
security-services message



Subject: RE: [security-services] RSA Security IPR statement



Let me make a couple of points regarding patent issues.  My comments are
offered as one interested in promoting adoption and use of SAML, and in
particular promoting its adoption and use in the open-source community.

> FYI - Eve and I have discussed a general approach to including a
> reference in the specs.  A small, simple statement in the specs will
> just refer folks back to the OASIS site.  From there, they should be
> able to find the description of the process and a link for obtaining the
> license.

The initial discussion of the possible overlap between RSA patents and the
SAML specification focussed on the Browser/POST profile.  Having read the
patents, this profile does seem to be the one part of SAML that is
potentially related.  Since that time, as far as I can tell, statements
have not clearly distinguished between parts of SAML that are potentially
covered by this patent and parts that aren't.  The current statement of
intent linked to on the SSTC page says the patents "may be relevant to
practicing certain operational modes".

SAML is made up of several different technologies, and as the attestations
have shown, different implementations can use some parts and not others.
I believe it is in the interest of the SAML community for statements from
RSA to be precise about which parts of SAML it believes to be relevant to
their patents.  Otherwise, implementors will be left to wonder, and may
avoid SAML due to their uncertainty.

> FYI - In case it helps, the license will be very similar to that used by
> Entrust for their patent #5,699,431 for CRL management.  See
> http://www.ietf.org/entrust_license.html

While we all appreciate that RSA has chosen to make licenses available at
no cost, there is a difference between no-cost and no-hassle.  An obvious
comparison is with the procedure RSA chose for MD-2, MD-4, and MD-5:

  http://ietf.org/ietf/IPR/RSA-MD-all

which permits use of these algorithms without requiring interaction with
RSA.  If implementors of MD-5, and users of toolkits implementing it, had
to ask for licenses, even at no cost, I think we can agree how much (or
how little) MD-5 would be used.

As we have said, Internet2 plans to produce and distribute an open-source
SAML library.  I'm sure TC members are aware of the role of open-source
implementations in promoting the adoption of a technology standard.  I
fear that procedures like those in the cited Entrust license above will
simply put off potential adopters of SAML, to the detriment of all of us
who have an interest in its wide adoption.  I encourage RSA to consider a
blanket license for these patents that wouldn't require implementors to
register with RSA.

 - RL "Bob"



