From: David RR Webber
Sent: Monday, May 01, 2006 9:19 PM
Cc: Chairs OASIS; Frederick Hirsch; John Messing
Subject: RE: [chairs] Patent
As a TC chair I've not had to cover IP on a spec' so I'm a
little surprised to find that this is not more formally addressed in the
OASIS specifications requirements.
I would expect something akin to:
a) All licensing requirements clearly stipulated as part of the body of
the specifications in a specific document section (beyond just the normal OASIS
[RSP] As IP issues can arise at any time, including after
the spec has been approved, I feel that putting such info in the spec is not a
good idea since it could end up being incomplete unless you rev the spec. The
current document template refers people to the IPR page on the TC web site and,
IMO, that should remain the authoritative, single place to go look for IP
claims and the required licensing for those claims. If the web site is not clear,
especially on the licensing process, TC administration should address it with
the IP claimants and get it corrected. But I personally don’t want
to see this stuff going in the specs.
b) Addendum entry that references points of contacts for members that
are asserting license claims
[RSP] As I said, IMO, the web site is sufficient.
c) Reference to a ZIP file stored in the TC documents area that
contains a copy of each actionable license from each such member.
[RSP] This MIGHT be a reasonable thing to do, but since
companies sometimes change their contract and licensing forms or update license
wording, they might not want to do this, and it runs the risk of becoming
incomplete as well. Also, since some IP might be asserted by companies
that are not OASIS members, you’d not likely get them to provide such a
file to include in the ZIP file.
I don’t believe the web site says this, but if other
non-member IP claims are known, there probably SHOULD be a place on the TC IPR
page to at least mention that and hopefully list who they are. I’ll
also point out that the IPR pages could be organized a bit better. Just
putting some links at the top to each of the individual declarations would be
helpful. As it is now, it’s just a set of letters appended to each other
and you have to just scroll through them.
We could then go one step further and note that members who waive the
right to include such entries a) thru c) - are therefore providing a RF license
for any relevant IP they may adjudge to be applicable either currently or
If this is not the case - I would suggest we ask the BOD to review this
urgently and create policy - before we get more IP related specifications out
there that are not clearly delimited.
[RSP] I certainly don’t feel that it’s not clear
who has made IP claims on SAML (they’re all on the web page at http://www.oasis-open.org/committees/security/ipr.php);
the TC process is quite clear about soliciting claim info from members and getting
those declarations posted. However, the licensing process in the Fidelity
statement IS currently ambiguous. This was actually pointed out to them recently
and we’ve been working with them to get that fixed (it’s almost
done). The licensing process for the AOL and RSA claims however are quite
clear. AOL uses a defensive suspension provision (i.e. you don’t
have to do anything to get an RF/RAND license, but if you bring any IP claims
against them, you lose that license). The current RSA process states that
implementers MUST download/sign/return a license from the RSA web site (link is
provided). Note that this will be changing very shortly as we have
submitted a new letter to OASIS in the past few days that changes our process
to a defensive suspension provision, ala the AOL declaration.
IMO, if there are TC’s with encumbered specs that don’t
have clear info on their TC IPR page for users of the specs, then that is a
problem that TC administration should address with the TC. I don’t
think we need additional, multiple places to put the info where the possibility
arises for one (i.e. the specs, a ZIP file) to become out-of-date.
It’s always a technology adopter’s responsibility
to find out whether they are using someone else’s IP, and if so, properly
licensing that IP. The current OASIS process is clear on how to locate
that info. OASIS can and should make sure that the info is clear on the
licensing process for each claim, but that’s a relatively minor admin
issue IMO. Once the claims and licensing process are declared, it’s the
responsibility of the IP holder to monitor industry use of their IP and ensure
that users are licensed. Otherwise, I believe they run the risk of losing their
rights to the IP because they didn’t attempt to defend their claims –
obviously IANAL so take this with a grain of salt :-) )
-------- Original Message --------
Subject: RE: [chairs] Patent license friction...
From: "Wachob, Gabe" <email@example.com>
Date: Mon, May 01, 2006 2:11 pm
To: "John Messing" <firstname.lastname@example.org>, "David RR
Cc: "Chairs OASIS" <email@example.com>,
Thanks for the perspective. I think my point may not have been made
very clearly - my point was merely that in many cases, these specs
require users/implementers/etc to take an affirmative step to request
and execute separate license from one or more patent-holding members.
