Posted to general@incubator.apache.org by Scott Cantor <ca...@osu.edu> on 2003/01/29 15:51:40 UTC

Revised OpenSAML proposal

A revised proposal with the references to WS-Sec removed by general consent of the parties involved.

--- Scott

--- 

Proposal for OpenSAML, A Web Services Subproject (via Incubator)

28 January 2003,
Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)

(0) rationale

To support SAML (Security Assertion Markup Language), OpenSAML was developed by Internet2 as part of the Shibboleth project
(http://shibboleth.internet2.edu/). The project is currently hosted and managed by Internet2 at http://www.opensaml.org. Both a Java
and a C++ library are being provided and maintained, with a goal of feature parity and API commonality between them.

There is also a JSR 155 - Web Services Security Assertions (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in their
words) define a set of APIs, exchange patterns and implementation to securely (integrity and confidentiality) exchange assertions
between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either instead of or in addition to the
existing API. This is analogous to the migration in Xerces to JAXP when it became appropriate.

The ws.apache.org PMC expressed a great deal of interest in the work in order to ramp up their activities quickly, and appears to be
eager to contribute to the success of the subproject.

(0.1) criteria

Meritocracy: Design decisions have been made in consultation with the Shibboleth development team.

Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have been playing with the code in their
projects.

Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development team, and a few other
contributions, some from Apache contributors.

Alignment: Uses Xerces and Xalan (J and C), xml-security, generally looks to Apache projects before turning elsewhere, due to
compatibility of licensing terms and code quality and support.

Scope: SAML and functionality to simplify the use of SAML in areas of interest. 

(0.2) warning signs

Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have looked at OpenSAML as a possible
starting point.

Inexperience: The primary author has been coding the system for about 14 months, and has 5+ years experience on web security
software, primarily in C and C++. Most of that code has been made publicly available and has been shared explicitly with other
institutions. Other Shibboleth developers have contributed Unix systems programming, project organization, and Java experience to
the project, and they have open source experience as well.

Homogeneous Developers: Primarily one developer to this point, though suggestions from other developers have influenced design.
Project expected to support layered functionality contributed by other interested parties once core API stability is reached. IRC has
been used extensively to discuss issues.

Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most of the development has been
contract work, but the entire source base has been open source from the beginning.

No ties to other Apache Products: Extensive reliance on XML and Jakarta projects, should make use of and serve the forthcoming WS
projects.

Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a stable of developers, extend work into
web services, possibly explore implications of SAML and Shibboleth models for SSO and identity federation within other Apache
projects.

(1) scope of the subproject

The purpose of this subproject is to create and maintain an implementation of the SAML standard, as defined by the OASIS SSTC, via
libraries that support the messages, bindings, and profiles in the standard. This might eventually include reference implementations
of SAML authorities for testing or development use (or more if there's interest). This subproject might include an implementation of
the JSR-155 yet-to-be-published API for SAML in Java.

(2) identify the initial source from which the subproject is to be populated 

http://www.opensaml.org

(3) identify the ASF resources to be created 

(3.1) mailing list(s) 
opensaml-user 
opensaml-dev 


(3.2) CVS repositories 
ws-opensaml (currently there is a cvs at cvs.internet2.edu)

(3.3) Bugzilla 

(currently, there is a bugzilla at bugzilla.internet2.edu)

(4) identify the initial set of committers 

Scott Cantor (cantor.2@osu.edu)

Walter Hoehn (wassa@columbia.edu)

Derek Atkins (warlord@mit.edu)

Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)

Mark Wilcox (mark.wilcox@webct.com)

(5) identify apache sponsoring individual 

Davanum Srinivas (dims@yahoo.com)

(6) open issues for discussion

Are there IPR-related concerns with SAML (patents held by RSA but offered royalty free)?


RE: Revised OpenSAML proposal

Posted by Krishna Sankar <ks...@cisco.com>.
Dims,

	Sorry for the delay in responding - am still traveling.

