First, IANAL, but I’ve had to work with them a lot over
the last 4+ years re: IP issues on SAML…
See my 2 cents below…
From: David RR Webber
Sent: Thursday, April 27, 2006
To: Frederick Hirsch
Cc: Chairs OASIS; ext Wachob,Gabe
Subject: RE: [chairs] Patent
Of course the other option is to have TC work that precludes patented
[RSP] Sure, TC’s can (and probably should) always try
to do this. But try as you might, this sometimes just isn’t possible. And
none of us can forget that no matter what IPR policies OASIS makes available
and a TC adopts, there can very well be firms that aren’t OASIS members and
aren’t participating in a TC’s work that might hold patents
applicable to the TC’s work. Even after the standard is approved
and implemented, someone can come forward and try to claim patent infringement.
It’s difficult to design around patents you don’t know about.
I still do not see any IPR policy that specifically supports that
option - other than the legacy policy.
[RSP] My point is that I’m not sure something like
this can be satisfactorily codified in an official policy option. Sure,
you might say that the TC MUST NOT include any known patented technology, but this
seems VERY risky to me and I don’t think I’d waste my time on such
a TC. Your TC could go all the way through the development of your standard and
go thru your public review only to then find as a result of the public review
that someone holds some related IP. What in the world would you do
then? You’re now in violation of your TC’s IPR policy and
have to either start over to work around the IP or just give up. Seems
like a waste of time to me if you could just get the IP holders to offer the IP
on an RF basis.
To my knowledge the BOD - despite Patrick’s assertions that OASIS
would - still has made no effort to accommodate the OSI concerns in this
regard nor arranged any conference calls or interactions with OSI to move
toward having OASIS TC work able to comply to OSI licensing needs.
[RSP] I do think these concerns should be specifically
addressed (if they haven’t already – but I don’t recall
seeing any announcement).
For the life of me I cannot see anything in SAML that anyone could
legitimately claim to have a patented invention around. But then again
people have patents on the menu key sequence for bank ATMs - clearly a ground
breaking invention - key pad sequences. Would be interesting to know exactly
what about SAML is using such a unique mechanism that it is a patented system?
[RSP] “Legitimacy” is defined through the patent
office (US and others) and by the courts if necessary; not by individuals like
you, me, or other technologists participating in the TC’s. Fairly late
in the SAML 1.0 TC’s work, RSA’s chief scientist came to me and
said he firmly believed that 2 patents we held were directly applicable to a specific
mechanism being used by SAML for web SSO. I had not known about the
patents and it wasn’t intuitively obvious to me at first, but he made a
very strong case and convinced me of their applicability. I was then obligated to
bring it to the TC’s attention.
If the SSTC had a policy of not including any “known”
patented IP, the SSTC would have been forced to stop its work, analyze the IP,
and figure out if it was possible to design around it. Even IF there are
those that didn’t believe the patents were relevant, it would take a
court case to decide that should RSA continue to insist that they did. SAML
1.0 could have been delayed perhaps by years since it would have meant fighting
the battle against the claims or redesigning SAML to work around them. Instead,
RSA “donated” the IP on an RF basis in order to promote the
standard’s acceptability to the industry. Later, during SAML 2.0’s
development, we incorporated technology contributed by members of the Liberty Alliance
which brought some additional IP into play that was claimed by other companies.
All of the companies involved then offered the IP on an RF basis.
Assuming the patent may fall under the not-really-an-invention-at-all
category - hopefully the SAML TC can re-factor their work so that it does not
rely on any dubious or questionable patents in the first place...
[RSP] That is just NOT going to happen. It is
irrelevant whether everyone might think a patent claim is dubious or has
questionable applicability. Redesigning around the IP would be difficult and time-consuming.
IMO, the best solution to this is to work with any companies
that believe they hold applicable IP to get them to license that IP on an RF
basis. The OASIS IPR policy makes it explicit up front, and IMO, goes a
long way toward helping to solve this issue. Is it perfect? Obviously
not (as indicated by the OSI issue), but it represents the will of the general OASIS
community at the time it was adopted.
W.r.t. SAML, all the companies involved have offered the IP
on an RF basis. IMO, the REAL issue in all of this is the type of license
that those companies require adopters of the standard to accept in order to
obtain that RF use of the IP. For the RSA patents we declared during SAML 1.0,
we required implementers to download, sign and mail back a license (this was a fairly
typical approach at the time). More recently, companies with IP affecting
open standards have been using a “defensive suspension” provision
for licensing whereby you are granted rights by the IP holder without having to
sign anything, but the rights are revoked if you ever try to claim patent
infringement against that IP holder.
