OASIS Mailing List Archives

oasis-board-comment message



Subject: OASIS Board Approval of Trademark Waiver for DHS contributions of STIX, TAXII and CybOX specifications (was Agenda thread for 1 April Meeting)


Eduardo and oasis-board-comment list members:

The OASIS Board approved the trademark waiver for the DHS contributions of STIX, TAXII and CybOX specifications; details are in the message I sent to the CTI public list: https://lists.oasis-open.org/archives/cti/201604/msg00009.html

For convenience the text (but not attachments, see the link for those) is included below.

This relates to the recent board-comment-list discussion regarding the "Board Agenda", see https://lists.oasis-open.org/archives/oasis-board-comment/201603/msg00002.html for the latest in that thread.

The Board also took notice of the concerns Eduardo raised and has given an action to the Board IPR sub-committee to consider issues related to trademark assignment related to "non-competitive entities".  We also will schedule time in upcoming board meetings to review OASIS transparency, including use of the board-comment list and appropriate sharing of attachments for agendas.

Thanks for bringing these issues to our attention.

Regards Frederick

Frederick Hirsch
Chair, OASIS Board of Directors

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Frederick.Hirsch@us.fujitsu.com
Sent: Monday, April 04, 2016 11:45 AM
To: cti@lists.oasis-open.org
Cc: chet.ensign@oasis-open.org; jamie.clark@oasis-open.org
Subject: [cti] OASIS Board Approval of Trademark Waiver for DHS contributions of STIX, TAXII and CybOX specifications

Members of the Cyber Threat Intelligence (CTI) TC:

The OASIS Board has approved the waiver of its trademark-ownership policy for purposes of the DHS contributions of STIX, TAXII and CybOX specifications, to accept the nonexclusive license instead, so as to accommodate the continuous development of this work without interruption. The OASIS Board considers this waiver exceptional, in light of the perceived urgency of cybersecurity risks mitigated by the project and the inability of the contributor to immediately transfer the trademarks.

However, the Board does wish to caution DHS that there may be significant adoption risks with the retained trademark licenses and "TM" marks in an open standard or open source code. In the current technical environment, open development communities generally expect and receive freely available rights to use and incorporate such works without any concern, conditions, or restrictions. The ability to go forward without licensing or lawyering analysis accounts for the rapid, frictionless adoption and success of many open projects.

OASIS always strives for success and broad adoption of its committees' specifications. Therefore, we did wish to express our concern that the presence of unconventional or unexpected license reservations -- where the user must consider special terms from a specific agency, beyond the routine open standards group terms -- might significantly impair market adoption of this work, particularly internationally, and with other standards organizations.

We understand that the original intent of this project is to promote widespread adoption and use, not only with US federal agencies and their regular vendors, but also in communities and commercial sectors located elsewhere, including parties who may exchange threat data with each other but not the government. For that reason, we call your attention to the risk of negative reactions to anything that (even accidentally or cursorily) looks like parties might be required to seek permission from a US federal agency before using it or coding to it.

For that reason, as a suggestion but not a requirement, we urge DHS to consider re-visiting whatever process would be required to permit a full assignment of the trademark to OASIS, so to bring the work's licensing in line with most other open standards and open source work. That process might run concurrently with the committee's continued development, possibly permitting fewer licensing reservations in future versions. OASIS itself always takes reasonable steps to monitor and protect the names and trademarks of its specifications, so we do not believe that additional powers need to be retained by DHS, in order for the agency to enjoy the protections that may be its concern. We would be happy to work with the Department to explore whatever additional procurement process might be needed, to address the risk that communities and stakeholders outside of your current circle of participants might find the exceptional licensing off-putting.

The motion passed is the following:

"The Board resolves to waive IPR Policy section 5.3.1's requirement that all trademarks used in an OASIS specification shall be owned by OASIS, for the US Department of Homeland Security's contributions of STIX, TAXII and CybOX draft specifications to the OASIS CTI TC, conditioned on the terms of the following documents: (a) amendment to section 3(d) of the July 15, 2015 "Non-Exclusive License" between DHS and OASIS; (b) posting of the supplemental "Proposed trademark notice and conditions" from DHS, clarifying implementer and user rights to freely use trademarks; and (c) modification of the standard OASIS specification IPR notices and disclaimers text, to include the modified special DHS IPR notices and disclaimers; all as presented to the Board at its March 2016 meeting as negotiated by staff and DHS."

The three associated documents are attached.

If you have any comment please feel free to send to oasis-board-comment@lists.oasis-open.org or to chet.ensign@oasis-open.org

Thank you for your consideration.

regards, Frederick

Frederick Hirsch
Chair of the OASIS Board of Directors