	As the role of JSR 155 spec lead, I applaud and support this
effort. The JSR155 team would work with the proposed initiative. We also
plan to seek more synergies like RI et al in the near future.

cheers 

> -----Original Message-----
> From: Davanum Srinivas [mailto:dims@yahoo.com] 
> Sent: Thursday, January 30, 2003 9:21 AM
> To: general@incubator.apache.org
> Cc: Krishna Sankar; Sandeep Kumar
> Subject: Re: Revised OpenSAML proposal
> 
> 
> CC'ing Sandeep and Krishna - the co-leads for JSR 155. 
> 
> Thanks,
> dims
> 
> --- Scott Cantor <ca...@osu.edu> wrote:
> > <snip>


Re: Revised OpenSAML proposal

Posted by Davanum Srinivas <di...@yahoo.com>.
CC'ing Sandeep and Krishna - the co-leads for JSR 155. 

Thanks,
dims

--- Scott Cantor <ca...@osu.edu> wrote:
> <snip>


=====
Davanum Srinivas - http://webservices.apache.org/~dims/

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Re: Revised OpenSAML proposal

Posted by Davanum Srinivas <di...@yahoo.com>.
Nicola,

WS PMC has not voted on it yet. i privately pinged a few folks who seemed receptive. I will let
scott and his team answer the rest of the queries/concerns. As soon as we setup our mailing lists
and archives etc (this weekend), i can initiate a vote.

Thanks,
dims

--- Nicola Ken Barozzi <ni...@apache.org> wrote:
> 
> Davanum Srinivas wrote:
> > Incubator Folks,
> > 
> > We have a proposal, an initial code base, identified committers, a willing web services
> > pmc....What's the next step? Please advise.
> 
> We are walking on new ground here, so I'll step up to reply, but please 
> take this as my personal opinions except on those matters where I won't 
> be corrected.
> 
> There are a couple of points I'd like to see done, and then we'll get 
> along with actually starting the creation of the project.
> 
> 
> Acceptance criteria: destination PMC vote
> ------------------------------------------
> 
> I've read the proposal, and the first thing that I note is a *strong* 
> willingness of the WS PMC to accept the project. This is very positive 
> IMHO, and since we are not here to be gatekeepers for proposals already 
> accepted by other PMCs, IMO it constitutes a 'yes' to the acceptance.
> 
> Has the WS PMC voted on this?
> If not, I'd suggest that a vote is done and we will acknowledge the 
> result. If it has been already done, please post here a link to the votes.
> 
> 
> Synergy
> ---------
> 
> I cannot fail to remember that we have another possible candidate in 
> line (Wyona) that uses saml already and has his implementation in Java. 
> I have already asked them about spinning off some of their code to other 
> projects in Apache, and they were very positive about it. This is 
> another positive thing.
> 
> 
> Points to watch
> ----------------
> 
> One active committer is not much... this will be our main point to 
> watch, and see that it gains momentum.
> 
> 
> Blockers?
> -----------
> 
> "Are there IPR-related concerns with SAML (patents held by RSA but 
> offered royalty free)?"
> 
> Can you please elaborate more on this?
> 
> 
> -- 
> Nicola Ken Barozzi                   nicolaken@apache.org
>              - verba volant, scripta manent -
>     (discussions get forgotten, just code remains)
> ---------------------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 


=====
Davanum Srinivas - http://xml.apache.org/~dims/


Re: Revised OpenSAML proposal

Posted by Michael Wechner <mi...@wyona.org>.
RL 'Bob' Morgan wrote:

>On Wed, 29 Jan 2003, Nicola Ken Barozzi wrote:
>
>>Synergy
>>---------
>>
>>I cannot fail to remember that we have another possible candidate in
>>line (Wyona) that uses saml already and has his implementation in Java.
>>I have already asked them about spinning off some of their code to other
>>projects in Apache, and they were very positive about it. This is
>>another positive thing.
>
>You mean wyona.org?  I don't see anything SAMLish in their distribution
>

Well, I guess Nicola was probably misled by us (wyona.org) mentioning 
to him that we are using something similar to XACML for authorization. 
But I agree very much with Nicola that there are a lot of synergies and 
we certainly don't mind collaborating on this.

I think it would help a lot if we could focus on one 
"Authentication/Authorization Framework",
especially since there seem to be so many within Apache already. At 
least we (wyona.org) don't
want to start another one.

