
security-services message



Subject: RE: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1.2 submission to the SSTC)


Hal,

We can certainly include a discussion about your concerns in this call. It
would be great if we could come up with one or two specific questions that the
Chairs or others could then take forward and report back to the TC.


- prateek


-----Original Message-----
From: Hal Lockhart [mailto:hlockhar@bea.com] 
Sent: Monday, November 24, 2003 5:09 PM
To: Conor P. Cahill; Anthony Nadalin
Cc: security-services@lists.oasis-open.org
Subject: [security-services] Liberty IPR Issues (was: Liberty ID-FF 1.2
submission to the SSTC)

I share Tony's concerns that the nature of the IPR applying to the Liberty
submission is not clear enough. Five companies are listed on the link
provided by Tony on the Liberty Web site. (BTW, I looked in vain for this
link, I don't know how Tony managed to find it.)

The claims of Time Warner and Fidelity are listed as RF.

The claims of Citigroup and Catavault are listed as RAND and unfortunately
their description of what their patents cover is too broad to be useful.

The claim from Sony is most troublesome. It simply says "Please contact Sony
Corporation.for any further details." It is not clear to me that this is
even RAND. Perhaps the Liberty rules imply this, but then I don't know why
the 1st two companies filed necessary claims for RF. Obviously there is no
indication as to what the Sony claims might cover.

I would like to propose that the Chairs take an action to work with the
submitters and seek some clarification on the portions of the specs that
these claims address.

I note that Sony (Corporation of America) and Fidelity are OASIS members and
therefore have agreed to the OASIS IPR policy. As far as I can tell the
other three organizations are not OASIS members.

Finally, to respond to Conor's points:

> First off, with respect to version 1.2 of ID-FF, the IPR claims have not
> changed vs version 1.1 which has already been accepted by the SSTC.

That may be so, but little material from Liberty was incorporated into SAML
1.1. Certainly claims from these companies were not listed as a part of our
submission to OASIS. If it had been, I believe that there would have been
some no votes. I believe that some organizations have pledged to vote
against any specs with non-RF (or RANDZ if you prefer) claims against them.
I know we had some negative votes against XACML 1.0 for this reason.

Before we proceed on SAML 2.0 I would like to have a clearer idea if we are
standardizing features with IP encumbrances or not.

> Finally, does anyone out there really think that you can develop
> something more complex than main(){printf("hello world\n");} that isn't
> impacted by someone's (typically not one of the author's) IP?  I think
> NOT.  That isn't to say that we should ignore IP, but rather that we
> can't assume that anything we do will be RF, even if *ALL* of the
> authors agree to make it RF.

I stipulate that this is technically true, but I don't think we have done
nearly enough to try to learn the scope of these claims. SAML 1.1 is
believed to be encumbered by no more than the RSA mutual-RF claim and I have
not heard any vendor complain of "stealth IP" applying to SAML 1.0 or 1.1.

The Liberty submission may comply with the literal wording of the OASIS IPR
policy, but it is far from the spirit of "full disclosure."

Hal

> -----Original Message-----
> From: Conor P. Cahill [mailto:concahill@aol.com]
> Sent: Monday, November 17, 2003 9:02 AM
> To: Anthony Nadalin
> Cc: security-services@lists.oasis-open.org
> Subject: Re: [security-services] Liberty ID-FF 1.2 submission to the
> SSTC
>
>
>
>
> Anthony Nadalin wrote on 11/16/2003, 9:45 PM:
>  >
>  > As I read this and the Liberty site there are 5 companies that claim
>  > IP on the specifications, this puts an unknown burden on companies in the
>  > SS-TC that wish to see RF.
>
> First off, with respect to version 1.2 of ID-FF, the IPR claims have not
> changed vs version 1.1 which has already been accepted by the SSTC.
>
> Secondly, many of the IPR claims are RF (or at least reciprocal RF which
> is sometimes referred to as RANDZ) and those that aren't RF are RAND.
>
> Finally, does anyone out there really think that you can develop
> something more complex than main(){printf("hello world\n");} that isn't
> impacted by someone's (typically not one of the author's) IP?  I think
> NOT.  That isn't to say that we should ignore IP, but rather that we
> can't assume that anything we do will be RF, even if *ALL* of the
> authors agree to make it RF.
>
> Conor
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.


