Posted to legal-discuss@apache.org by Davanum Srinivas <da...@gmail.com> on 2005/06/23 17:22:45 UTC
IBM and WS-Security
Jeff,
Let's start fresh. Is IBM willing to allow Apache to write a
WS-Security Implementation?
We already have code, and have participated in interops, but have not
made a release yet (http://ws.apache.org/ws-fx/wss4j/). Current terms
published by IBM (http://www.ibm.com/ibm/licensing/977Q/2112.shtml)
are incompatible with Apache License/Process. I have detailed feedback
almost clause-by-clause for the IBM License (and the Microsoft
License), but that defeats the purpose...It's better for us to specify
what we'd like to see in a modified license from IBM (and Microsoft).
BenL and I were discussing this morning what to request of IBM and
MSFT w.r.t. the WS-Security license. Here is the list:
1. Users should be able to download our code and run it without further
action on their part (obviously they should be aware of the licence and
comply with it, but should not need to do anything beyond the normal
requirements of the Apache Licence 2.0).
2. The licence should not require implementations to be compliant (as we
agreed, this is an incomprehensible requirement anyway).
3. There should be no restrictions beyond those imposed by Apache
Licence 2.0.
4. Another instance of conflict with AL 2.0 is the requirement for
compliance with U.S. Export laws - this needs to go.
5. Note that the Apache Licence
(http://www.apache.org/licenses/LICENSE-2.0.html) has a clause relating
to patents which may well work in the way you want already - clause 3.
Thanks,
Davanum Srinivas
Vice President, Web services, Apache.
Thanks,
dims
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM and WS-Security
Posted by Davanum Srinivas <da...@gmail.com>.
Elementary![1]. Thanks.
-- dims
[1] http://en.wikipedia.org/wiki/Sherlock_Holmes
On 6/24/05, Jeffrey Thompson <jt...@us.ibm.com> wrote:
>
>
> Davanum Srinivas <da...@gmail.com> wrote on 06/24/2005 03:13:52 PM:
>
> > Jeff,
> >
> > Thanks. Now I understand the concept of offering license w/o
> > identifying patent claims...BUT I see that the IBM license has a 1
> > year limit (see section 6.1) and MSFT has no limits as long as the
> > patent is applicable to this thing that we are implementing. Isn't it
> > better to remove the 1 year limit? (or am I reading this wrong)
> >
>
> That one year limit isn't a problem, it's IBM's patent lawyers being . . .
> ah . . . patent lawyers. (No insult to patent lawyers intended. Honestly.)
>
> I think that the one year limit derives from the time limit in the U.S. for
> filing patent applications. In the U.S., you can file a patent application
> for an invention up to one year after the patented invention was first
> published, incorporated into an on-sale product, etc. That's the reason why
> there's always a search for prior art when someone tries to assert a patent
> claim. If you can find a publication that describes the supposed invention
> or on-sale item which implements the invention that existed more than one
> year prior to the filing date, the filing was invalid, and therefore so is
> the patent. It doesn't matter whether the patent holder actually invented
> the invention, whether someone learned it and then published it, or what.
> If it's past 1 year, the patent is dead. (I'm sure that there are
> exceptions, but that's the general rule.)
>
> In the case of this license, it only applies to patents that were filed no
> later than a year and a day after WS-Security was published. The reasoning
> is that any patents that were filed after that date don't need to be
> licensed because they are invalid (as WS-Security's publication would have
> predated it by more than a year). Since there have been court cases which
> have held that it is patent abuse to try to license a group of patents, some
> of which are obviously invalid, it makes sense to exclude those. I'm not
> saying that all patent licenses need to include that language, but the
> language makes sense.
>
> Before anyone asks the obvious question, no, IBM is not in the habit of
> filing for obviously invalid patents. But since IBM does a large number of
> patent filings each year, there is the possibility that someone misses
> something and we file one late. In that case, I would hope the examiner
> would catch it, but we all know how overworked they are.
>
> In the end, the one year limitation isn't a problem. All valid patents that
> are necessary for WS-Security would have been filed long before that one
> year period had expired.
>
> > - dims
> >
> <snip>
> >
> > --
> > Davanum Srinivas -http://blogs.cocoondev.org/dims/
>
>
> Jeff
>
> Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
> (notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
> (web) http://www.beff.net/
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
Re: IBM and WS-Security
Posted by Ben Laurie <be...@algroup.co.uk>.
Jeffrey Thompson wrote:
> I think that the one year limit derives from the time limit in the U.S.
