httpd-dev mailing list archives

From Erik Abele <e...@codefaktor.de>
Subject Re: Authentication Needs for Apache: Was Re: Puzzling News
Date Tue, 01 Mar 2005 16:51:29 GMT
On 01.03.2005, at 15:52, Sean Mehan wrote:

> Just a pointer to something that is gaining a bit of ground in various  
> circles:
>
>
> http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
>
> found at
>
> http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
>
>
> This is about SAML, a vocabulary for exchange of authentication and  
> authorization data about users trying to access resources. With this  
> capability built in, one can write policies for users originating from  
> other sites.

The problem I see with SAML and its specs is that RSA holds patents on  
it and although these patents are made available under a royalty-free  
license, every end-user must obtain their own license from RSA. That  
alone is a requirement which goes far beyond the requirements of the  
Apache License and furthermore there are some other constraints (e.g.  
licensees must grant RSA the same rights to any patents they own).

Find the details at  
http://www.oasis-open.org/committees/security/ipr.php.

> There is an implementation of this for what used to be called  
> (resource) targets, now called SP [service provider]s, which compiles  
> and runs under apache 1.3/2.0
> found at http://shibboleth.internet2.edu/

Hmm, I think both opensaml.org and shibboleth.internet2.edu are not  
conforming to RSA's license requirements:

"The license terms for the RSA Patents will permit end-users to use the  
Licensed Products. However, in the event that a Licensed Product is a  
product (such as a toolkit product or operating system service) that is  
used to develop other products, the license will require the licensee  
of the RSA Patents to notify users of the Licensed Products that such  
users must obtain a license directly from RSA for the RSA Patents. RSA  
is willing to grant such licenses on the same non-exclusive,  
royalty-free terms described above."

I don't find any such notice on either page, just their usual license  
which is misleading in this case, e.g.  
http://www.opensaml.org/license.html

IMHO we should avoid touching this sort of stuff...

Cheers,
Erik
