IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation

Mike Jones <Michael.Jones@microsoft.com> Wed, 16 July 2014 13:54 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 910FF1B27D7 for <oauth@ietfa.amsl.com>; Wed, 16 Jul 2014 06:54:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rgnPXRjqcssm for <oauth@ietfa.amsl.com>; Wed, 16 Jul 2014 06:54:25 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29A8B1B288A for <oauth@ietf.org>; Wed, 16 Jul 2014 06:54:24 -0700 (PDT)
Received: from BY2PR03CA029.namprd03.prod.outlook.com (10.242.234.150) by BLUPR03MB565.namprd03.prod.outlook.com (10.141.77.15) with Microsoft SMTP Server (TLS) id 15.0.990.7; Wed, 16 Jul 2014 13:54:23 +0000
Received: from BY2FFO11FD033.protection.gbl (2a01:111:f400:7c0c::141) by BY2PR03CA029.outlook.office365.com (2a01:111:e400:2c2c::22) with Microsoft SMTP Server (TLS) id 15.0.990.7 via Frontend Transport; Wed, 16 Jul 2014 13:54:22 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD033.mail.protection.outlook.com (10.1.14.218) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Wed, 16 Jul 2014 13:54:22 +0000
Received: from TK5EX14MBXC294.redmond.corp.microsoft.com ([169.254.3.103]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0195.002; Wed, 16 Jul 2014 13:54:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@MIT.EDU>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
Thread-Index: AQHPmqNjTLUtygPATEaoV9K+QkTus5uWWTqAgAAPVUaAAJbWEIAKle1ggADzlQCAABeGAIAAAP0AgAACRICAAAIDwIAADxmAgAACZHA=
Date: Wed, 16 Jul 2014 13:54:12 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439ADCB58E@TK5EX14MBXC294.redmond.corp.microsoft.com>
References: <53BBDBEE.703@gmx.net>, <BE6275F6-27D0-4A7A-ABA2-18B571BFDF18@oracle.com> <4E1F6AAD24975D4BA5B16804296739439ADA02B7@TK5EX14MBXC294.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439ADA1766@TK5EX14MBXC294.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739439ADAB98C@TK5EX14MBXC294.redmond.corp.microsoft.com> <53C65120.4020302@gmx.net> <53C664DC.50907@mit.edu> <53C665B0.7040708@gmx.net> <53C66797.1040509@mit.edu> <4E1F6AAD24975D4BA5B16804296739439ADCB3B3@TK5EX14MBXC294.redmond.corp.microsoft.com> <53C675F1.9080102@mit.edu>
In-Reply-To: <53C675F1.9080102@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(6009001)(438002)(164054003)(199002)(13464003)(55885003)(51704005)(24454002)(189002)(377454003)(479174003)(55846006)(95666004)(79102001)(86612001)(81342001)(87936001)(2171001)(85852003)(44976005)(77982001)(4396001)(2656002)(106466001)(80022001)(106116001)(81156004)(93886003)(47776003)(64706001)(20776003)(66066001)(21056001)(86362001)(99396002)(54356999)(76176999)(50986999)(15395725005)(92726001)(92566001)(6806004)(50466002)(83072002)(31966008)(26826002)(83322001)(15202345003)(19580405001)(104016003)(19580395003)(107886001)(107046002)(69596002)(68736004)(81542001)(97736001)(76482001)(46102001)(77096002)(74662001)(74502001)(85306003)(33656002)(15975445006)(23676002)(84676001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB565; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0274272F87
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/bkmweZMaNw8c1SmvA8WdNvJwGdY
Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jul 2014 13:54:28 -0000

OK - looking back at the parameter name change example, I agree that this was first discussed in the OAuth WG and was adopted by both specs at about the same time, so I agree that that's an example of information flowing in the other direction.  (I doubt that anyone will assert IPR about a parameter name change, so I suspect that instance was innocuous.)  When some of the same people were in two working groups doing highly related things, I suppose some of that was bound to happen, despite the best of intentions.  However, it's still my assertion that the core inventions in Connect Registration were independently developed, syntax tweaks made later for compatibility reasons aside.