> for filing patent applications. In the U.S., you can file a patent
> application for an invention up to one year after the patented invention
> was first published, incorporated into an on-sale product, etc. That's
> the reason why there's always a search for prior art when someone tries
> to assert a patent claim. If you can find a publication that describes
> the supposed invention or on-sale item which implements the invention
> that existed more than one year prior to the filing date, the filing was
> invalid, and therefore so is the patent. It doesn't matter whether the
> patent holder actually invented the invention, whether someone learned
> it and then published it, or what. If it's past 1 year, the patent is
> dead. (I'm sure that there are exceptions, but that's the general rule.)
You mean it's killable, rather than dead. I'm told that even with prior
art it's a tedious and expensive process.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: IBM and WS-Security
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Davanum Srinivas <da...@gmail.com> wrote on 06/24/2005 03:13:52 PM:
> Jeff,
>
> Thanks. Now I understand the concept of offering license w/o
> identifying patent claims...BUT I see that the IBM license has a 1
> year limit (see section 6.1) and MSFT has no limits as long as the
> patent is applicable to this thing that we are implementing. Isn't it
> better to remove the 1 year limit? (or am I reading this wrong)
>
That one year limit isn't a problem, it's IBM's patent lawyers being . . .
ah . . . patent lawyers. (No insult to patent lawyers intended.
Honestly.)
I think that the one year limit derives from the time limit in the U.S.
for filing patent applications. In the U.S., you can file a patent
application for an invention up to one year after the patented invention
was first published, incorporated into an on-sale product, etc. That's
the reason why there's always a search for prior art when someone tries to
assert a patent claim. If you can find a publication that describes the
supposed invention or on-sale item which implements the invention that
existed more than one year prior to the filing date, the filing was
invalid, and therefore so is the patent. It doesn't matter whether the
patent holder actually invented the invention, whether someone learned it
and then published it, or what. If it's past 1 year, the patent is dead.
(I'm sure that there are exceptions, but that's the general rule.)
In the case of this license, it only applies to patents that were filed no
later than a year and a day after WS-Security was published. The
reasoning is that any patents that were filed after that date don't need
to be licensed because they are invalid (as WS-Security's publication
would have predated it by more than a year). Since there have been court
cases which have held that it is patent abuse to try to license a group of
patents, some of which are obviously invalid, it makes sense to exclude
those. I'm not saying that all patent licenses need to include that
language, but the language makes sense.
Before anyone asks the obvious question, no, IBM is not in the habit of
filing for obviously invalid patents. But since IBM does a large number
of patent filings each year, there is the possibility that someone misses
something and we file one late. In that case, I would hope the examiner
would catch it, but we all know how overworked they are.
In the end, the one year limitation isn't a problem. All valid patents
that are necessary for WS-Security would have been filed long before that
one year period had expired.
> - dims
>
<snip>
>
> --
> Davanum Srinivas -http://blogs.cocoondev.org/dims/
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM and WS-Security
Posted by Davanum Srinivas <da...@gmail.com>.
Jeff,
Thanks. Now I understand the concept of offering license w/o
identifying patent claims...BUT I see that the IBM license has a 1
year limit (see section 6.1) and MSFT has no limits as long as the
patent is applicable to this thing that we are implementing. Isn't it
better to remove the 1 year limit? (or am I reading this wrong)
- dims
On 6/24/05, Jeffrey Thompson <jt...@us.ibm.com> wrote:
>
> "William A. Rowe, Jr." <wr...@rowe-clan.net> wrote on 06/24/2005 12:19:32
> PM:
>
> > At 10:21 AM 6/24/2005, Ben Laurie wrote:
> > >William A. Rowe, Jr. wrote:
> > >>2. Each Author commits to grant a non sub-licensable, non-transferable
> > >>license to third parties, under royalty-free and other reasonable
> > >>and non-discriminatory terms and conditions, to certain of their
> > >>respective patent claims that such Author deems necessary to
> > >>implement required portions of the WS-Security specification,
> > >>provided a reciprocal license is granted.
> > >
> > >Because it doesn't say what hoops you have to jump through to
> > >obtain that licence (the requirement we have being, essentially,
> > >that there should be no hoops for the end user).
> >
> > Exactly. Which is why I ask, if grant of license is offered
> > to the author, are the users of that author's work covered by
> > the grant?
>
> Most every patent grant that I've ever seen is non-transferrable and
> non-sublicensable. As I mentioned before, the concept of patent exhaustion
> would cover distributors and users of a licensee's product. I don't see an
> exposure on that point for Apache. Maybe we should involve Robyn in this
> discussion to make sure that we understand all of Apache's issues.
