Licensing Questions: OpenID and oAuth


Jonathan Vanasco

Jun 9, 2008, 6:39:47 PM
to DataPortability.General
To date, I've been unable to find any sort of licensing attributed to
the OpenID or oAuth specs.

To the best of my knowledge:
- neither has been explicitly placed in the public domain
- neither has been submitted to IETF, thereby covered by its IP
policy
- neither has released a CC or OSI license with their specs

The only licensing statements I've found in OpenID are in regards to a
non-assertion agreement and transfer of copyright to the OpenID
foundation. The foundation uses the goal "The goal is to release
every part of this under the most liberal licenses possible, so
there’s no money or licensing or registering required to play."
However I see no license on any of the specs, just on the
implementation libraries.

Correct me if I'm wrong here, please... but shouldn't these projects
have some sort of open licensing on their specs ? Microformats, APML,
XFN, FOAF, RSS all explicitly use CC licenses on their specs. RDF is
covered by W3C. OPML has what seems to be a CC-noderivs. XMPP is
covered by the IETF's IP policy.

Going by US Copyright and Patent standards, copyright is implicit and
technically rests with the authors/foundations; and technologies may
be patented until 1yr from date of initial public disclosure.

So my questions are:
1. Are there hidden open licenses or public domain placements that
I'm just unaware of ?
2. If there are no explicit open licenses on these:
- what does this mean? It's great that the implementations are
license free, but could they be construed as violations of copyright /
patent / something at a future point ?
- how are two of the most popular 'Open Standards' the only two
without any sort of prominent licensing on their specifications ?

Gabriel Wachob

Jun 9, 2008, 7:31:37 PM
to dataportabi...@googlegroups.com
Have you seen:

http://openid.net/ipr/

and

https://agree2.com/declarations/oauth-non-assertion-covenant

The latter is being updated and there will be a new non-assertion
covenant released RSN - all the parties to the agree2 link will be
executing an agreement that has wording that better suits larger
adopters with tighter legal language requirements.

Chris Messina and I have been helping to shepherd the OAuth IPR stuff,
at my insistence. I was also heavily involved in crafting of the
OpenID IPR policy. If you have further questions, you can shoot them
at me and I will either pass them along or answer in whatever way I can.

-Gabe

Jonathan Vanasco

Jun 10, 2008, 10:22:55 AM
to DataPortability.General, gwa...@wachob.com
Gabriel-

Great to see that oAuth is Creative Commons Attribution-ShareAlike
3.0. That completely addresses and invalidates my concerns. Thank
you for sharing that!

Since you're involved in that effort, can I suggest that you
feature that licensing item on the spec itself and on the web
repository?

The OpenID policies still seem nebulous to me though.

The IPR policy maintains that there is a non-assertion of patent
claims by contributors, and has the OpenID foundation assuming
copyright of submissions and claiming copyright of the final drafts.
At no point on the site, though, have I found the actual
specification to be open.

Forgive my naive lawyerly readings but, all I see are:
- a promise to release things under liberal licenses
- many implementations under free licenses
- a non-assertion agreement and IPR policy covering IP submissions of
*contributors* that assigns ownership to the group

But I can't find
- any licensing on the spec itself ( re: consumers, distributors,
etc )

Does that make sense?

David Recordon

Jun 10, 2008, 12:04:21 PM
to DataPortability.General
I've just commented on a blog with the following, hope it helps.

Making sure that these technologies are actually open is incredibly
important so I'm glad that you're making sure to hold our feet to the
fire around it. I've been involved in OpenID since the beginning and
have spent a lot of time the past year helping to ensure that OpenID
is really both "open" and free to implement by anyone. Obviously
there are no guarantees when it comes to IPR, even for every standard
from groups like the IETF, rather it is about doing the best that can
be done.

For OpenID we've spent time working with a large group of community
members -- both big and small -- to develop an IPR policy and process
for OpenID specifications. These are designed to ensure that
contributors do not have any hidden patents over finalized
specifications. You can learn a bit more about some of this finished
work at http://openid.net/2007/12/31/openid-intellectual-property-policy-approved/.
The current finalized OpenID specifications have been covered by
non-assertion agreements executed by various contributors
(http://openid.net/ipr/Non-Assertion-Agreement/executed/) as well as all of
the companies which are members of the OpenID Foundation's board.
This means that individuals to some of the largest companies on the
web have pledged to help ensure that OpenID is free to implement and
not encumbered by patents.