Thanks

Michael



>...
>
>>Points to watch
>>----------------
>>
>>One active committer is not much... this will be our main point to
>>watch, and see that it gains momentum.
>
>We'll have to see, but we've been getting lots of interest in this
>package, and heard about some other implementations as well; and of course
>there are many commercial implementations already from the companies that
>contributed to writing the spec.
>
>>Blockers?
>>-----------
>>
>>"Are there IPR-related concerns with SAML (patents held by RSA but
>>offered royalty free)?"
>>
>>Can you please elaborate more on this?
>
>You never know, but the fact that it is now a full year after they first
>brought up this claim, and they still haven't had enough interest to come
>up with procedures for getting licenses (and why would they, since they're
>free), would lead one to believe that they aren't going to pursue
>enforcing any rights here very aggressively.  As Scott said, there are so
>many nasty patent situations out there, this one seems quite friendly.
>
> - RL "Bob"
>



Re: Revised OpenSAML proposal

Posted by Davanum Srinivas <di...@yahoo.com>.
Does any one have contacts at RSA? I sent an email to Robert (see
http://lists.oasis-open.org/archives/security-services/200204/msg00110.html), but he is
out-of-office till Monday. Found him via the IPR section @
http://www.oasis-open.org/committees/security/

Thanks,
dims

--- robert burrell donkin <ro...@blueyonder.co.uk> wrote:
> On Thursday, January 30, 2003, at 07:08 PM, Nicola Ken Barozzi wrote:
> 
> > robert burrell donkin wrote:
> 
> <snip>
> 
> >> we've seen numerous cases recently about companies sitting on IPR and 
> >> then suddenly demanding money as soon as the technology has been widely 
> >> adopted.
> >>  these murky waters are muddied even further given the recent court win 
> >> for rambus (http://www.theregister.co.uk/content/3/29102.html).
> >> maybe apache should make sure that they can get hold of a license for 
> >> this technology before accepting this project.
> >
> > "A" license? What does this mean, that Apache has a license but all users 
> > of it need to ask for one too?  %-|
> 
> i think you'd need to ask an IPR lawyer this.
> 
> the way i see it (but i'm not a lawyer)...
> 
> if rsa really is offering these IP rights royalty free then apache should 
> be able to obtain a license. i suppose whether users will need to ask RSA 
> for a license will depend on the nature of the license under which these 
> rights are offered. if apache can't obtain a license then not only does 
> the ASF risk being sued but it's also clear that (some) users will have 
> difficulties legally using the software we produce.
> 
> maybe someone at the ASF needs to approach RSA officially and find out 
> what their position is.
> 
> - robert
> 
> 
> 


=====
Davanum Srinivas - http://webservices.apache.org/~dims/


RE: Revised OpenSAML proposal

Posted by Scott Cantor <ca...@osu.edu>.
> > "A" license? What does this mean, that Apache has a license but all 
> > users of it need to ask for one too?  %-|
> 
> i think you'd need to ask an IPR lawyer this.

The RSA position up to this point is that vendors of toolkits not only need to get a license, but also notify their customers that
they must acquire one. So Apache gets one to distribute this code, and then provides the notice to users.

The *rumor* is that they may be changing their mind about this special toolkit case, but that's not anything more than rumor.

The fundamental issue is that there is *no* license to get yet. It doesn't exist, the process doesn't exist, etc. We've been
distributing code, Sun has shipping products, RSA and Phaos and others have toolkits, etc. 

So there just isn't much ground to stand on yet.

> maybe someone at the ASF needs to approach RSA officially and 
> find out what their position is.

Many others are already doing this within the SSTC, and we will communicate that we're getting even more anxious on the call next
week.

-- Scott


Re: Revised OpenSAML proposal

Posted by robert burrell donkin <ro...@blueyonder.co.uk>.
On Thursday, January 30, 2003, at 07:08 PM, Nicola Ken Barozzi wrote:

> robert burrell donkin wrote:

<snip>

>> we've seen numerous cases recently about companies sitting on IPR and 
>> then suddenly demanding money as soon as the technology has been widely 
>> adopted.
>>  these murky waters are muddied even further given the recent court win 
>> for rambus (http://www.theregister.co.uk/content/3/29102.html).
>> maybe apache should make sure that they can get hold of a license for 
>> this technology before accepting this project.
>
> "A" license? What does this mean, that Apache has a license but all users 
> of it need to ask for one too?  %-|

i think you'd need to ask an IPR lawyer this.

the way i see it (but i'm not a lawyer)...

if rsa really is offering these IP rights royalty free then apache should 
be able to obtain a license. i suppose whether users will need to ask RSA 
for a license will depend on the nature of the license under which these 
rights are offered. if apache can't obtain a license then not only does 
the ASF risk being sued but it's also clear that (some) users will have 
difficulties legally using the software we produce.

maybe someone at the ASF needs to approach RSA officially and find out 
what their position is.