>
> >
> > And also why RSA's license-by-fax-in-duplicate is barely
> > acceptable, if at all, at the ASF, if that license doesn't then
> > cover all users.
> >
> > If there are extra burdens noted in NOTICE for derivative works,
> > making developers' lives harder, I'd be hesitant to graduate such
> > a project. But if there are extra burdens on every user or those
> > redistributing the ASF's work, that's unacceptable.
>
> Regarding the extra burden on Apache for getting a patent license, I
> understand the issue. I would hope that patent holders in general would try
> to make it as painless as possible. The patent non-assert that IBM did a
> few months ago was one way that we thought would reduce the burden and (as
> Geir mentioned) it has its proponents inside IBM as a general policy. There
> are downsides to the non-assert approach which we could get into in more
> depth if people are really interested, but it certainly is a way to make
> things less cumbersome.
>
> In any event, the least cumbersome is to not actually go thru the process of
> obtaining an offered license. There are many reasons why someone might not
> want to execute the license -- the licensor might not have actually
> identified any necessary patent claims (as in the case of IBM with
> WS-Security); or the licensor might have said that there are unidentified
> "patent applications which if they issue as currently drafted . . . . ",
> which is almost the same thing; or the identified patents might be obviously
> invalid; etc. Just because a license is offered, it doesn't mean that
> Apache needs to execute it.
>
> That brings up why a company might offer a license even though they haven't
> identified any necessary patent claims. The most likely reason is that they
> want implementors to be comfortable that if any necessary claims were to be
> discovered, that they would be available on acceptable terms. Unless the
> company actually offers the license, it could be accused of sitting back
> waiting to pounce on any implementors.
>
> >
> > E.g. if 'implementation' license grants don't extend to users
> > and redistribution, without additional effort, then every
> > organization offering us proxy servers for our distribution
> > tree could be violators of those patents.
> >
> > Bill
>
> Something that was said in one of the other notes in this string that I
> would STRONGLY agree with. If Apache becomes aware of an issued patent that
> apparently actually does read on Apache's code, I would hope that Apache
> would do one of 3 things: change the code to avoid the patent, get a
> license, or cease distribution. I'm sure that Apache's lawyers would be
> deeply involved in that decision, but I wouldn't want to see Apache just
> ignore it.
>
>
> Jeff
>
> Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
> (notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
> (web) http://www.beff.net/
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
Re: IBM and WS-Security
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
"William A. Rowe, Jr." <wr...@rowe-clan.net> wrote on 06/24/2005 12:19:32
PM:
> At 10:21 AM 6/24/2005, Ben Laurie wrote:
> >William A. Rowe, Jr. wrote:
> >>2. Each Author commits to grant a non sub-licensable, non-transferable
> >>license to third parties, under royalty-free and other reasonable
> >>and non-discriminatory terms and conditions, to certain of their
> >>respective patent claims that such Author deems necessary to
> >>implement required portions of the WS-Security specification,
> >>provided a reciprocal license is granted.
> >
> >Because it doesn't say what hoops you have to jump through to
> >obtain that licence (the requirement we have being, essentially,
> >that there should be no hoops for the end user).
>
> Exactly. Which is why I ask, if grant of license is offered
> to the author, are the users of that author's work covered by
> the grant?
Most every patent grant that I've ever seen is non-transferrable and
non-sublicensable. As I mentioned before, the concept of patent
exhaustion would cover distributors and users of a licensee's product. I
don't see an exposure on that point for Apache. Maybe we should involve
Robyn in this discussion to make sure that we understand all of Apache's
issues.
>
> And also why RSA's license-by-fax-in-duplicate is barely
> acceptable, if at all, at the ASF, if that license doesn't then
> cover all users.
>
> If there are extra burdens noted in NOTICE for derivative works,
> making developers' lives harder, I'd be hesitant to graduate such
> a project. But if there are extra burdens on every user or those
> redistributing the ASF's work, that's unacceptable.
Regarding the extra burden on Apache for getting a patent license, I
understand the issue. I would hope that patent holders in general would
try to make it as painless as possible. The patent non-assert that IBM
did a few months ago was one way that we thought would reduce the burden
and (as Geir mentioned) it has its proponents inside IBM as a general
policy. There are downsides to the non-assert approach which we could get
into in more depth if people are really interested, but it certainly is a
way to make things less cumbersome.
