RE: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1. 2 submission to the SSTC)

["Philpott, Robert" <rphilpott@rsasecurity.com>]

Folks - Preface to my comments: IANAL- and sorry this is long-winded...

Tony sent out the pointer to the WSS IPR page, but I think he should have
referred to item 2 on that page instead of item 1 when discussing
implementation.  As a couple of folks have pointed out, item 1 in the WSS IP
declaration refers only to permission for the WSSTC to create derivative
works from WS-Security without copyright issues.

So far, (I believe) this is the only part that SSTC has in place for
ID-FF... i.e. the rights for the TC to create a derivative work from the
Liberty ID-FF specs.  I don't feel we have any problem here (although Tony
may still disagree).

Now... Item 2 in the WSS IP declaration states:

"2. Each Author commits to grant a non sub-licenseable, non-transferable
license to third parties, under royalty-free and other reasonable and
non-discriminatory terms and conditions, to certain of their respective
patent claims that such Author deems necessary to implement required
portokions of the WS-Security specification, provided a reciprocal license
is granted."

This promises that the "authors" of the original WSS spec that was
contributed to WSSTC will grant RF-reciprocal license rights to anyone
implementing the OASIS TC spec for any IP claims ***that the Authors have***
that are needed to implement the specs.  Note that this DOES NOT MEAN that
ALL companies that have IP claims needed to implement WSS are going to do
this.  It JUST applies to the authors of the original WSS spec that was
contributed (or presumably the authors' respective companies - even though
that's not really what it says).  

Other companies MAY have IP needed to implement WSS that they don't want to
offer RF-reciprocal.  When those are known, implementers will need to obtain
licensing on whatever terms the claim holders wish to use.  So far, RSA has
made a claim, although it is RF-reciprocal also.  Are there others? Who
knows? ContentGuard is the only other company that I know of that has made
any statement to WSSTC regarding IP (and they claim they have none needed to
"practice" what's in a specific version of the WSSTC's specs).  So I think
Tony's statements have been factually correct w.r.t. the Authors of the
original WSS spec submission.  But he can't claim that there won't be any IP
issues for implementing WSS.

Now w.r.t. to SSTC, the submitters of the ID-FF specs to SSTC have NOT made
any statement regarding licensing to IP claims required to implement any
derivative works we create.

To be completely consistent with what happened for the original WSS spec
contribution, the contributors of the ID-FF specs [Jason Rouault (HP), Jeff
Hodges (Sun), Frederick Hirsch (Nokia), and myself (RSA)] would need to make
a statement that we are willing to grant RF-reciprocal licensing to any IP
claims needed to implement the SAML spec's that include ID-FF or derivative
works of the ID-FF contribution.  This does not mean that we would be
claiming that ALL companies with IP are granting RF-reciprocal rights.  "We"
can't do that, of course (just like the original WSS authors can't do it in
WSSTC).  

As one of the contributors of the ID-FF specs to SSTC, I am willing to make
a statement that RSA will offer RF-reciprocal licensing for implementing
SAML that includes derivative ID-FF content.  If the other contributors also
do this, then I believe we will have done exactly as was done in WSS.

Again, this does NOT address any IP claims that other companies may have for
implementing the derivative works.  The known ones are listed on the Liberty
site and have been mentioned in this email thread.  If those companies'
claims are going to be problematic for implementers of future SAML specs,
then we (SSTC) will need to be careful about moving ahead and actually
including that technology in the spec. 

Again - IANAL!, but that's my viewpoint on this matter.

Rob Philpott 
RSA Security Inc. 
The Most Trusted Name in e-Security 
Tel: 781-515-7115 
Mobile: 617-510-0893 
Fax: 781-515-7020 
mailto:rphilpott@rsasecurity.com 


> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@sun.com]
> Sent: Wednesday, December 03, 2003 11:33 AM
> To: Anthony Nadalin
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1.
> 2 submission to the SSTC)
> 
> Anthony Nadalin wrote:
> >>I did read the document.  Please show the wording that you think
> provides the derivative rights.
> >
> > Its pretty clear, in "Each Author grants permission to OASIS and OASIS
> > members the right to copy, display, perform, modify and distribute the
> Web
> > Services Security ("WS-Security") draft specification and to authorize
> > others to do the foregoing, in any medium without fee or royalty, for
> the
> > purpose of further developing the WS-Security specification in the WSSTC
> as
> > set forth in the draft WSS TC charter". I suggest you take this to your
> IP
> > folks or are you asking for derivative rights for what the WSS-TC
> creates ?
> 
> This has to do with copyright (the text of the specification as
> submitted), not patent licensing.  Are you saying that this is what has
> not been secured in the case of the Liberty contributions?  If so, I
> don't think it's true:
> 
> http://www.oasis-open.org/committees/security/ipr.php
> "Our Liberty Alliance Agreements grant, with board approval, copyright
> licenses needed to prepare derivative works, among other activities, as
> required by the OASIS IPR Policy, section 3.1(1)."
> 
> 	Eve
> --
> Eve Maler                                        +1 781 442 3190
> Sun Microsystems                            cell +1 781 354 9441
> Web Products, Technologies, and Standards    eve.maler @ sun.com
> 
> 
> To unsubscribe from this mailing list (and be removed from the roster of
> the OASIS TC), go to http://www.oasis-
> open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.