pmishra@netegrity.com>
- Date: Tue, 25 Nov 2003 14:42:04 -0500
During the call today Prateek asked
that I submit this question via email.
According to recent email and discussion:
The Liberty Alliance IPR policy requires its members to grant licenses
to Necessary Claims, with default licensing terms being Royalty Free. Members
may withdraw from this default grant by filing a Necessary Claims Disclosure
Notice (NCDN). Five of the Liberty participants have chosen to file
NCDNs.
My understanding is that these licensing
terms apply to Liberty implementations. They do not explicitly mention
implementations of specifications derived from Liberty (such as SAML 2.0).
Have the OASIS Members that have submitted
these specifications asked for or received any statements from the other
Liberty members regarding their intentions regarding licensing terms for
their IP? Is it expected (or stated anywhere) that the same terms granted
for Liberty implementations will apply to SAML implementations?
Thanks,
Mike
| "Mishra, Prateek" <pmishra@netegrity.com>
11/25/2003 11:04 AM
|
To:
"'Hal Lockhart'" <hlockhar@bea.com>
cc:
security-services@lists.oasis-open.org
Subject:
RE: [security-services] Liberty IPR
Issues (was: Liberty ID-FF 1. 2 submission
to the SSTC) |
Hal,
We can certainly include a discussion about your concerns in this call.
It
would be great we could come up with one or two specific questions that
the
Chairs or others could then take forward and report back to the TC.
- prateek
-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com]
Sent: Monday, November 24, 2003 5:09 PM
To: Conor P. Cahill; Anthony Nadalin
Cc: security-services@lists.oasis-open.org
Subject: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1.2
submission to the SSTC)
I share Tony's concerns that the nature of the IPR applying to the Liberty
submission is not clear enough. Five companies are listed on the link
provided by Tony on the Liberty Web site. (BTW, I looked in vain for this
link, I don't know how Tony managed to find it.)
The claims of Time Warner and Fidelity are listed as RF.
The claims of Citigroup and Catavault are listed as RAND and unfortunately
their description of what their patents cover is too broad to be useful.
The claim from Sony is most troublesome. It simply says "Please contact
Sony
Corporation.for any further details." It is not clear to me that this
is
even RAND. Perhaps the Liberty rules imply this, but then I don't know
why
the 1st two companies filed necessary claims for RF. Obviously there is
no
indication as to what the Sony claims might cover.
I would like to propose that the Chairs take an action to work with the
submitters and seek some clarification on the portions of the specs that
these claims address.
I note that Sony (Corporation of America) and Fidelity are OASIS members
and
therefore have agreed to the OASIS IPR policy. As far as I can tell the
other three organizations are not OASIS members.
Finally to respond to Connor's points:
> First off, with respect to version 1.2 of ID-FF, the IPR claims have
not
> changed vs version 1.1 which has already been accepted by the SSTC.
That may be so, but little material from Liberty was incorporated into
SAML
1.1. Certainly claims from these companies were not listed as a part of
our
submission to OASIS. If it had been, I believe that there would have been
some no votes. I believe that some organizations have pledged to vote
against any specs with non-RF (or RANDZ if you prefer) claims against them.
I know we had some negative votes against XACML 1.0 for this reason.
Before we proceed on SAML 2.0 I would like to have a clearer idea if we
are
standardizing features with IP encumberances or not.
> Finally, does anyone out there really think that you can develop
> something more complex than main(){printf("hello world\n");}
that isn't
> impacted by someone's (typically not one of the author's) IP? I
think
> NOT. That isn't to say that we should ignore IP, but rather
that we
> can't assume that anything we do will be RF, even if *ALL* of the
> authors agree to make it RF.
I stipulate that this is technically true, but I don't think we have done
nearly enough to try to learn the scope of these claims. SAML 1.1 is
believed to be encumbered by no more than the RSA mutual-RF claim and I
have
not heard any vendor complain of "stealth IP" applying to SAML
1.0 or 1.1.
The Liberty submission may comply with the literal wording of the OASIS
IPR
policy, but it is far from the spirit of "full disclosure."
Hal
> -----Original Message-----
> From: Conor P. Cahill [mailto:concahill@aol.com]
> Sent: Monday, November 17, 2003 9:02 AM
> To: Anthony Nadalin
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Liberty ID-FF 1.2 submission to the
> SSTC
>
>
>
>
> Anthony Nadalin wrote on 11/16/2003, 9:45 PM:
> >
> > As I read this and the Liberty site there are 5 companies
that claim
> > IP on the specifications, this puts a unknown burden companies
in the
> > SS-TC that wish to see RF.
>
> First off, with respect to version 1.2 of ID-FF, the IPR claims have
not
> changed vs version 1.1 which has already been accepted by the SSTC.
>
> Secondly, many of the IPR claims are RF (or at least reciprical RF
which
> is sometimes referred to as RANDZ) and those that aren't RF are RAND.
>
> Finally, does anyone out there really think that you can develop
> something more complex than main(){printf("hello world\n");}
that isn't
> impacted by someone's (typically not one of the author's) IP? I
think
> NOT. That isn't to say that we should ignore IP, but rather
that we
> can't assume that anything we do will be RF, even if *ALL* of the
> authors agree to make it RF.
>
> Conor
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave
_workgroup.php.
To unsubscribe from this mailing list (and be removed from the roster of
the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave
_workgroup.php.
To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]