In any event, the least cumbersome is to not actually go thru the process
of obtaining an offered license. There are many reasons why someone might
not want to execute the license -- the licensor might not have actually
identified any necessary patent claims (as in the case of IBM with
WS-Security); or the licensor might have said that there are unidentified
"patent applications which if they issue as currently drafted . . . . ",
which is almost the same thing; or the identified patents might be
obviously invalid; etc. Just because a license is offered, it doesn't
mean that Apache needs to execute it.
That brings up why a company might offer a license even though they
haven't identified any necessary patent claims. The most likely reason is
that they want implementors to be comfortable that if any necessary claims
were to be discovered, that they would be available on acceptable terms.
Unless the company actually offers the license, it could be accused of
sitting back waiting to pounce on any implementors.
>
> E.g. if 'implementation' license grants don't extend to users
> and redistribution, without additional effort, then every
> organization offering us proxy servers for our distribution
> tree could be violators of those patents.
>
> Bill
Something that was said in one of the other notes in this string that I
would STRONGLY agree with. If Apache becomes aware of an issued patent
that apparently actually does read on Apache's code, I would hope that
Apache would do one of 3 things: change the code to avoid the patent, get
a license, or cease distribution. I'm sure that Apache's lawyers would be
deeply involved in that decision, but I wouldn't want to see Apache just
ignore it.
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM and WS-Security
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 10:21 AM 6/24/2005, Ben Laurie wrote:
>William A. Rowe, Jr. wrote:
>>2. Each Author commits to grant a non sub-licensable, non-transferable
>>license to third parties, under royalty-free and other reasonable and non-discriminatory terms and conditions, to certain of their respective patent claims that such Author deems necessary to implement required portions of the WS-Security specification, provided a reciprocal license is granted.
>
>Because it doesn't say what hoops you have to jump through to obtain that licence (the requirement we have being, essentially, that there should be no hoops for the end user).
Exactly. Which is why I ask, if grant of license is offered
to the author, are the users of that author's work covered by
the grant?
And also why RSA's license-by-fax-in-duplicate is barely
acceptable, if at all, at the ASF, if that license doesn't then
cover all users.
If there are extra burdens noted in NOTICE for derivative works,
making developers' lives harder, I'd be hesitant to graduate such
a project. But if there are extra burdens on every user or those
redistributing the ASF's work, that's unacceptable.
E.g. if 'implementation' license grants don't extend to users
and redistribution, without additional effort, then every
organization offering us proxy servers for our distribution
tree could be violators of those patents.
Bill
Re: IBM and WS-Security
Posted by Ben Laurie <be...@algroup.co.uk>.
William A. Rowe, Jr. wrote:
> At 09:22 AM 6/24/2005, Davanum Srinivas wrote:
>
>>William,
>>
>>In this specific case, Microsoft has not divulged which patent(s) if
>>any are infringed upon. In the case of IBM and Verisign, from their
>>legal counsel we know that there are no patents involved on their
>>side. For Microsoft's initial response to my question on specific
>>patents, see (http://lists.oasis-open.org/archives/wss/200506/msg00123.html).
>>I think I finally managed to get through to a key decision maker there
>>- Andrew Layman. Hopefully, we will hear something one way or another.
>
>
> Good luck!
>
> http://www.oasis-open.org/committees/wss/ipr.php
>
> FWIW, I don't see how this statement from IBM, Microsoft, and VeriSign
> would not cover us;
>
> 2. Each Author commits to grant a non sub-licensable, non-transferable
> license to third parties, under royalty-free and other reasonable and
> non-discriminatory terms and conditions, to certain of their respective
> patent claims that such Author deems necessary to implement required
> portions of the WS-Security specification, provided a reciprocal license
> is granted.
Because it doesn't say what hoops you have to jump through to obtain
that licence (the requirement we have being, essentially, that there
should be no hoops for the end user).
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: IBM and WS-Security
Posted by Davanum Srinivas <da...@gmail.com>.
William,
See the actual terms from MSFT and IBM (similar to Sender-ID)
http://www.ibm.com/ibm/licensing/977Q/2112.shtml
http://www.microsoft.com/mscorp/ip/standards/
-- dims
On 6/24/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> At 09:22 AM 6/24/2005, Davanum Srinivas wrote:
> >William,
> >
> >In this specific case, Microsoft has not divulged which patent(s) if
> >any are infringed upon. In the case of IBM and Verisign, from their
> >legal counsel we know that there are no patents involved on their
> >side. For Microsoft's initial response to my question on specific
> >patents, see (http://lists.oasis-open.org/archives/wss/200506/msg00123.html).