- robert


Re: Revised OpenSAML proposal

Posted by Nicola Ken Barozzi <ni...@apache.org>.
robert burrell donkin wrote:
> On Wednesday, January 29, 2003, at 10:18 PM, RL 'Bob' Morgan wrote:
> 
>> On Wed, 29 Jan 2003, Nicola Ken Barozzi wrote:
> 
> <snip>
> 
>>> Blockers?
>>> -----------
>>>
>>> "Are there IPR-related concerns with SAML (patents held by RSA but
>>> offered royalty free)?"
>>>
>>> Can you please elaborate more on this?
>>
>> You never know, but the fact that it is now a full year after they first
>> brought up this claim, and they still haven't had enough interest to come
>> up with procedures for getting licenses (and why would they, since 
>> they're
>> free), would lead one to believe that they aren't going to pursue
>> enforcing any rights here very aggressively.  As Scott said, there are so
>> many nasty patent situations out there, this one seems quite friendly.
> 
> this worries me.

It worries me too. Can someone please post some links that show the 
claims brought up, the patent in question, and any other pointers?

> we've seen numerous cases recently about companies sitting on IPR and 
> then suddenly demanding money as soon as the technology has been widely 
> adopted.
>  these murky waters are muddied even further given the recent court win 
> for rambus (http://www.theregister.co.uk/content/3/29102.html).
> 
> maybe apache should make sure that they can get hold of a license for 
> this technology before accepting this project.

"A" license? What does this mean, that Apache has a license but all 
users of it need to ask for one too?  %-|

-- 
Nicola Ken Barozzi                   nicolaken@apache.org
             - verba volant, scripta manent -
    (discussions get forgotten, just code remains)
---------------------------------------------------------------------


Re: Revised OpenSAML proposal

Posted by robert burrell donkin <ro...@blueyonder.co.uk>.
On Wednesday, January 29, 2003, at 10:18 PM, RL 'Bob' Morgan wrote:

> On Wed, 29 Jan 2003, Nicola Ken Barozzi wrote:

<snip>

>> Blockers?
>> -----------
>>
>> "Are there IPR-related concerns with SAML (patents held by RSA but
>> offered royalty free)?"
>>
>> Can you please elaborate more on this?
>
> You never know, but the fact that it is now a full year after they first
> brought up this claim, and they still haven't had enough interest to come
> up with procedures for getting licenses (and why would they, since they're
> free), would lead one to believe that they aren't going to pursue
> enforcing any rights here very aggressively.  As Scott said, there are so
> many nasty patent situations out there, this one seems quite friendly.

this worries me.

we've seen numerous cases recently about companies sitting on IPR and then 
suddenly demanding money as soon as the technology has been widely adopted.
  these murky waters are muddied even further given the recent court win 
for rambus (http://www.theregister.co.uk/content/3/29102.html).

maybe apache should make sure that they can get hold of a license for this 
technology before accepting this project.

- robert


Re: Revised OpenSAML proposal

Posted by RL 'Bob' Morgan <rl...@washington.edu>.
On Wed, 29 Jan 2003, Nicola Ken Barozzi wrote:

> Synergy
> ---------
>
> I cannot fail to remember that we have another possible candidate in
> line (Wyona) that uses saml already and has his implementation in Java.
> I have already asked them about spinning off some of their code to other
> projects in Apache, and they were very positive about it. This is
> another positive thing.

You mean wyona.org?  I don't see anything SAMLish in their distribution
...

> Points to watch
> ----------------
>
> One active committer is not much... this will be our main point to
> watch, and see that it gains momentum.

We'll have to see, but we've been getting lots of interest in this
package, and heard about some other implementations as well; and of course
there are many commercial implementations already from the companies that
contributed to writing the spec.

