Re: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1.2submission to the SSTC)

["Eve L. Maler" <eve.maler@sun.com>]

On seeing Tony's original queries, I did some research with
Liberty folks on the IPR situation.  Conor has provided some
information already in response to Hal's message; following is
additional info that puts things into the OASIS context a bit
more.  Bill Smith of Liberty has agreed to be available for
questions if we discuss this in today's call.

The OASIS IPR policy[1] puts a priority on disclosure of the
existence of intellectual property rights, with efforts made by
OASIS to secure openly specified RAND terms where these have not
already been offered.  It should be noted that there is no
requirement that such terms be offered or received.  The Liberty
contributions are fully in compliance with this policy.

The Liberty Alliance IPR policy[2] goes considerably farther than
OASIS's, requiring its members to grant licenses to Necessary
Claims, with default licensing terms being Royalty Free.  Members
may withdraw from this default grant by filing a Necessary Claims
Disclosure Notice (NCDN) and instead offer RAND terms.  Five of
the approximately 150 Liberty participants have chosen to file
NCDNs[3][4][5][6][7], with three for issued patents and two for
pending applications.  RF terms have been specified in each case
where a patent has been issued.  RAND terms -- the minimum
required -- have been specified in each case where a patent is
pending (Catavault and Citigroup), though it is unclear whether
those patents will ever issue or in what form they might issue
(relevant claims might be refused).  Confidentiality provisions
prevent more detailed disclosure at this time.

To summarize, approximately 148 Liberty members are committed to
offer Royalty Free licenses to their Necessary Claims.  Two
participants have offered RAND licenses to Necessary Claims based
on pending patents that may never issue. A total of five
participants have issued NCDNs.  Rather than placing an "unknown
burden" on implementors, Liberty provides considerable assurance
regarding licensing terms.

Thus, the situation is much the same for the Liberty
contributions as for SAML 1.0, which has a disclosure from RSA
Security, Inc. (which indeed offers royalty-free licensing
terms[8] despite any assertions to the contrary).  For that
matter, the contributions are very much in the same situation as
other OASIS technologies such as XACML, where a disclosure from
IBM indicates that in princple it will offer RAND licensing terms
should its pending patent applications in this area issue[9].


[1] http://www.oasis-open.org/who/intellectualproperty.php
[2] http://www.projectliberty.org/specs/ipr.html
[3] http://www.projectliberty.org/specs/AOLTable.html
[4] http://www.projectliberty.org/specs/Fidelitytable.html
[5] http://www.projectliberty.org/specs/Sonytable.html
[6] http://www.projectliberty.org/specs/Catavaulttable.html
[7] http://www.projectliberty.org/specs/Citigrouptable.html
[8] http://www.oasis-open.org/committees/security/ipr.php
[9] http://www.oasis-open.org/committees/xacml/ipr.php


Conor P. Cahill wrote:

> 
> Hal Lockhart wrote on 11/24/2003, 5:08 PM:
> 
>  > I share Tony's concerns that the nature of the IPR applying to the
>  > Liberty submission is not clear enough. Five companies are listed
>  > on the link provided by Tony on the Liberty Web site. (BTW, I
>  > looked in vain for this link, I don't know how Tony managed to
>  > find it.)
> 
> There is a link for it on the specifications index page 
> (http://www.projectliberty.org/specs/index.html).
> 
>  > The claims of Time Warner and Fidelity are listed as RF.
> 
> Yes.
> 
>  > The claims of Citigroup and Catavault are listed as RAND and
>  > unfortunately their description of what their patents cover
>  > is too broad to be useful.
> 
> Both of these are related to patent applications, not issued patents, so 
> there is no way to reasonalby discover what will be covered since they 
> don't have any issued claims yet (and there's no guarantee that they will).
> 
>  > The claim from Sony is most troublesome. It simply says "Please
>  > contact Sony Corporation.
> 
> I agree that it would be useful for this to be clarified further.
> 
>  > I note that Sony (Corporation of America) and Fidelity are OASIS
>  > members and therefore have agreed to the OASIS IPR policy. As far
>  > as I can tell the other three organizations are not OASIS members.
> 
> Two points here:
> 
> a) Membership in the Liberty alliance (which requires companies
>     to disclose IPR as part of the approval process for Liberty
>     specifications) does not mean that the company is a
>     "contributor" of the specification to OASIS.  In other words,
>     these specifications were contributed by specific members and
>     not the entire organization.
> 
> b) I do believe that AOl is a member of OASIS (hence my participation).
> 
>  > The Liberty submission may comply with the literal wording of the
>  > OASIS IPR policy, but it is far from the spirit of "full disclosure."
> 
> The problem here is one for lawyers.  Liberty was made aware of some 
> real and some potential IPR that the holders claimed applies to some of 
> the work done by Liberty.  In some cases, Liberty received nothing more 
> than that (a statement that says "hey, we think something you're doing 
> is covered by our patent application").  In other cases Liberty recevied 
> more detailed analysis by the company as well as a statement as to the 
> licensing terms.  Liberty has reported the information that it has received.
> 
> Note that Liberty has not done any analysis of the claims for validity, 
> nor has there been any legal review, internal or external, of the claims 
>   (and neither does OASIS or any other standards body that I am aware of 
> -- unless, of course, litigation has been instigated by one of the parties).
> 
> So, Liberty has reported on what the potential claims have been. 
> Outside of those claims, the Liberty member agreement requires RF/RANDZ 
> from all members to all implementors -- something that is much stronger 
> than OASIS' IPR policies.
> 
> Conor
-- 
Eve Maler                                        +1 781 442 3190
Sun Microsystems                            cell +1 781 354 9441
Web Products, Technologies, and Standards    eve.maler @ sun.com