Hi. Thanks for this. I've been tied up with a couple of things, so please pardon the delay.

As far as this goes, Erik is correct, to a point!-) Just for tightness, I want to make this as clear as mud!-)

To my read, and this meshes with others, SAML is open. RSA
http://www.oasis-open.org/committees/security/ipr.php
have four patents that seem to overlap with parts of SAML, from:

"...RSA believed that these four patents could be relevant to practicing certain operational modes of the OASIS Security Assertion Markup Language ("SAML") specifications...".


Liberty Alliance took the SAML spec and implemented it with a profile that extended it, called the Browser/POST profile (a form post encoded in SAML). It is this profile that RSA seem to be claiming


http://lists.oasis-open.org/archives/security-services/200205/msg00046.html

rather than the SAML spec which is open:

http://www.opensaml.org/license.html

It is most unfortunate that RSA are taking this stance, but SAML and another synch method would not be covered by this patent, in my limited understanding of the world.


Internet2, for the record, do hold an RSA license which covers all users of the app.
s



On 1 Mar 2005, at 16:51, Erik Abele wrote:

On 01.03.2005, at 15:52, Sean Mehan wrote:

Just a pointer to something that is gaining a bit of ground in various circles:


http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf


found at

http://www.oasis-open.org/committees/documents.php?wg_abbrev=security


This is about SAML, a vocabulary for exchange of authentication and authorization data about users trying to access resources. With this capability built in, one can write policies for users originating from other sites.

The problem I see with SAML and its specs is that RSA holds patents on it and although these patents are made available under a royalty-free license, every end-user must obtain their own license from RSA. That alone is a requirement which goes far beyond the requirements of the Apache License and furthermore there are some other constraints (e.g. licensees must grant RSA the same rights to any patents they own).


Find the details at http://www.oasis-open.org/committees/security/ipr.php.

There is an implementation of this for what used to be called (resource) targets, now called SP [service provider]s, which compiles and runs under apache 1.3/2.0
found at http://shibboleth.internet2.edu/

Hmm, I think both opensaml.org and shibboleth.internet2.edu are not conforming to RSA's license requirements:


"The license terms for the RSA Patents will permit end-users to use the Licensed Products. However, in the event that a Licensed Product is a product (such as a toolkit product or operating system service) that is used to develop other products, the license will require the licensee of the RSA Patents to notify users of the Licensed Products that such users must obtain a license directly from RSA for the RSA Patents. RSA is willing to grant such licenses on the same non-exclusive, royalty-free terms described above."

I don't find any such notice on both pages, just their usual license which is misleading in this case, e.g. http://www.opensaml.org/license.html

IMHO we should avoid touching this sort of stuff...

Cheers,
Erik