> >I think I finally managed to get through to a key decision maker there
> >- Andrew Layman. Hopefully, we will hear something one way or another.
>
> Good luck!
>
> http://www.oasis-open.org/committees/wss/ipr.php
>
> FWIW, I don't see how this statement from IBM, Microsoft, and VeriSign
> would not cover us;
>
> 2. Each Author commits to grant a non sub-licensable, non-transferable
> license to third parties, under royalty-free and other reasonable and
> non-discriminatory terms and conditions, to certain of their respective
> patent claims that such Author deems necessary to implement required
> portions of the WS-Security specification, provided a reciprocal license
> is granted.
>
> You would need to note every separately licensed patent within
> the NOTICE file of your project, of course. However, does this
> mean they are not offering royalty-free licensing to users, only
> to developers (implement)? Note it's explicitly a non-transferable
> license.
>
> Content Guard proposed RAND license if they were infringed, which
> isn't acceptable (royalty free is not stated). RSA requires
> a separate licensing contract through their web site, which
> certainly seems to be an excessive term of their grant offer
> (http://www.rsasecurity.com/node.asp?id=2531).
>
> Bill
>
>
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
Re: IBM and WS-Security
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 09:22 AM 6/24/2005, Davanum Srinivas wrote:
>William,
>
>In this specific case, Microsoft has not divulged which patent(s) if
>any are infringed upon. In the case of IBM and Verisign, from their
>legal counsel we know that there are no patents involved on their
>side. For Microsoft's initial response to my question on specific
>patents, see (http://lists.oasis-open.org/archives/wss/200506/msg00123.html).
>I think I finally managed to get through to a key decision maker there
>- Andrew Layman. Hopefully, we will hear something one way or another.
Good luck!
http://www.oasis-open.org/committees/wss/ipr.php
FWIW, I don't see how this statement from IBM, Microsoft, and VeriSign
would not cover us;
2. Each Author commits to grant a non sub-licensable, non-transferable
license to third parties, under royalty-free and other reasonable and
non-discriminatory terms and conditions, to certain of their respective
patent claims that such Author deems necessary to implement required
portions of the WS-Security specification, provided a reciprocal license
is granted.
You would need to note every separately licensed patent within
the NOTICE file of your project, of course. However, does this
mean they are not offering royalty-free licensing to users, only
to developers (implement)? Note it's explicitly a non-transferable
license.
Content Guard proposed RAND license if they were infringed, which
isn't acceptable (royalty free is not stated). RSA requires
a separate licensing contract through their web site, which
certainly seems to be an excessive term of their grant offer
(http://www.rsasecurity.com/node.asp?id=2531).
Bill
Re: IBM and WS-Security
Posted by Davanum Srinivas <da...@gmail.com>.
William,
In this specific case, Microsoft has not divulged which patent(s) if
any are infringed upon. In the case of IBM and Verisign, from their
legal counsel we know that there are no patents involved on their
side. For Microsoft's initial response to my question on specific
patents, see (http://lists.oasis-open.org/archives/wss/200506/msg00123.html).
I think I finally managed to get through to a key decision maker there
- Andrew Layman. Hopefully, we will hear something one way or another.
Also note that this affects the existing Apache WSS4J project and not
just the TSIK incubation.
If there is FUD in IPR statements to the OASIS TC with no specific
patent # and general statements and an offered license, can we claim
ignorance? (How about after doing a patent search on the USPTO site?)
Cliff,
one more item on your plate. Need to drive the Reviews for other
Apache projects:
http://wiki.apache.org/general/ReviewsNeeded/
thanks,
-- dims
On 6/24/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> At 09:15 PM 6/23/2005, Davanum Srinivas wrote:
>
> >I was told that Apache will *NEVER* allow such a disclaimer/verbiage
> >on *ANY* project and the incubation was cancelled. See
> >http://marc.theaimsgroup.com/?l=incubator-general&w=2&r=1&s=opensaml
> >for all the gory details.
> >
> >I myself don't know why web services projects are getting this special
> >attention.
>
> Any project that has these sorts of known encumbrances would
> receive special attention (or be canceled outright.) If WS
> have been called out (I don't think they were) then it's only
> because the IP claims have been more widely debated.
>
> Once we know of an encumbrance, the ASF can:
>
> * obtain appropriate (ASL compatible) license/use grants
> from the IP holder
>
> * modify the project to avoid any encumbered use of the IP
>
> * cancel the project
>
> In this project's case, are we aware of a probable conflict
> by a patent from MSFT? In that case, examine that patent to
> determine if we can avoid encumbrance, while asking MSFT for
> permission at the same time. If neither can be satisfied,
> there is no project.