Specifically w.r.t. SAML 2.0, AOL offered this type of
licensing. Fidelity “meant” their license to work the same
way, but it turns out the legal language was ambiguous. We have been working
to attempt to get this fixed. RSA just kept their same approach that was
in place from SAML 1.x, but we also have been working to change our license to
a defensive suspension provision as well (stay tuned).
-------- Original Message --------
Subject: Re: [chairs] Patent license friction...
From: Frederick Hirsch <email@example.com>
Date: Thu, April 27, 2006 5:51 pm
To: "ext Wachob, Gabe" <firstname.lastname@example.org>
Cc: Frederick Hirsch <email@example.com>, "Chairs
I believe the SSTC is operating under the legacy IPR policy. TCs
under the current (new) policies incur much clearer and well-
understood obligations, which should go a long way toward reducing
friction and confusion.
In general I believe the reason law tends to be difficult is that it
is difficult to clearly state in language precise rules where the
concerns of various parties are met. The new OASIS policy attempts to
do this as clearly as possible, specifying the "features" of the
license that may be used in the different IPR modes, providing more
clarity on the licenses that may be obtained.
However, within the scope of the OASIS policy it is the right of a
patent holder to write their license. Likewise it is not unreasonable
to have more than one means of obtaining a license from a patent
holder, although it may be in everyone's interest to make it easier.
In the specific example, I would take the "would" to indicate that a
license will be granted if and when needed, which seems reasonable.
I'd recommend consulting your attorney for advice if you haven't already
However, I believe the current IPR policy is a big step forward
toward clarity. However, as you note, it is realistic to expect to
contact patent holders for licenses as needed.
On Apr 27, 2006, at 4:59 PM, ext Wachob, Gabe wrote:
> This is a real basic question that has been nagging at me for
> quite a while.
> Let's say I want to use an OASIS specification (let's take SAML 2.0 -
> I'm not picking on them - but it makes a good illustration). I note
> that there are various IPR disclosures at
> http://www.oasis-open.org/committees/security/ipr.php - and some of these disclosures state
> that the patent owners *will* license their Patents for the purpose
> of SAML. Some express covenants not to assert claims. Some point to
> blanket licenses on web sites.
> If I were a lawyer I would find this situation a) confusing, b)
> scattered and c) potentially dangerous. For example, on that page,
> Fidelity states that it "would grant to any other person or legal
> entity a royalty-free, nonexclusive, nontransferable, license under
> Fidelity's NECESSARY CLAIMS to implement the SAML v2.0 OASIS
> Standard, and sell, promote or otherwise distribute the resulting
> implementation. "
> Note the word "would". I don't see that Fidelity actually *has*
> granted a license. Thus, while they would now have a hard time
> enforcing the patent (given theories of estoppel, etc), I don't
> believe that Fidelity actually *has* granted a license. It appears
> that I have to go to Fidelity and get a license if I wish to use
> SAML. (Not picking on Fidelity - they are just first on the list of
> Are people aware of this? Do users of SAML specifications actually
> know that they apparently aren't actually licensed to use the
> patents that Fidelity believes it has? Doesn't this (or rather, if
> lawyers were paying attention, *shouldn't* this) be a concern? I
> realize this TC operated under the legacy IPR policy - I wonder how
> that affects things.
> If an implementer/user of SAML were to actually be careful with
> their use of the SAML specs, they'd actually have to contact
> Fidelity to execute the license. I think this should be
> highlighted! If a contributor wants to contribute, and they don't
> offer a covenant or other blanket license (or a URL to a blanket
> license, etc), this potentially increases the friction for adoption.
> In an ideal world, there'd be one patent license that every patent-
> holder contributor would agree to -- I'm not naive to believe that
> would happen (or that OASIS could force that to happen), but I do
> believe in notice. Only as a persistent person who actually read
> the entire IPR disclosure page did I notice that to use SAML 2 I
> have to somehow negotiate a license with Fidelity. Most people
> aren't going to do this and will be blissfully ignorant.
> I think as a practical matter, most patent holders who are
> contributing to OASIS specs don't really want to deal with
> individual licensing -- but OASIS IPR policy doesn't really push or
> guide patent holders to put up blanket unilateral licenses -- it's
> up to each IPR holder to license (or covenant) in whatever way
> they want.
> THE PROPOSAL:
> I think, in short, that OASIS should guide patent holders towards
> the lowest friction licenses possible by suggesting (not forcing)
> patent holders to use a standardized license (or at least suggest
> that patent holders post a "click-through" or unilateral
> P.S. If I'm wrong about any of the facts, please let me know ... I
> could have easily missed something.
> Chief Systems Architect
> Technical Innovation and Standards Management
> Visa International
> Phone: +1.650.432.3696 Fax: +1.650.554.6817