Subject: RE: [security-services] RSA Security IPR statement
Let me make a couple of points regarding patent issues. My comments are offered as one interested in promoting adoption and use of SAML, and in particular promoting its adoption and use in the open-source community.

> FYI - Eve and I have discussed a general approach to including a
> reference in the specs. A small, simple statement in the specs will
> just refer folks back to the OASIS site. From there, they should be
> able to find the description of the process and a link for obtaining the
> license.

The initial discussion of the possible overlap between RSA patents and the SAML specification focussed on the Browser/POST profile. Having read the patents, this profile does seem to be the one part of SAML that is potentially related. Since that time, as far as I can tell, statements have not clearly distinguished between parts of SAML that are potentially covered by this patent and parts that aren't. The current statement of intent linked to on the SSTC page says the patents "may be relevant to practicing certain operational modes". SAML is made up of several different technologies, and as the attestations have shown, different implementations can use some parts and not others. I believe it is in the interest of the SAML community for statements from RSA to be precise about which parts of SAML it believes to be relevant to their patents. Otherwise, implementors will be left to wonder, and may avoid SAML due to their uncertainty.

> FYI - In case it helps, the license will be very similar to that used by
> Entrust for their patent #5,699,431 for CRL management. See
> http://www.ietf.org/entrust_license.html

While we all appreciate that RSA has chosen to make licenses available at no cost, there is a difference between no-cost and no-hassle. An obvious comparison is with the procedure RSA chose for MD-2, MD-4, and MD-5:

http://ietf.org/ietf/IPR/RSA-MD-all

which permits use of these algorithms without requiring interaction with RSA. If implementors of MD-5, and users of toolkits implementing it, had to ask for licenses, even at no cost, I think we can agree how much (or how little) MD-5 would be used.

As we have said, Internet2 plans to produce and distribute an open-source SAML library. I'm sure TC members are aware of the role of open-source implementations in promoting the adoption of a technology standard. I fear that procedures like those in the cited Entrust license above will simply put off potential adopters of SAML, to the detriment of all of us who have an interest in its wide adoption. I encourage RSA to consider a blanket license for these patents that wouldn't require implementors to register with RSA.

- RL "Bob"