Be that as it may, and having thought about it some more, I'm not going to stand in the way of acknowledging UMA in the OAuth Registration spec if people believe that that's the right thing to do.  People who know me know that I'm all in favor of giving credit where credit is due.  I'd thought that all the UMA content had been replaced, but if I'm wrong about that, so be it.

What would be the right reference for the UMA registration specification in the acknowledgement?

				-- Mike

-----Original Message-----
From: Justin Richer [mailto:jricher@MIT.EDU] 
Sent: Wednesday, July 16, 2014 5:54 AM
To: Mike Jones; Hannes Tschofenig; oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation

It's quite true that the OIDC draft predates -00 of the IETF draft, and I'm sorry if that was unclear from what I said as I was not intending to misrepresent the history. And it's true that the UMA draft predates both of these by a fair whack and at the very least provided inspiration in how to accomplish this task, and in fact draft -00 was a straight copy of UMA. As Mike mentions below, draft -01 (when I took over the editor
role) incorporates a lot of text from the OIDF draft alongside the UMA text, which is why that document has eight authors on it.

However it's not true that information didn't flow both ways, or that everything from UMA was eventually expunged. It's fairly clear if you look at the document history that there was a lot of back and forth. The JSON formatting in the IETF draft, for example, exists in -00 and came from UMA, was switched to form encoding from in -01 (from OIDC), and with lots of discussion here in the WG (both before and after the
change) was switched back to JSON in -05. At that time, there was a discussion in the OIDF working group of whether to adopt the JSON formatting as well in order to maintain compatibility, and OIDF decided to do so. There were other instances where parameter names and other ideas began in the IETF and moved to OIDF's spec, like changing "issued_at" to the more clear "client_id_issued_at". These were breaking changes and not entered into lightly, and I was there for those discussions and still contend that OIDF made the right call.

If the OIDF wants to frame that decision as "we decided independently to do a thing for the greater good" as opposed to "we adopted ideas from outside", then it's free to do so for whatever legal protection reasons it likes. It's perfectly fine with me that the OIDF represent itself and its documents how it sees best. But it's not OK with me to discount or misrepresent the history and provenance of the ideas and components of this IETF document in the IETF and I'd like to include the modified statement I posted below in the introduction text of the next revision.

