Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation

Mike,

See comments below:

On 16 July 2014 15:54, Mike Jones <Michael.Jones@microsoft.com> wrote:

> OK - looking back at the parameter name change example, I agree that this
> was first discussed in the OAuth WG and was adopted by both specs at about
> the same time, so I agree that that's an example of information flowing in
> the other direction.  (I doubt that anyone will assert IPR about a
> parameter name change, so I suspect that instance was innocuous.)  When
> some of the same people were in two working groups doing highly related
> things, I suppose some of that was bound to happen, despite the best of
> intentions.  However, it's still my assertion that the core inventions in
> Connect Registration were independently developed, syntax tweaks made later
> for compatibility reasons aside.
>
> Be that as it may, and having thought about it some more, I'm not going to
> stand in the way of acknowledging UMA in the OAuth Registration spec if
> people believe that that's the right thing to do.  People who know me know
> that I'm all in favor of giving credit where credit is due.  I'd thought
> that all the UMA content had been replaced, but if I'm wrong about that, so
> be it.
>

That is fine - if the content has been removed then just don't give the
credit - I'm fine both ways.

>
> What would be the right reference for the UMA registration specification
> in the acknowledgement?
>

This is the latest doc that was ever produced, as far as I am aware of:
http://tools.ietf.org/html/draft-oauth-dyn-reg-v1-03