I'd be surprised if most users of SAML actually go through the steps
of executing these licenses. And a big problem for large organizations
like Visa is that each one of these licenses has to be tracked and
reviewed by attorneys, etc. That sucks! We are left in a position where
we either use specs without executing proper licenses (and thereby
running the risk of *willful* infringement which runs up greater
damages) or going to a number of different companies to execute a number
of different licenses, each of which has to be reviewed and tracked
I'm not saying we can solve this problem here but there are two items
I am bringing up:
a) I don't know if people are really aware of the need to execute these
licenses in many cases. My previous email suggested that there isn't
nearly enough clarity for casual reviewers on what the licensing terms
are for these specifications and what the mechanics are for acquiring
and executing these licenses.
b) OASIS *can* begin to address the issue by suggesting (or at least
pushing large IP holder members to agree on) more uniform licensing
terms and licenses for patent holders wishing to contribute to RF/RAND
efforts. Additionally, the more licenses are unilateral (ie executed by
virtue of using the spec instead of being executed by virtue of signing
and returning to the licensor), the better, from an implementer's point
If vendors (who tend to be the ones holding the IP) want users to
adopt specs and standards, I would argue it's in the vendors' interest to
make IP licensing as easy as possible... Especially where the intent is
*not* to create revenue streams or exert control over a technology area
I would note that this is not unique to OASIS - a quick check of IETF
has many similar disclosures and promises to license (if you contact
each individual licensor) on its IPR disclosures page.
> -----Original Message-----
> From: John Messing [mailto:firstname.lastname@example.org]
> Sent: Friday, April 28, 2006 6:21 AM
> To: David RR Webber (XML)
> Cc: Chairs OASIS; Wachob, Gabe; Frederick Hirsch
> Subject: RE: [chairs] Patent license friction...
> Hi David and Gabe:
> The below-referenced U.S. patent was awarded in 2005 to Sun
> as assignee for "Single sign-on framework with trust-level mapping to
> authentication requirements"
> I think Gabe's original question is complicated by the period in which
> an OASIS standard was approved: one must keep in mind whether it
> occurred under a legacy IPR mode or one of the newer IP modes that are
> designed to be adopted by TC's by no later than next year.
> The American Bar Association's Science and Technology Law Section has a
> committee that is working on the relationship between patents and
> standards work.
> Currently IMHO there is no easy or simple answer to Gabe's inquiry.
> John Messing
> > -------- Original Message --------
> > Subject: RE: [chairs] Patent license friction...
> > From: "David RR Webber (XML)" <email@example.com>
> > Date: Thu, April 27, 2006 8:43 pm
> > To: Frederick Hirsch <firstname.lastname@example.org>
> > Cc: Chairs OASIS <email@example.com>, "ext
> > <firstname.lastname@example.org>
> > Gabe,
> > Of course the other option is to have TC work that precludes patented
> > material.
> > I still do not see any IPR policy that specifically supports that option
> > - other than the legacy policy.
> > To my knowledge the BOD - despite Patrick's assertions that OASIS would -
> > still has made no effort to accommodate the OSI concerns in this regard
> > nor arranged any conference calls or interactions with OSI to move toward
> > having OASIS TC work able to comply to OSI licensing needs.
> > For the life of me I cannot see anything in SAML that anyone could
> > legitimately claim to have a patented invention around. But then again
> > people have patents on the menu key sequence for bank ATMs - clearly a
> > ground breaking invention - key pad sequences. Would be interesting to
> > know exactly what about SAML is using such a unique mechanism that it is
> > a patented system?
> > Assuming the patent may fall under the
> > category - hopefully the SAML TC can re-factor their work so that it does
> > not rely on any dubious or questionable patents in the first place...
> > DW
> > -------- Original Message --------
> > Subject: Re: [chairs] Patent license friction...
> > From: Frederick Hirsch <email@example.com>
> > Date: Thu, April 27, 2006 5:51 pm
> > To: "ext Wachob, Gabe" <firstname.lastname@example.org>
> > Cc: Frederick Hirsch <email@example.com>, "Chairs
> > <firstname.lastname@example.org>
> > Gabe
> > I believe the SSTC is operating under the legacy IPR policy. TCs
> > under the current (new) policies incur much clearer and well-
> > understood obligations, which should go a long way toward reducing
> > friction and confusion.