  -- Justin

On 7/16/2014 8:34 AM, Mike Jones wrote:
> I disagree with one aspect of Justin's characterization of the history of the spec and have data to back up my disagreement.  The OpenID Connect Dynamic Registration Specification was not based on draft-ietf-oauth-dyn-reg-00 or the UMA specification.  It was created independently by John Bradley in June 2011 based upon OpenID Connect working group discussions that predated draft-ietf-oauth-dyn-reg-00, and for which there are working group notes documenting the OpenID Connect working group decisions prior to the IETF -00 draft.  Yes, there's plenty of evidence that the IETF -01 draft copied text from the early OpenID Connect draft (including in the change history), but the Connect authors were careful to follow the OpenID Foundation's IPR process and not incorporate contributions from third parties who hadn't signed an OpenID IPR Contribution Agreement stating that the OpenID Foundation was free to use their contributions.  (This fills the same role as the IETF Note well, but with a signed agreement, and ensures that all developers can use the resulting specifications without IPR concerns based on IPR that may be held by the contributors.)  The OpenID Connect Dynamic Registration draft didn't copy from the UMA draft or the IETF draft derived from it, so as to maintain the IPR integrity of the OpenID document.  The copying all went in the other direction.
>
> If portions of the UMA draft remained from -00 in the current drafts, 
> I'd be fine with the UMA attribution, but in practice they don't.  The 
> UMA content was replaced with the OpenID Connect content.  (I believe 
> that eventually UMA decided to drop their old draft and move to 
> registration mechanisms that were compatible with Connect as well, and 
> stopped using their previous registration data formats.)
>
> 				-- Mike
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@MIT.EDU]
> Sent: Wednesday, July 16, 2014 4:53 AM
> To: Hannes Tschofenig; Mike Jones; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
>
> I like the idea of adding some of the text in the introduction, as I agree the compatibility is an important (and hard-won) accomplishment. I think taking Mike's text, expanding it, and putting it in the introduction might serve the overall purpose just fine:
>
> Portions of this specification are derived from the OpenID Connect Dynamic Registration [OpenID.Registration] specification and from the User Managed Access [UMA] specification.  This was done so that implementations of these three specifications will be compatible with one another.
>
>
> These are both informative references, so we can reference the ID for UMA.
>
>    -- Justin
>
> On 7/16/2014 7:44 AM, Hannes Tschofenig wrote:
>> Interesting background information. Maybe we should then extend the 
>> note Mike provided to also clarify the relationship with the UMA work 
>> (both in terms to IPR, copyright, and attribution-wise).
>>
>> It would also make sense to state the relationship in the 
>> introduction to highlight the compatibility, which I believe is a big accomplishment.
>>
>> Ciao
>> Hannes
>>
>> On 07/16/2014 01:41 PM, Justin Richer wrote:
>>> I thought I had sent this note already, but I don't see it in the 
>>> archives or in my 'sent' folder:
>>>
>>> If we're going to point to OpenID Connect (which I'm fine with), 
>>> then we should clarify that portions were also taken from the UMA specification.
>>> In fact, draft -00 actually *was* the UMA specification text entirely.
>>> This is also what the OpenID Connect registration specification was
>>> (loosely) based on when it was started.
>>>
>>> In reality, the relationship between these three documents from 
>>> three different SBO's is more complicated: they all grew up together 
>>> and effectively merged to become wire-compatible with each other. 
>>> There were a number of changes that were discussed here in the IETF 
>>> that OpenID Connect adopted, and a number of changes that were 
>>> discussed at OIDF that were adopted here. OIDC also extends the IETF 
>>> draft with a set of OIDC-specific metadata fields and editorial 
>>> language that makes it fit more closely in the OIDC landscape, but make no mistake:
>>> they're the same protocol. In the case of UMA, it's a straight 
>>> normative reference to the IETF document now because we were able to 
>>> incorporate those use cases and parameters directly.
>>>
>>> The trouble is, I'm not sure how to concisely state that all that in 
>>> the draft text, but it's not as simple as "we copied OpenID", which 
>>> is what the text below seems to say.
