
Subject: RE: [chairs] Patent license friction...

First, IANAL, but I’ve had to work with them a lot over the last 4+ years re: IP issues on SAML…


See my 2 cents below…

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
I-name:  =Rob.Philpott

From: David RR Webber (XML) [mailto:david@drrw.info]
Sent: Thursday, April 27, 2006 11:43 PM
To: Frederick Hirsch
Cc: Chairs OASIS; ext Wachob,Gabe
Subject: RE: [chairs] Patent license friction...




Of course the other option is to have TC work that precludes patented material.

[RSP] Sure, TCs can (and probably should) always try to do this. But try as you might, this sometimes just isn’t possible.  And none of us can forget that no matter what IPR policies OASIS makes available and a TC adopts, there can very well be firms that aren’t OASIS members and aren’t participating in a TC’s work that might hold patents applicable to the TC’s work.  Even after the standard is approved and implemented, someone can come forward and try to claim patent infringement.  It’s difficult to design around patents you don’t know about.


I still do not see any IPR policy that specifically supports that option - other than the legacy policy.

[RSP] My point is that I’m not sure something like this can be satisfactorily codified in an official policy option.  Sure, you might say that the TC MUST NOT include any known patented technology, but this seems VERY risky to me and I don’t think I’d waste my time on such a TC. Your TC could go all the way through the development of your standard and go thru your public review only to then find as a result of the public review that someone holds some related IP.  What in the world would you do then?  You’re now in violation of your TC’s IPR policy and have to either start over to work around the IP or just give up.  Seems like a waste of time to me if you could just get the IP holders to offer the IP on an RF basis.


To my knowledge the BOD - despite Patrick's assertions that OASIS would - still has made no effort to accommodate the OSI concerns in this regard nor arranged any conference calls or interactions with OSI to move toward having OASIS TC work able to comply with OSI licensing needs.

[RSP] I do think these concerns should be specifically addressed (if they haven’t already – but I don’t recall seeing any announcement).


For the life of me I cannot see anything in SAML that anyone could legitimately claim to have a patented invention around.  But then again people have patents on the menu key sequence for bank ATMs - clearly a groundbreaking invention - key pad sequences.  Would be interesting to know exactly what about SAML is using such a unique mechanism that it is a patented system?

[RSP] “Legitimacy” is defined through the patent office (US and others) and by the courts if necessary; not by individuals like you, me, or other technologists participating in the TCs.  Fairly late in the SAML 1.0 TC’s work, RSA’s chief scientist came to me and said he firmly believed that 2 patents we held were directly applicable to a specific mechanism being used by SAML for web SSO.  I had not known about the patents and it wasn’t intuitively obvious to me at first, but he made a very strong case and convinced me of their applicability. I was then obligated to bring it to the TC’s attention.


If the SSTC had a policy of not including any “known” patented IP, the SSTC would have been forced to stop its work, analyze the IP, and figure out if it was possible to design around it.  Even IF there are those that didn’t believe the patents were relevant, it would take a court case to decide that should RSA continue to insist that they did.  SAML 1.0 could have been delayed perhaps by years since it would have meant fighting the battle against the claims or redesigning SAML to work around them. Instead, RSA “donated” the IP on an RF basis in order to promote the standard’s acceptability to the industry. Later, during SAML 2.0’s development, we incorporated technology contributed by members of the Liberty Alliance which brought some additional IP into play that was claimed by other companies.  All of the companies involved then offered the IP on an RF basis.


Assuming the patent may fall under the not-really-an-invention-at-all category - hopefully the SAML TC can re-factor their work so that it does not rely on any dubious or questionable patents in the first place...

[RSP] That is just NOT going to happen.  It is irrelevant whether everyone might think a patent claim is dubious or has questionable applicability. Redesigning around the IP would be difficult and time-consuming.


IMO, the best solution to this is to work with any companies that believe they hold applicable IP to get them to license that IP on an RF basis.  The OASIS IPR policy makes it explicit up front, and IMO, goes a long way toward helping to solve this issue.  Is it perfect?  Obviously not (as indicated by the OSI issue), but it represents the will of the general OASIS community at the time it was adopted.


W.r.t. SAML, all the companies involved have offered the IP on an RF basis.  IMO, the REAL issue in all of this is the type of license that those companies require adopters of the standard to accept in order to obtain that RF use of the IP. For the RSA patents we declared during SAML 1.0, we required implementers to download, sign and mail back a license (this was a fairly typical approach at the time).  More recently, companies with IP affecting open standards have been using a “defensive suspension” provision for licensing whereby you are granted rights by the IP holder without having to sign anything, but the rights are revoked if you ever try to claim patent infringement against that IP holder.