> Blockers?
> -----------
>
> "Are there IPR-related concerns with SAML (patents held by RSA but
> offered royalty free)?"
>
> Can you please elaborate more on this?

You never know, but the fact that it is now a full year after they first
brought up this claim, and they still haven't had enough interest to come
up with procedures for getting licenses (and why would they, since they're
free), would lead one to believe that they aren't going to pursue
enforcing any rights here very aggressively.  As Scott said, there are so
many nasty patent situations out there, this one seems quite friendly.

 - RL "Bob"



RE: Revised OpenSAML proposal

Posted by Scott Cantor <ca...@osu.edu>.
> Points to watch
> ----------------
> One active committer is not much... this will be our main point to 
> watch, and see that it gains momentum.

As the committer in question, I more than agree. My focus is and will be for a while on Shibboleth, so our goal has been to get to a
stable state so that OpenSAML would have a life of its own if the interest is there.

> Blockers?
> -----------
> "Are there IPR-related concerns with SAML (patents held by RSA but 
> offered royalty free)?"
> 
> Can you please elaborate more on this?

I can't elaborate as much as I'd like, but the relevant OASIS pointer is:
http://www.oasis-open.org/committees/security/rsa-ipr-statement-SAML3b-OASIS-2002-04-22.shtml

The particulars in regard to a library like OpenSAML are that both the distributor of the toolkit (currently Internet2, presumably
the ASF in this context) and any users of the toolkit have to obtain a royalty-free license.

Past discussion with RSA's OASIS SSTC reps (not their lawyers I want to emphasize) are that RSA intends a fax-back type of license.

Recent discussion has not really clarified much, and while I've heard rumors of more liberal terms (possibly none for toolkits),
they are only rumors to me. RSA has yet to define the precise license or the terms, but has been urged to do so by the SSTC. Sun is
already selling one product, for example.

Anyway, I'm not a lawyer and I don't play one on TV. And I'm not about to argue for or against the patent claims (my own opinions
notwithstanding).

But certainly the web services (and web services security) space is full of this stuff, most of it often much less clear than this,
so welcome to the thunderdome.

-- Scott


Re: Revised OpenSAML proposal

Posted by Nicola Ken Barozzi <ni...@apache.org>.
Davanum Srinivas wrote:
> Incubator Folks,
> 
> We have a proposal, an initial code base, identified committers, a willing web services
> pmc....What's the next step? Please advise.

We are walking on new ground here, so I'll step up to reply, but please 
take this as my personal opinions except on those matters where I won't 
be corrected.

There are a couple of points I'd like to see done, and then we'll get 
along with actually starting the creation of the project.


Acceptance criteria: destination PMC vote
------------------------------------------

I've read the proposal, and the first thing that I note is a *strong* 
willingness of the WS PMC to accept the project. This is very positive 
IMHO, and since we are not here to be gatekeepers for proposals already 
accepted by other PMCs, IMO it constitutes a 'yes' to the acceptance.

Has the WS PMC voted on this?
If not, I'd suggest that a vote is done and we will acknowledge the 
result. If it has been already done, please post here a link to the votes.


Synergy
---------

I cannot fail to remember that we have another possible candidate in 
line (Wyona) that uses SAML already and has its implementation in Java. 
I have already asked them about spinning off some of their code to other 
projects in Apache, and they were very positive about it. This is 
another positive thing.


Points to watch
----------------

One active committer is not much... this will be our main point to 
watch, and see that it gains momentum.


Blockers?
-----------

"Are there IPR-related concerns with SAML (patents held by RSA but 
offered royalty free)?"

Can you please elaborate more on this?


-- 
Nicola Ken Barozzi                   nicolaken@apache.org
             - verba volant, scripta manent -
    (discussions get forgotten, just code remains)
---------------------------------------------------------------------


Re: Revised OpenSAML proposal

Posted by Davanum Srinivas <di...@yahoo.com>.
Incubator Folks,

We have a proposal, an initial code base, identified committers, a willing web services
pmc....What's the next step? Please advise.