>>>
>>>    -- Justin
>>>
>>> On 7/16/2014 6:17 AM, Hannes Tschofenig wrote:
>>>> Thanks, Mike.
>>>>
>>>> This is a useful addition and reflects the relationship between the 
>>>> two efforts.
>>>>
>>>> Please add it to the next draft version.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> On 07/15/2014 09:46 PM, Mike Jones wrote:
>>>>> So that the working group has concrete language to consider, 
>>>>> propose the following language to the OAuth Dynamic Client Registration specification:
>>>>>
>>>>>    
>>>>>
>>>>> Portions of this specification are derived from the OpenID Connect 
>>>>> Dynamic Registration [OpenID.Registration] specification.  This 
>>>>> was done so that implementations of this specification and OpenID 
>>>>> Connect Dynamic Registration can be compatible with one another.
>>>>>
>>>>>    
>>>>>
>>>>>                                                               -- 
>>>>> Mike
>>>>>
>>>>>    
>>>>>
>>>>> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Mike 
>>>>> Jones
>>>>> *Sent:* Tuesday, July 08, 2014 7:15 PM
>>>>> *To:* Phil Hunt; Hannes Tschofenig
>>>>> *Cc:* Maciej Machulak; oauth@ietf.org
>>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: IPR 
>>>>> Confirmation
>>>>>
>>>>>    
>>>>>
>>>>> Thinking about this some more, there is one IPR issue that we need 
>>>>> to address before publication.  This specification is a derivative 
>>>>> work from the OpenID Connect Dynamic Registration specification 
>>>>> http://openid.net/specs/openid-connect-registration-1_0.html.
>>>>> Large portions of the text were copied wholesale from that spec to 
>>>>> this one, so that the two would be compatible.  (This is good 
>>>>> thing – not a bad
>>>>> thing.)
>>>>>
>>>>>    
>>>>>
>>>>> This is easy to address from an IPR perspective – simply 
>>>>> acknowledge that this spec is a derivative work and provide proper 
>>>>> attribution.  The OpenID copyright in the spec at 
>>>>> http://openid.net/specs/openid-connect-registration-1_0.html#Notic
>>>>> e s allows for this resolution.  It says:
>>>>>
>>>>>    
>>>>>
>>>>> Copyright (c) 2014 The OpenID Foundation.
>>>>>
>>>>> The OpenID Foundation (OIDF) grants to any Contributor, developer, 
>>>>> implementer, or other interested party a non-exclusive, royalty 
>>>>> free, worldwide copyright license to reproduce, prepare derivative 
>>>>> works from, distribute, perform and display, this Implementers 
>>>>> Draft or Final Specification solely for the purposes of (i) 
>>>>> developing specifications, and (ii) implementing Implementers 
>>>>> Drafts and Final Specifications based on such documents, provided 
>>>>> that attribution be made to the OIDF as the source of the 
>>>>> material, but that such attribution does not indicate an endorsement by the OIDF.
>>>>>
>>>>> Let’s add the reference and acknowledgment in the next version.
>>>>>
>>>>>    
>>>>>
>>>>>                                                               -- 
>>>>> Mike
>>>>>
>>>>>    
>>>>>
>>>>> *From:*Mike Jones
>>>>> *Sent:* Tuesday, July 08, 2014 10:06 AM
>>>>> *To:* Phil Hunt; Hannes Tschofenig
>>>>> *Cc:* John Bradley; Justin Richer; Maciej Machulak; oauth@ietf.org 
>>>>> <mailto:oauth@ietf.org>
>>>>> *Subject:* RE: Dynamic Client Registration: IPR Confirmation
>>>>>
>>>>>    
>>>>>
>>>>> I likewise do not hold any IPR on these specs.
>>>>>
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> -----
>>>>>
>>>>> *From: *Phil Hunt <mailto:phil.hunt@oracle.com>
>>>>> *Sent: *‎7/‎8/‎2014 9:11 AM
>>>>> *To: *Hannes Tschofenig <mailto:hannes.tschofenig@gmx.net>
>>>>> *Cc: *Mike Jones <mailto:Michael.Jones@microsoft.com>; John 
>>>>> Bradley <mailto:ve7jtb@ve7jtb.com>; Justin Richer 
>>>>> <mailto:jricher@mitre.org>; Maciej Machulak 
>>>>> <mailto:m.p.machulak@ncl.ac.uk>; oauth@ietf.org 
>>>>> <mailto:oauth@ietf.org>
>>>>> *Subject: *Re: Dynamic Client Registration: IPR Confirmation
>>>>>
>>>>> I confirm I have no IPR disclosures on this document.
>>>>>
>>>>> Phil
>>>>>
>>>>>> On Jul 8, 2014, at 4:54, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>>>>
>>>>>> Hi Phil, John, Maciej, Justin, Mike,
>>>>>>
>>>>>> I am working on the shepherd writeup for the dynamic client 
>>>>>> registration document and one item in the template requires me to 
>>>>>> indicate whether each document author has confirmed that any and 
>>>>>> all appropriate IPR disclosures required for full conformance 
>>>>>> with the provisions of BCP 78 and BCP 79 have already been filed.
>>>>>>
>>>>>> Could you please confirm?
>>>>>>
>>>>>> Ciao
>>>>>> Hannes
>>>>>>
>>>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email