Kind regards,
Maciej

>
>                                 -- Mike
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@MIT.EDU]
> Sent: Wednesday, July 16, 2014 5:54 AM
> To: Mike Jones; Hannes Tschofenig; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
>
> It's quite true that the OIDC draft predates -00 of the IETF draft, and
> I'm sorry if that was unclear from what I said as I was not intending to
> misrepresent the history. And it's true that the UMA draft predates both of
> these by a fair whack and at the very least provided inspiration in how to
> accomplish this task, and in fact draft -00 was a straight copy of UMA. As
> Mike mentions below, draft -01 (when I took over the editor
> role) incorporates a lot of text from the OIDF draft alongside the UMA
> text, which is why that document has eight authors on it.
>
> However it's not true that information didn't flow both ways, or that
> everything from UMA was eventually expunged. It's fairly clear if you look
> at the document history that there was a lot of back and forth. The JSON
> formatting in the IETF draft, for example, exists in -00 and came from UMA,
> was switched to form encoding from in -01 (from OIDC), and with lots of
> discussion here in the WG (both before and after the
> change) was switched back to JSON in -05. At that time, there was a
> discussion in the OIDF working group of whether to adopt the JSON
> formatting as well in order to maintain compatibility, and OIDF decided to
> do so. There were other instances where parameter names and other ideas
> began in the IETF and moved to OIDF's spec, like changing "issued_at" to
> the more clear "client_id_issued_at". These were breaking changes and not
> entered into lightly, and I was there for those discussions and still
> contend that OIDF made the right call.
>
> If the OIDF wants to frame that decision as "we decided independently to
> do a thing for the greater good" as opposed to "we adopted ideas from
> outside", then it's free to do so for whatever legal protection reasons it
> likes. It's perfectly fine with me that the OIDF represent itself and its
> documents how it sees best. But it's not OK with me to discount or
> misrepresent the history and provenance of the ideas and components of this
> IETF document in the IETF and I'd like to include the modified statement I
> posted below in the introduction text of the next revision.
>
>   -- Justin
>
> On 7/16/2014 8:34 AM, Mike Jones wrote:
> > I disagree with one aspect of Justin's characterization of the history
> of the spec and have data to back up my disagreement.  The OpenID Connect
> Dynamic Registration Specification was not based on
> draft-ietf-oauth-dyn-reg-00 or the UMA specification.  It was created
> independently by John Bradley in June 2011 based upon OpenID Connect
> working group discussions that predated draft-ietf-oauth-dyn-reg-00, and
> for which there are working group notes documenting the OpenID Connect
> working group decisions prior to the IETF -00 draft.  Yes, there's plenty
> of evidence that the IETF -01 draft copied text from the early OpenID
> Connect draft (including in the change history), but the Connect authors
> were careful to follow the OpenID Foundation's IPR process and not
> incorporate contributions from third parties who hadn't signed an OpenID
> IPR Contribution Agreement stating that the OpenID Foundation was free to
> use their contributions.  (This fills the same role as the IETF Note well,
> but with a signed agreement, and ensures that all developers can use the
> resulting specifications without IPR concerns based on IPR that may be held
> by the contributors.)  The OpenID Connect Dynamic Registration draft didn't
> copy from the UMA draft or the IETF draft derived from it, so as to
> maintain the IPR integrity of the OpenID document.  The copying all went in
> the other direction.
> >
> > If portions of the UMA draft remained from -00 in the current drafts,
> > I'd be fine with the UMA attribution, but in practice they don't.  The
> > UMA content was replaced with the OpenID Connect content.  (I believe
> > that eventually UMA decided to drop their old draft and move to
> > registration mechanisms that were compatible with Connect as well, and
> > stopped using their previous registration data formats.)
> >
> >                               -- Mike
> >
> > -----Original Message-----
> > From: Justin Richer [mailto:jricher@MIT.EDU]
> > Sent: Wednesday, July 16, 2014 4:53 AM
> > To: Hannes Tschofenig; Mike Jones; oauth@ietf.org
> > Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
> >
> > I like the idea of adding some of the text in the introduction, as I
> agree the compatibility is an important (and hard-won) accomplishment. I
> think taking Mike's text, expanding it, and putting it in the introduction
> might serve the overall purpose just fine:
> >
> > Portions of this specification are derived from the OpenID Connect
> Dynamic Registration [OpenID.Registration] specification and from the User
> Managed Access [UMA] specification.  This was done so that implementations
> of these three specifications will be compatible with one another.
> >
> >
> > These are both informative references, so we can reference the ID for
> UMA.
> >
> >    -- Justin
> >
> > On 7/16/2014 7:44 AM, Hannes Tschofenig wrote:
> >> Interesting background information. Maybe we should then extend the
> >> note Mike provided to also clarify the relationship with the UMA work
> >> (both in terms to IPR, copyright, and attribution-wise).
> >>
> >> It would also make sense to state the relationship in the
> >> introduction to highlight the compatibility, which I believe is a big
> accomplishment.
> >>
> >> Ciao
> >> Hannes
> >>
> >> On 07/16/2014 01:41 PM, Justin Richer wrote:
> >>> I thought I had sent this note already, but I don't see it in the
> >>> archives or in my 'sent' folder:
> >>>
> >>> If we're going to point to OpenID Connect (which I'm fine with),
> >>> then we should clarify that portions were also taken from the UMA
> specification.