Thanks,
dims

--- Scott Cantor <ca...@osu.edu> wrote:
> A revised proposal with the references to WS-Sec removed by general consent of the parties
> involved.
> 
> --- Scott
> 
> --- 
> 
> Proposal for OpenSAML, A Web Services Subproject (via Incubator)
> 
> 28 January 2003,
> Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)
> 
> (0) rationale
> 
> To support SAML (Security Assertion Markup Language), OpenSAML was developed by Internet2 as
> part of the Shibboleth project
> (http://shibboleth.internet2.edu/). The project is currently hosted and managed by Internet2 at
> http://www.opensaml.org. Both a Java
> and C++ library are being provided and maintained, with a goal of feature parity and API
> commonality between them.
> 
> There is also a JSR 155 - Web Services Security Assertions
> (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in their
> words) define a set of APIs, exchange patterns and implementation to securely (integrity and
> confidentiality) exchange assertions
> between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either
> instead of or in addition to the
> existing API. This is analogous to the migration in Xerces to JAXP when it became appropriate.
> 
> The ws.apache.org PMC expressed a great deal of interest in the work in order to ramp up their
> activities quickly, and appears to be
> eager to contribute to the success of the subproject.
> 
> (0.1) criteria
> 
> Meritocracy: Design decisions have been made in consultation with the Shibboleth development
> team.
> 
> Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have
> been playing with the code in their
> projects.
> 
> Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development
> team, and a few other
> contributions, some from Apache contributors.
> 
> Alignment: Uses Xerces and Xalan (J and C), xml-security, generally looks to Apache projects
> before turning elsewhere, due to
> compatibility of licensing terms and code quality and support.
> 
> Scope: SAML and functionality to simplify the use of SAML in areas of interest. 
> 
> (0.2) warning signs
> 
> Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have
> looked at OpenSAML as a possible
> starting point.
> 
> Inexperience: The primary author has been coding the system for about 14 months, and has 5+
> years experience on web security
> software, primarily in C and C++. Most of that code has been made publicly available and has
> been shared explicitly with other
> institutions. Other Shibboleth developers have contributed Unix systems programming, project
> organization, and Java experience to
> the project, and they have open source experience as well.
> 
> Homogeneous Developers: Primarily one developer to this point, though suggestions from other
> developers have influenced design.
> Project expected to support layered functionality contributed by other interested parties once
> core API stability is reached. IRC has
> been used extensively to discuss issues.
> 
> Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most
> of the development has been
> contract work, but the entire source base has been open source from the beginning.
> 
> No ties to other Apache Products: Extensive reliance on XML and Jakarta projects, should make
> use of and serve the forthcoming WS
> projects.
> 
> Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a
> stable of developers, extend work into
> web services, possibly explore implications of SAML and Shibboleth models for SSO and identity
> federation within other Apache
> projects.
> 
> (1) scope of the subproject
> 
> The purpose of this subproject is to create and maintain an implementation of the SAML standard,
> as defined by the OASIS SSTC, via
> libraries that support the messages, bindings, and profiles in the standard. This might
> eventually include reference implementations
> of SAML authorities for testing or development use (or more if there's interest). This
> subproject might include an implementation of
> the JSR-155 yet-to-be-published API for SAML in Java.
> 
> (2) identify the initial source from which the subproject is to be populated 
> 
> http://www.opensaml.org
> 
> (3) identify the ASF resources to be created 
> 
> (3.1) mailing list(s) 
> opensaml-user 
> opensaml-dev 
> 
> 
> (3.2) CVS repositories 
> ws-opensaml (currently there is a cvs at cvs.internet2.edu)
> 
> (3.3) Bugzilla 
> 
> (currently, there is a bugzilla at bugzilla.internet2.edu)
> 
> (4) identify the initial set of committers 
> 
> Scott Cantor (cantor.2@osu.edu)
> 
> Walter Hoehn (wassa@columbia.edu)
> 
> Derek Atkins (warlord@mit.edu)
> 
> Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)
> 
> Mark Wilcox (mark.wilcox@webct.com)
> 
> (5) identify apache sponsoring individual 
> 
> Davanum Srinivas (dims@yahoo.com)
> 
> (6) open issues for discussion
> 
> Are there IPR-related concerns with SAML (patents held by RSA but offered royalty free)?
> 
> 


=====
Davanum Srinivas - http://xml.apache.org/~dims/