>
> IANAL, but to become aware of and still not review a known patent
> is not going to mitigate excessive damages and penalties. Only
> honest ignorance that such a patent even existed can mitigate
> the claims by the IP holder.
>
> Bill
>
>
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
Re: IBM and WS-Security
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 09:15 PM 6/23/2005, Davanum Srinivas wrote:
>I was told that Apache will *NEVER* allow such a disclaimer/verbiage
>on *ANY* project and the incubation was cancelled. See
>http://marc.theaimsgroup.com/?l=incubator-general&w=2&r=1&s=opensaml
>for all the gory details.
>
>I myself don't know why web services projects are getting this special
>attention.
Any project that has these sorts of known encumbrances would
receive special attention (or be canceled outright.) If WS
have been called out (I don't think they were) then it's only
because the IP claims have been more widely debated.
Once we know of an encumbrance, the ASF can:
* obtain appropriate (ASL compatible) license/use grants
from the IP holder
* modify the project to avoid any encumbered use of the IP
* cancel the project
In this project's case, are we aware of a probable conflict
by a patent from MSFT? In that case, examine that patent to
determine if we can avoid encumbrance, while asking MSFT for
permission at the same time. If neither can be satisfied,
there is no project.
IANAL, but to become aware of and still not review a known patent
is not going to mitigate excessive damages and penalties. Only
honest ignorance that such a patent even existed can mitigate
the claims by the IP holder.
Bill
Re: IBM and WS-Security
Posted by Davanum Srinivas <da...@gmail.com>.
Jeff,
Please see below.
On 6/23/05, Jeffrey Thompson <jt...@us.ibm.com> wrote:
>
>
> Davanum Srinivas <da...@gmail.com> wrote on 06/23/2005 11:22:45 AM:
>
> > Jeff,
> >
> > Let's start fresh. Is IBM willing to allow Apache to write a
> > WS-Security Implementation?
>
> Certainly. That was why we contributed it to OASIS and why we made an RF
> patent commitment. As an aside, I'm not aware that we've identified any
> necessary patents for WS-Security.
This is what I expected, since I could not find anything.
> > We already have code, and have participated in interops, but have not
> > made a release yet (http://ws.apache.org/ws-fx/wss4j/). Current terms
> > published by IBM (http://www.ibm.com/ibm/licensing/977Q/2112.shtml)
> > are incompatible with Apache License/Process.
>
> I think we have a basic disagreement here. IBM's patent terms are not
> incompatible with Apache's license or Apache's open source model.
Great!!!
> > I have detailed feedback
> > almost clause-by-clause for the IBM License (and the Microsoft
> > License), but that defeats the purpose...It's better for us to specify
> > what we'd like to see in a modified license from IBM (and Microsoft).
>
> Actually, I haven't seen that (I'm not always able to read all of the list
> postings). No need to bore everyone else with repetition, but if you want
> to send it to me off list, I'd appreciate it.
Please see my other email.
> > BenL and me were discussing this morning on what to request IBM and
> > MSFT w.r.t WS-Security license. Here is the list:
> >
> > 1. Users should be able to download our code and run it without further
> > action on their part (obviously they should be aware of the licence and
> > comply with it, but should not need to do anything beyond the normal
> > requirements of the Apache Licence 2.0).
>
> Obviously. And that's what happens under the current licenses. Under the
> doctrine of patent exhaustion, if a maker of a product (here, Apache) is
> licensed to practice a patent when it makes the product, users of that
> product are also covered.
OK. We are on the same page.
> > 2. The licence should not require implementations to be compliant (as we
> > agreed, this is an incomprehensible requirement anyway).
>
> I'm not sure why you are singling out WS-Security on this point. Every Java
> specification license includes compliance requirements and I expect that all
> of the patent licenses pursuant to the W3C Patent Policy are limited to
> "implementations of the recommendation". Is your point that it is not clear
> what "compliant" means in the absence of a test suite, or that the concept
> of compliance is itself incomprehensible? If it's the former, take the
> normal meaning -- that the implementation actually implements the spec
> correctly. If it's the latter, I'm not sure how to respond.
Yes, "absence of a test suite" is the problem. We can't test compliance.
> > 3. There should be no restrictions beyond those imposed by Apache
> > Licence 2.0.
