[wss] Re: WSS IPR Statement?

[Frank Siebenlist <franks@mcs.anl.gov>]

Ok, I'll assume for now that the currently published WSS IPR statement is the valid one - it was probably wishful thinking on my 
part that someone would replace it with an new, easier to read one ;-)

There was some dicussion in the first f2f meeting about the IPR issues that made me believe that the WSS spec and anything that 
would be based on it, would be made available on a RF basis by the submitting companies.
When I read the IPR statement at "http://www.oasis-open.org/committees/wss/documents/ipr_statement.shtml";, it wasn't completely 
clear to me how that all would work. After receiveing some additional comments and questions from our legal counsel, I was hoping to 
get some clarification about the terms and conditions of the license under which this spec and derived technologies, are made 
available to the community.

For reference, the two relevant paragraphs from the WSS IPR statement are:

----
1. Each Author grants permission to OASIS and OASIS members the right to copy, display, perform, modify and distribute the Web 
Services Security ("WS-Security") draft specification and to authorize others to do the foregoing, in any medium without fee or 
royalty, for the purpose of further developing the WS-Security specification in the WSSTC as set forth in the draft WSS TC charter.

2. Each Author commits to grant a non sub-licenseable, non-transferable license to third parties, under royalty-free and other 
reasonable and non-discriminatory terms and conditions, to certain of their respective patent claims that such Author deems 
necessary to implement required portokions of the WS-Security specification, provided a reciprocal license is granted.
----


What follows is a list of observations and questions concerning the statement:


a/ As stated in (1.), the royalty free license seems only for the purpose of development, not
implementation, of WS-Security specifications, and is granted only to OASIS
members.

The WSS-IPR statement is "...In addition to the rights and representations provided for in the OASIS Policy on Intellectual Property 
Rights...".

Could you please clarify what the above statement (1.) adds to the OASIS one?


b/ This statement grants a non sub-licenseble, non-transferable license to third parties.

The organization that I work for is developing a toolkit based on the WS-Security specification. We make this toolkit available to 
anyone as free (as in beer), open source software under a BSD-like license.
Do the terms "non sub-licenseble, non-transferable" mean, that other academic and commercial parties will be unable to build their 
applications and product on top of our toolkit under the same RF conditions?
If so, what is the process to allow these third parties to do so?


c/ The statement reads: "...under royalty-free and other reasonable and non-discriminatory terms and conditions..."

What are these additonal RAND terms and conditions?


d/ "Each Author commits to grant...license to third parties...provided a reciprocal license is granted."

If a third party doesn't have any IP claims in this area, do they still need to provide a reciprocal license?
If so, what is the process to obtain such a license from the Authors, and what are the terms and conditions associated with such a 
license?


e/ The license is granted "...to certain of their respective patent claims that such Author deems necessary to implement..." , but 
there doesn't seem to be any objective criteria for what is necessary.

Could the submitters clarify this statement?


f/ We assume that the ws-security profile specifications (kerberos, username/password, X.509) are part of the WS-Security spec and 
therefor covered by this IPR statement.

This does not include any additional profiles that the community may want to develop and deploy, which would imply that additionally 
defined profiles may not be made available under the same terms and conditions.

The IP issues surrounding subsequent profiles is something we fear as more and more standards, like WS-Security are drafted as 
"frameworks", which by themselves are not very useful to guarantee interoperability without the profile definitions.

Could this be a reason to extend the charter to include more profiles such that the community doesn't have to deal with the 
subsequent associated IPR issues?

Do the submitters currently have plans to publish such additional profiles under different and non-RF terms and conditions?


g/ It's not clear if the OASIS Board of Directors has been formally notified of claimed patent rights.

Could you please clarify.


h/ We assumed that "portokions" is a typo for "portions".

... but with that legal lingo, one can never be sure...


i/ The signators of the IPR statement make no representation that they have the authority to
grant such rights.

Are they empowered to do so by IBM, Microsoft and VeriSign?
(nothing personal ... just a question from our lawyer)


That's all for now.

Thanks, Frank.




Frank Siebenlist wrote:

> Before asking any further questions, I just wanted to confirm that the
> IPR statement at:
>
> "http://www.oasis-open.org/committees/wss/documents/ipr_statement.shtml";
>
> is the correct and most recent one concerning the WS-Security specs.
>
> (I remember there were some discussions about it at the first meeting...)
>
>
> Thanks, Frank.
>
>

-- 
Frank Siebenlist              franks@mcs.anl.gov
The Globus Project - Argonne National Laboratory