> > In general I believe the reason law tends to be difficult is that it
> > is difficult to clearly state in language precise rules where the
> > concerns of various parties are met. The new OASIS policy attempts to
> > do this as clearly as possible, specifying the "features"
> > license that may be used in the different IPR modes, providing more
> > clarity on the licenses that may be obtained.
> > However, within the scope of the OASIS policy it is the right of a
> > patent holder to write their license. Likewise it is not
> > to have more than one means of obtaining a license from a patent
> > holder, although it may be in everyone's interest to make it easier.
> > In the specific example, I would take the "would" to indicate that a
> > license will be granted if and when needed, which seems
> > I'd recommend consult your attorney for advice if you haven't already
> > done so.
> > However, I believe the current IPR policy is a big step forward
> > toward clarity. However, as you note, it is realistic to expect to
> > contact patent holders for licenses as needed.
> > Thanks
> > regards, Frederick
> > Frederick Hirsch
> > Nokia
> >  http://www.oasis-open.org/who/intellectualproperty.php
> > On Apr 27, 2006, at 4:59 PM, ext Wachob, Gabe wrote:
> > > This is a real basic question that has been nagging at me for
> > > quite a while.
> > >
> > > Let's say I want to use an OASIS specification (let's take SAML 2.0 -
> > > I'm not picking on them - but it makes a good illustration). I note
> > > that there are various IPR disclosures at
> > > committees/security/ipr.php - and some of these disclosures state
> > > that the patent owners *will* license their Patents for the purpose
> > > of SAML. Some express covenants not to assert claims. Some point to
> > > blanket licenses on web sites.
> > >
> > > If I were a lawyer I would find this situation a) confusing, b)
> > > scattered and c) potentially dangerous. For example, on that page,
> > > Fidelity states that it "would grant to any other person or
> > > entity a royalty-free, nonexclusive, nontransferable, license under
> > > Fidelity's NECESSARY CLAIMS to implement the SAML v2.0 OASIS
> > > Standard, and sell, promote or otherwise distribute the
> > > implementation. "
> > >
> > > Note the word "would". I don't see that Fidelity
> > > granted a license. Thus, while they would now have a hard time
> > > enforcing the patent (given theories of estoppel, etc), I don't
> > > believe that Fidelity actually *has* granted a license. It
> > > that I have to go to Fidelity and get a license if I wish to use
> > > SAML. (Not picking on Fidelity - they are just first on the list of
> > > disclosers).
> > >
> > > Are people aware of this? Do users of SAML specifications
> > > know that they apparently aren't actually licensed to use the
> > > patents that Fidelity believes it has? Doesn't this (or rather, if
> > > lawyers were paying attention, *shouldn't* this) be a concern? I
> > > realize this TC operated under the legacy IPR policy - I wonder how
> > > that affects things.
> > >
> > > If an implementer/user of SAML were to actually be careful with
> > > their use of the SAML specs, they'd actually have to contact
> > > Fidelity to execute the license. I think this should be
> > > highlighted! If a contributor wants to contribute, and they don't
> > > offer a covenant or other blanket license (or a URL to a blanket
> > > license, etc), this potentially increases the friction for adoption.
> > >
> > > In an ideal world, there'd be one patent license that every patent-
> > > holder contributor would agree to -- I'm not naive to believe that
> > > would happen (or that OASIS could force that to happen), but I do
> > > believe in notice. Only as a persistent person who actually read
> > > the entire IPR disclosure page did I notice that to use SAML 2 I
> > > have to somehow negotiate a license with Fidelity.. Most people
> > > aren't going to do this and will be blissfully ignorant.
> > >
> > > I think as a practical matter, most patent holders who are
> > > contributing to OASIS specs don't really want to deal with
> > > individual licensing -- but OASIS IPR policy doesn't really push or
> > > guide patent holders to put up blanket unilateral licenses -- it's
> > > up to each IPR holder to license (or covenant) in whatever way
> > > they want.
> > >
> > > THE PROPOSAL:
> > > I think, in short, that OASIS should guide patent holders
> > > the lowest friction licenses possible by suggesting (not
> > > patent holders to use a standardized license (or at least
> > > that patent holders post a "click-through" or
> > >
> > > -Gabe
> > >
> > > P.S. If I'm wrong about any of the facts, please let me know ... I
> > > could have easily missed something.
> > > __________________________________________________
> > > email@example.com
> > > Chief Systems Architect
> > > Technical Innovation and Standards Management
> > > Visa International
> > > Phone: +1.650.432.3696 Fax: +1.650.554.6817
> > >
> > >