>
> Again, why are we singling out WS-Security? The Java spec licenses include
> additional restrictions as do pretty much all existing patent licenses for
> standards (W3C or otherwise). The question is whether the additional
> restrictions impose an inappropriate burden on Apache or its licensees.
> There was a germ of a discussion a few months ago (February 05) on this list
> about what Standards are compatible with Apache's approach to life. At that
> time, I wrote in response to a post by Larry Rosen:
>
> --In any event, Apache guidelines would address, in my mind, at least three
> --basic questions:
> --
> --1. Can Apache get the standard? If we can't get it, we can't implement
> --it.
> --
> --2. Can Apache publish its implementation under Apache's license? This is
> --the most critical. Any standards agreement that prevents open source
> --implementations shouldn't be embraced by Apache.
> --
> --3. Is Apache opening itself or its customers to royalties for necessary
> --patents? This is the hardest to answer. Your definition of open standards
> --spent a lot of time talking about the details of the patent licenses, but in
> --the end, the question is whether the open source project and its customers
> --qualify for the free license.
>
> The third item is the most relevant to the current conversation. I think
> that this list is still accurate, and as far as I can tell WS-Security meets
> those requirements.
Please see the other email. For example, Section 1.3 talks about
sublicensing as applied to subsidiaries ONLY, which is irrelevant to
ASF's model or open source in general.
> > 4. Another instance of conflict with AL 2.0 is the requirement for
> > compliance with U.S. Export laws - this needs to go.
>
> I don't see an Export law term in the IBM license.
My bad! This line was for the MSFT license.
> > 5. Note that the Apache Licence
> > (http://www.apache.org/licenses/LICENSE-2.0.html) has a clause relating
> > to patents which may well work in the way you want already - clause 3.
>
> The patent grant in the AL2 performs a completely different function than a
> patent grant that applies to implementations of a Spec and necessarily
> focuses on different issues. When a company contributes CODE to Apache,
> knowing that the code will be licensed liberally to the world, it is
> important to know that that company isn't going to go around and sue the
> licensees of that code for patent infringement just for using that code.
> There are few restrictions on that patent license, but it is tied to the
> code.
>
> For specification related patent licenses, there is no code, or at least not
> yet. The license is necessarily focused on implementations of the Spec.
> Anyone who writes code that implements that Spec is covered, unlike the
> license in AL2 which only covers licensees of the Apache code. So, in some
> ways, the AL2 license is too broad (it covers the code, whatever it is used
> for), and in others, it's too narrow (it doesn't cover non-Apache licensed
> code).
OK. Understood.
> I think that this is an important issue for Apache, because it seems to me
> that if Apache applies the rules that it seems you are applying here, most
> (if not all) of the current projects will have problems. In some sense,
> patent licenses that are tied to specifications are orthogonal to the AL2
> license. I don't think you can force them to be parallel, and if you filter
> out all licenses which are not, you will likely end up with a null set of
> specifications to implement.
>
> FYI, I'll be non-connected for most of tomorrow, but will try to respond to
> any comments when I get e-mail access.
I guess I am being cautious; the IPR statements on the OASIS web site
say we have to get licenses from IBM/VeriSign/MSFT, and that's what we
are trying to do...I don't know how else to tackle this.
Let me take a more concrete example, one that has bitten us before.
RSA Security has a patent on SAML and they have made public noise
about it. They are forcing the OpenSAML project to put up a disclaimer
that says:
"Note that RSA has published their patent licensing terms for SAML
toolkits, and developers using OpenSAML may be subject to the terms
and may evaluate the license at
http://www.rsasecurity.com/solutions/standards/saml/."
I was told that Apache will *NEVER* allow such a disclaimer/verbiage
on *ANY* project and the incubation was cancelled. See
http://marc.theaimsgroup.com/?l=incubator-general&w=2&r=1&s=opensaml
for all the gory details.
I myself don't know why web services projects are getting this special
attention.
Thanks
dims
Re: IBM and WS-Security
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Davanum Srinivas <da...@gmail.com> wrote on 06/23/2005 11:22:45 AM:
> Jeff,
>
> Let's start fresh. Is IBM willing to allow Apache to write a
> WS-Security Implementation?
Certainly. That was why we contributed it to OASIS and why we made an RF
patent commitment. As an aside, I'm not aware that we've identified any
necessary patents for WS-Security.
>
> We already have code, and have participated in interops, but have not
> made a release yet (http://ws.apache.org/ws-fx/wss4j/). Current terms
> published by IBM (http://www.ibm.com/ibm/licensing/977Q/2112.shtml)
> are incompatible with Apache License/Process.