Hopefully this helps provide some insight into what the OpenID
community is doing to help fulfill Brad Fitzpatrick's original
statement, "Nobody should own this. Nobody’s planning on making any
money from this. The goal is to release every part of this under the
most liberal licenses possible, so there’s no money or licensing or
registering required to play. It benefits the community as a whole if
something like this exists, and we’re all a part of the community."
I'm happy to provide more information, answer other questions, etc as
I can.

Jonathan Vanasco

Jun 10, 2008, 5:23:55 PM
to DataPortability.General

On Jun 10, 12:04 pm, David Recordon <record...@gmail.com> wrote:

> For OpenID we've spent time working with a large group of community
> members -- both big and small -- to develop an IPR policy and process
> for OpenID specifications.  These are designed to ensure that
> contributors do not have any hidden patents over finalized
> specifications.  Y

David-

I get that.

What I'm trying to point out is that there is no consumer licensing
*at all* on the OpenID spec.

There is the non-assertion agreement, which covers contributors and
the foundation. There is licensing on the libraries. There seems to
be no licensing on the spec anywhere.

It seems like every single edge/case scenario was created to ensure
that open licensing could occur -- but there hasn't actually been any
licensing on the specification. The IPR policy talks about 'royalty-
free nature of Specifications' (II 1 a ) and in V1 there is

"""
1. Copyright License. Some Contributions may not be subject to
copyright. To the extent,
however, that a Contribution is or may be subject to copyright, the
Contributor hereby grants a
perpetual, irrevocable (except in case of breach of this license), non-
exclusive, royalty-free,
worldwide license in such copyright to the OpenID Foundation, to other
Contributors, and to
Implementers, to reproduce, prepare derivative works from, distribute,
perform, and display the
Contribution and derivative works thereof solely for purposes of
developing draft Specifications
and implementing Implementers Drafts and Final Specifications.
"""

However none of the specifications actually have licensing that
suggests that.

I could be wrong on this -- Gabriel showed me an offsite licensing
earlier on the oAuth specification. However, to the best of my
knowledge, there exists no actual end-user / Implementor licensing on
the specifications themselves.

It seems like you all meant to do a CC / MIT license, but never
actually did it.

Jonathan Vanasco

Jul 1, 2008, 5:18:41 PM
to DataPortability.General
Just to float this back up to the top of the list:

OAuth IS open, even though it doesn't seem that way:
https://agree2.com/declarations/oauth-non-assertion-covenant
"In addition, we hereby license our contribution to the OAuth
specification under the terms of the Creative Commons Attribution-
ShareAlike 3.0 license."

I've placed a GetSatisfaction request so that their team can
actually let people know that it's distributable.

OpenID IS NOT open
There is no distribution licensing on the specification, nor a
placement into the public domain.
The patent non-assertion agreement is meaningless to this context
-- the specification is not distributable and that agreement does not
address this.


I hate being the only one making a stink about this -- but right now I
can NOT legally package/distribute the actual specification as a
reference with any code. That's a huge problem / concern. This is
something that could / should be easily fixed.

Brady Brim-DeForest

Jul 1, 2008, 5:40:09 PM
to dataportabi...@googlegroups.com
This is actually a very important question. Glad you bumped it Jonathan.

-Brady

TSchultz55

Jul 2, 2008, 7:37:01 AM
to DataPortability.General
John,

So does this mean, for example, that the PHP OpenID libs technically
CAN'T be released under the Apache Software License at this point in
time?

Not fully up to speed with all the legal implications and how they
cascade throughout different pieces of code.

Cheers,

Tim

Jonathan Vanasco

Jul 2, 2008, 10:08:49 AM
to DataPortability.General

I'm not a lawyer, so I'm not going to speculate on the interplay of
the license and the spec into code -- although I think the effect on
libs would be more of a patent issue, and most of the key interests
have signed a non-assertion agreement on patents.

In terms of the libs themselves -- the PHP OpenID libs (in fact all of
OpenID libs that I've seen) have clear licenses on them -- MIT, BSD,
GPL, etc etc etc

The problem is in the specification itself -- that the PHP and other
OpenID libs can't technically include a copy of the specification
they're meant to implement as a reference ( which is mind numbingly
stupid )

It would take all of 10 minutes for the OpenID foundation to say "this
spec is at-the-least copyright us and redistributable under the CC
Share-Alike License" and drop that license onto the specs and on the
site's IP policies page -- which I'm hoping they finally do.