Specifically w.r.t. SAML 2.0, AOL offered this type of licensing.  Fidelity “meant” their license to work the same way, but it turns out the legal language was ambiguous.  We have been working to attempt to get this fixed.  RSA just kept their same approach that was in place from SAML 1.x, but we also have been working to change our license to a defensive suspension provision as well (stay tuned).





-------- Original Message --------
Subject: Re: [chairs] Patent license friction...
From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, April 27, 2006 5:51 pm
To: "ext Wachob, Gabe" <gwachob@visa.com>
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, "Chairs OASIS"


I believe the SSTC is operating under the legacy IPR policy. TCs  
under the current (new) policies incur much clearer and well-
understood obligations, which should go a long way toward reducing  
friction and confusion.

In general I believe the reason law tends to be difficult is that it  
is difficult to clearly state in language precise rules where the  
concerns of various parties are met. The new OASIS policy attempts to  
do this as clearly as possible, specifying the "features" of the  
license that may be used in the different IPR modes, providing more  
clarity on the licenses that may be obtained.

However, within the scope of the OASIS policy it is the right of a  
patent holder to write their license. Likewise it is not unreasonable  
to have more than one means of obtaining a license from a patent  
holder, although it may be in everyone's interest to make it easier.

In the specific example, I would take the "would" to indicate that a  
license will be granted if and when needed, which seems reasonable.  
I'd recommend consulting your attorney for advice if you haven't already  
done so.

However, I believe the current IPR policy is a big step forward  
toward clarity. However, as you note, it is realistic to expect to  
contact patent holders for licenses as needed.


regards, Frederick

Frederick Hirsch

[1] http://www.oasis-open.org/who/intellectualproperty.php

On Apr 27, 2006, at 4:59 PM, ext Wachob, Gabe wrote:

> This is a real basic question that has been nagging at me for  
> quite a while.
> Let's say I want to use an OASIS specification (let's take SAML 2.0 -  
> I'm not picking on them - but it makes a good illustration). I note  
> that there are various IPR disclosures at  
> http://www.oasis-open.org/committees/security/ipr.php - and some of these disclosures state  
> that the patent owners *will* license their Patents for the purpose  
> of SAML. Some express covenants not to assert claims. Some point to  
> blanket licenses on web sites.
> If I were a lawyer I would find this situation a) confusing, b)  
> scattered and c) potentially dangerous. For example, on that page,  
> Fidelty states that it "would grant to any other person or legal  
> entity a royalty-free, nonexclusive, nontransferable, license under  
> Fidelity's NECESSARY CLAIMS to implement the SAML v2.0 OASIS  
> Standard, and sell, promote or otherwise distribute the resulting  
> implementation. "
> Note the word "would". I don't see that Fidelity actually *has*  
> granted a license. Thus, while they would now have a hard time  
> enforcing the patent (given theories of estoppel, etc), I don't  
> believe that Fidelity actually *has* granted a license. It appears  
> that I have to go to Fidelity and get a license if I wish to use  
> SAML. (Not picking on Fidelity - they are just first on the list of  
> disclosers).
> Are people aware of this? Do users of SAML specifications actually  
> know that they apparently aren't actually licensed to use the  
> patents that Fidelity believes it has? Doesn't this (or rather, if  
> lawyers were paying attention, *shouldn't* this) be a concern? I  
> realize this TC operated under the legacy IPR policy - I wonder how  
> that affects things.
> If an implementer/user of SAML were to actually be careful with  
> their use of the SAML specs, they'd actually have to contact  
> Fidelity to execute the license. I think this should be  
> highlighted! If a contributor wants to contribute, and they don't  
> offer a covenant or other blanket license (or a URL to a blanket  
> license, etc), this potentially increases the friction for adoption.
> In an ideal world, there'd be one patent license that every patent-
> holder contributor would agree to -- I'm not naive to believe that  
> would happen (or that OASIS could force that to happen), but I do  
> believe in notice. Only as a persistent person who actually read  
> the entire IPR disclosure page did I notice that to use SAML 2 I  
> have to somehow negotiate a license with Fidelity. Most people  
> aren't going to do this and will be blissfully ignorant.
> I think as a practical matter, most patent holders who are  
> contributing to OASIS specs don't really want to deal with  
> individual licensing -- but OASIS IPR policy doesn't really push or  
> guide patent holders to put up blanket unilateral licenses -- it's  
> up to each IPR holder to license (or covenant) in whatever way  
> they want.
> I think, in short, that OASIS should guide patent holders towards  
> the lowest friction licenses possible by suggesting (not forcing)  
> patent holders to use a standardized license (or at least suggest  
> that patent holders post a "click-through" or unilateral license).
>    -Gabe
> P.S. If I'm wrong about any of the facts, please let me know ... I  
> could have easily missed something.
> __________________________________________________
> gwachob@visa.com
> Chief Systems Architect
> Technical Innovation and Standards Management
> Visa International
> Phone: +1.650.432.3696   Fax: +1.650.554.6817
