httpd-dev mailing list archives

From Sean Mehan <>
Subject Re: Authentication Needs for Apache: Was Re: Puzzling News
Date Fri, 04 Mar 2005 12:46:41 GMT
Hi. Thanks for this. I've been tied up with a couple of things, so  
please pardon the delay.

As far as this goes, Erik is correct, to a point!-) Just for tightness,  
I want to make this as clear as mud!-)

To my read, and this meshes with others, SAML is open. RSA
have four patents that seem to overlap with parts of SAML, from:

"...RSA believed that these four patents could be relevant to  
practicing certain operational modes of the OASIS Security Assertion  
Markup Language ("SAML") specifications...".

Liberty Alliance took the SAML spec and implemented it with a profile  
that extended it, called the Browser/POST profile (a form post encoded  
in SAML). It is this profile that RSA seem to be claiming 

rather than the SAML spec which is open:

It is most unfortunate that RSA are taking this stance, but SAML and  
another synch method would not be covered by this patent, in my limited  
understanding of the world.

Internet2, for the record, do hold an RSA license which covers all  
users of the app.

On 1 Mar 2005, at 16:51, Erik Abele wrote:

> On 01.03.2005, at 15:52, Sean Mehan wrote:
>> Just a pointer to something that is gaining a bit of ground in  
>> various circles:
>> tech-overview-2.0-draft-03.pdf
>> found at
>> This is about SAML, a vocabulary for exchange of authentication and  
>> authorization data about users trying to access resources. With this  
>> capability built in, one can write policies for users originating  
>> from other sites.
> The problem I see with SAML and its specs is that RSA holds patents  
> on it and although these patents are made available under a  
> royalty-free license, every end-user must obtain their own license  
> from RSA. That alone is a requirement which goes far beyond the  
> requirements of the Apache License and furthermore there are some  
> other constraints (e.g. licensees must grant RSA the same rights to  
> any patents they own).
> Find the details at  
>> There is an implementation of this for what used to be called  
>> (resource) targets, now called SP [service provider]s, which compiles  
>> and runs under apache 1.3/2.0
>> found at
> Hmm, I think both, and are not  
> conforming to RSA's license requirements:
> "The license terms for the RSA Patents will permit end-users to use  
> the Licensed Products. However, in the event that a Licensed Product  
> is a product (such as a toolkit product or operating system service)  
> that is used to develop other products, the license will require the  
> licensee of the RSA Patents to notify users of the Licensed Products  
> that such users must obtain a license directly from RSA for the RSA  
> Patents. RSA is willing to grant such licenses on the same  
> non-exclusive, royalty-free terms described above."
> I don't find any such notice on both pages, just their usual license  
> which is misleading in this case, e.g.  
> IMHO we should avoid touching this sort of stuff...
> Cheers,
> Erik