> >>> In fact, draft -00 actually *was* the UMA specification text entirely.
> >>> This is also what the OpenID Connect registration specification was
> >>> (loosely) based on when it was started.
> >>>
> >>> In reality, the relationship between these three documents from
> >>> three different SBO's is more complicated: they all grew up together
> >>> and effectively merged to become wire-compatible with each other.
> >>> There were a number of changes that were discussed here in the IETF
> >>> that OpenID Connect adopted, and a number of changes that were
> >>> discussed at OIDF that were adopted here. OIDC also extends the IETF
> >>> draft with a set of OIDC-specific metadata fields and editorial
> >>> language that makes it fit more closely in the OIDC landscape, but
> make no mistake:
> >>> they're the same protocol. In the case of UMA, it's a straight
> >>> normative reference to the IETF document now because we were able to
> >>> incorporate those use cases and parameters directly.
> >>>
> >>> The trouble is, I'm not sure how to concisely state that all that in
> >>> the draft text, but it's not as simple as "we copied OpenID", which
> >>> is what the text below seems to say.
> >>>
> >>>    -- Justin
> >>>
> >>> On 7/16/2014 6:17 AM, Hannes Tschofenig wrote:
> >>>> Thanks, Mike.
> >>>>
> >>>> This is a useful addition and reflects the relationship between the
> >>>> two efforts.
> >>>>
> >>>> Please add it to the next draft version.
> >>>>
> >>>> Ciao
> >>>> Hannes
> >>>>
> >>>> On 07/15/2014 09:46 PM, Mike Jones wrote:
> >>>>> So that the working group has concrete language to consider,
> >>>>> propose the following language to the OAuth Dynamic Client
> Registration specification:
> >>>>>
> >>>>>
> >>>>>
> >>>>> Portions of this specification are derived from the OpenID Connect
> >>>>> Dynamic Registration [OpenID.Registration] specification.  This
> >>>>> was done so that implementations of this specification and OpenID
> >>>>> Connect Dynamic Registration can be compatible with one another.
> >>>>>
> >>>>>
> >>>>>
> >>>>>                                                               --
> >>>>> Mike
> >>>>>
> >>>>>
> >>>>>
> >>>>> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Mike
> >>>>> Jones
> >>>>> *Sent:* Tuesday, July 08, 2014 7:15 PM
> >>>>> *To:* Phil Hunt; Hannes Tschofenig
> >>>>> *Cc:* Maciej Machulak; oauth@ietf.org
> >>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: IPR
> >>>>> Confirmation
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thinking about this some more, there is one IPR issue that we need
> >>>>> to address before publication.  This specification is a derivative
> >>>>> work from the OpenID Connect Dynamic Registration specification
> >>>>> http://openid.net/specs/openid-connect-registration-1_0.html.
> >>>>> Large portions of the text were copied wholesale from that spec to
> >>>>> this one, so that the two would be compatible.  (This is good
> >>>>> thing – not a bad
> >>>>> thing.)
> >>>>>
> >>>>>
> >>>>>
> >>>>> This is easy to address from an IPR perspective – simply
> >>>>> acknowledge that this spec is a derivative work and provide proper
> >>>>> attribution.  The OpenID copyright in the spec at
> >>>>> http://openid.net/specs/openid-connect-registration-1_0.html#Notic
> >>>>> e s allows for this resolution.  It says:
> >>>>>
> >>>>>
> >>>>>
> >>>>> Copyright (c) 2014 The OpenID Foundation.
> >>>>>
> >>>>> The OpenID Foundation (OIDF) grants to any Contributor, developer,
> >>>>> implementer, or other interested party a non-exclusive, royalty
> >>>>> free, worldwide copyright license to reproduce, prepare derivative
> >>>>> works from, distribute, perform and display, this Implementers
> >>>>> Draft or Final Specification solely for the purposes of (i)
> >>>>> developing specifications, and (ii) implementing Implementers
> >>>>> Drafts and Final Specifications based on such documents, provided
> >>>>> that attribution be made to the OIDF as the source of the
> >>>>> material, but that such attribution does not indicate an endorsement
> by the OIDF.
> >>>>>
> >>>>> Let’s add the reference and acknowledgment in the next version.
> >>>>>
> >>>>>
> >>>>>
> >>>>>                                                               --
> >>>>> Mike
> >>>>>
> >>>>>
> >>>>>
> >>>>> *From:*Mike Jones
> >>>>> *Sent:* Tuesday, July 08, 2014 10:06 AM
> >>>>> *To:* Phil Hunt; Hannes Tschofenig
> >>>>> *Cc:* John Bradley; Justin Richer; Maciej Machulak; oauth@ietf.org
> >>>>> <mailto:oauth@ietf.org>
> >>>>> *Subject:* RE: Dynamic Client Registration: IPR Confirmation
> >>>>>
> >>>>>
> >>>>>
> >>>>> I likewise do not hold any IPR on these specs.
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> -
> >>>>> -----
> >>>>>
> >>>>> *From: *Phil Hunt <mailto:phil.hunt@oracle.com>
> >>>>> *Sent: *‎7/‎8/‎2014 9:11 AM
> >>>>> *To: *Hannes Tschofenig <mailto:hannes.tschofenig@gmx.net>
> >>>>> *Cc: *Mike Jones <mailto:Michael.Jones@microsoft.com>; John
> >>>>> Bradley <mailto:ve7jtb@ve7jtb.com>; Justin Richer
> >>>>> <mailto:jricher@mitre.org>; Maciej Machulak
> >>>>> <mailto:m.p.machulak@ncl.ac.uk>; oauth@ietf.org
> >>>>> <mailto:oauth@ietf.org>
> >>>>> *Subject: *Re: Dynamic Client Registration: IPR Confirmation
> >>>>>
> >>>>> I confirm I have no IPR disclosures on this document.
> >>>>>
> >>>>> Phil
> >>>>>
> >>>>>> On Jul 8, 2014, at 4:54, Hannes Tschofenig <
> hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> >>>>>>
> >>>>>> Hi Phil, John, Maciej, Justin, Mike,
> >>>>>>
> >>>>>> I am working on the shepherd writeup for the dynamic client
> >>>>>> registration document and one item in the template requires me to
> >>>>>> indicate whether each document author has confirmed that any and
> >>>>>> all appropriate IPR disclosures required for full conformance
> >>>>>> with the provisions of BCP 78 and BCP 79 have already been filed.
> >>>>>>
> >>>>>> Could you please confirm?
> >>>>>>
> >>>>>> Ciao
> >>>>>> Hannes
> >>>>>>
> >>>>>>
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Maciej Machulak
email: maciej.machulak@gmail.com
mobile: +44 7999 606 767 (UK)
mobile: +48 602 45 31 66 (PL)