I think we have a basic disagreement here. IBM's patent terms are not
incompatible with Apache's license or Apache's open source model.
> I have detailed feedback
> almost clause-by-clause for the IBM License (and the Microsoft
> License), but that defeats the purpose...It's better for us to specify
> what we'd like to see in a modified license from IBM (and Microsoft).
Actually, I haven't seen that (I'm not always able to read all of the list
postings). No need to bore everyone else with repetition, but if you want
to send it to me off list, I'd appreciate it.
> BenL and me were discussing this morning on what to request IBM and
> MSFT w.r.t WS-Security license. Here is the list:
>
> 1. Users should be able to download our code and run it without further
> action on their part (obviously they should be aware of the licence and
> comply with it, but should not need to do anything beyond the normal
> requirements of the Apache Licence 2.0).
Obviously. And that's what happens under the current licenses. Under the
doctrine of patent exhaustion, if a maker of a product (here, Apache) is
licensed to practice a patent when it makes the product, users of that
product are also covered.
>
> 2. The licence should not require implementations to be compliant (as we
> agreed, this is an incomprehensible requirement anyway).
I'm not sure why you are singling out WS-Security on this point. Every
Java specification license includes compliance requirements and I expect
that all of the patent licenses pursuant to the W3C Patent Policy are
limited to "implementations of the recommendation". Is your point that it
is not clear what "compliant" means in the absence of a test suite, or
that the concept of compliance is itself incomprehensible? If it's the
former, take the normal meaning -- that the implementation actually
implements the spec correctly. If it's the latter, I'm not sure how to
respond.
>
> 3. There should be no restrictions beyond those imposed by Apache
> Licence 2.0.
Again, why are we singling out WS-Security? The Java spec licenses
include additional restrictions as do pretty much all existing patent
licenses for standards (W3C or otherwise). The question is whether the
additional restrictions impose an inappropriate burden on Apache or its
licensees. There was a germ of a discussion a few months ago (February
05) on this list about what Standards are compatible with Apache's
approach to life. At that time, I wrote in response to a post by Larry
Rosen:
--In any event, Apache guidelines would address, in my mind, at least
--three basic questions:
--
--1. Can Apache get the standard? If we can't get it, we can't implement
--it.
--
--2. Can Apache publish its implementation under Apache's license? This is
--the most critical. Any standards agreement that prevents open source
--implementations shouldn't be embraced by Apache.
--
--3. Is Apache opening itself or its customers to royalties for necessary
--patents? This is the hardest to answer. Your definition of open standards
--spent a lot of time talking about the details of the patent licenses, but in
--the end, the question is whether the open source project and its customers
--qualify for the free license.
The third item is the most relevant to the current conversation. I think
that this list is still accurate, and as far as I can tell WS-Security
meets those requirements.
>
> 4. Another instance of conflict with AL 2.0 is the requirement for
> compliance with U.S. Export laws - this needs to go.
I don't see an Export law term in the IBM license.
>
> 5. Note that the Apache Licence
> (http://www.apache.org/licenses/LICENSE-2.0.html) has a clause relating
> to patents which may well work in the way you want already - clause 3.
The patent grant in the AL2 performs a completely different function than
a patent grant that applies to implementations of a Spec and necessarily
focuses on different issues. When a company contributes CODE to Apache,
knowing that the code will be licensed liberally to the world, it is
important to know that that company isn't going to go around and sue the
licensees of that code for patent infringement just for using that code.
There are few restrictions on that patent license, but it is tied to the
code.
For specification related patent licenses, there is no code, or at least
not yet. The license is necessarily focused on implementations of the
Spec. Anyone who writes code that implements that Spec is covered, unlike
the license in AL2 which only covers licensees of the Apache code. So, in
some ways, the AL2 license is too broad (it covers the code, whatever it
is used for), and in others, it's too narrow (it doesn't cover non-Apache
licensed code).
>
> Thanks,
> Davanum Srinivas
> Vice President, Web services, Apache.
>
> Thanks,
> dims
I think that this is an important issue for Apache, because it seems to me
that if Apache applies the rules that it seems you are applying here, most
(if not all) of the current projects will have problems. In some sense,
patent licenses that are tied to specifications are orthogonal to the AL2
license. I don't think you can force them to be parallel, and if you
filter out all licenses which are not, you will likely end up with a null
set of specifications to implement.
FYI, I'll be non-connected for most of tomorrow, but will try to respond
to any comments when I get e-mail access.
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/