Return-Path: <cantor.2@osu.edu>
Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Delivered-To: mailing list general@incubator.apache.org
Received: (qmail 68896 invoked from network); 21 Feb 2003 15:36:15 -0000
Received: from mail-mta6.service.ohio-state.edu (128.146.216.46)
  by daedalus.apache.org with SMTP; 21 Feb 2003 15:36:15 -0000
Received: from SAIDIN ([128.146.242.97]) by mail-mta6.service.ohio-state.edu
 (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002))
 with ESMTP id <0HAO00HBN0OG9F@mail-mta6.service.ohio-state.edu> for
 general@incubator.apache.org; Fri, 21 Feb 2003 10:36:17 -0500 (EST)
Date: Fri, 21 Feb 2003 10:36:17 -0500
From: Scott Cantor <cantor.2@osu.edu>
Subject: RE: OpenSAML VOTE Results (was Re: [VOTE] Accept OpenSAML as part of
 Web Services )
In-reply-to: <3E54D53D.3080801@apache.org>
To: general@incubator.apache.org
Message-id: <008101c2d9be$f9b29840$0100a8c0@SAIDIN>
Organization: The Ohio State University
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook, Build 10.0.4510
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

> On my part this is -1 on these types of terms in general.  
> These terms basically make Apache a free development
> subsidiary of RSA which is just not good.

I'm not sure I follow this line of reasoning. The license language that they are supposedly writing does not connote any such thing.
It says if you want their SAML patent rights for free, you give them your SAML patent rights. It doesn't promise code (which is
hardly an issue for Apache which already lets them use the code), and it doesn't offer other IPR.

Do these terms make Sun a subsidiary of RSA? They have a SAML product out now.

The danger is in the lockdown that occurs if they changed the license such that the terms were no longer acceptable, not in the
initial terms.

The terms aren't done, but this is a moot discussion until they are...I would not advise the PMC to even take a final vote until the
terms are public.

> This is not specific to 
> OpenSAML.  I look forward to a web services security standard which is
> not tied to proprietary licensing.

Then I fear Apache or someone else would need to create one, unfortunately. Neither OASIS nor the W3C appear to be headed in such a
direction, and as others noted, it's impossible to know for certain that you will be free and clear anywhere unless you're prepared
to fight patents in court.

> Is it possible to change the standard as not to infringe on 
> these patents?

If somebody can actually figure out exactly what parts of SAML are covered, then a factoring of the code might be possible. I'm not
particularly inclined to such a direction myself, and I haven't the faintest idea how to read patents, in most cases.

I don't see the standard itself addressing this, no.

-- Scott