[OAUTH-WG] Copyright and IPR Question regarding IETF OAuth Dynamic Client Registration Specification

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 21 August 2014 12:04 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5287A1A6EF9 for <oauth@ietfa.amsl.com>; Thu, 21 Aug 2014 05:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id fBEWuIA1oXI7 for <oauth@ietfa.amsl.com>; Thu, 21 Aug 2014 05:04:36 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C098B1A6EF4 for <oauth@ietf.org>; Thu, 21 Aug 2014 05:04:35 -0700 (PDT)
Received: from [] ([]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MLA45-1XKA7L1Su9-000IGc; Thu, 21 Aug 2014 14:04:15 +0200
Message-ID: <53F5E16A.60200@gmx.net>
Date: Thu, 21 Aug 2014 14:09:14 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: cntreras@gmail.com, sob@harvard.edu
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="CnIxhjQ8Uc9dwIff3LjMVklNWAC6q0QIN"
X-Provags-ID: V03:K0:twqWKIXMTbe/NFbs87EOEWvtbv0JXxRnnx31GK2sB0ryuCL/2sH LEhSCUbjDXodGF4dYpp/3EI17a3lRF7YsBhcaHdThxiCAlPB2XiJ6M0ch4uiIJvh1rLcBt0 FlzH6v4Go0xowyCSpDjqEn/4L7LrsAMB/ceYV/T0EVZxqNVe3xuPftBR5Ym3X1xExABkX2n vc5zsmmv01qMi/zrZhfKw==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vVTpycM50gf2he38Xchdk0YE44k
Cc: Maciej Machulak <m.p.machulak@ncl.ac.uk>, Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Copyright and IPR Question regarding IETF OAuth Dynamic Client Registration Specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Aug 2014 12:04:38 -0000

Hi Jorge, Hi Scott,

we need your advice in the OAuth working group.

We are about to finalize a specification called 'Dynamic Client
Registration' (http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-19)
and this document intentionally harmonizes work done in two other
organizations, namely in Kantara and in the OpenID Foundation. As part
of this harmonization text was copied from specifications developed by
these two organizations. When I did my shepherd write-up the question
about potential copyright and IPR issues surfaced.

Currently, we have put the following text into
draft-ietf-oauth-dyn-reg-19 to reference and acknowledge the work done
in UMA and in the OpenID Foundation concerning the history:

Multiple applications using OAuth 2.0 have previously developed
mechanisms for accomplishing such registrations. This specification
generalizes the registration mechanisms defined by the OpenID Connect
Dynamic Client Registration 1.0 [OpenID.Registration] specification and
used by the User Managed Access (UMA) Profile of OAuth 2.0
[I-D.hardjono-oauth-umacore] specification in a way that is compatible
with both, while being applicable to a wider set of OAuth 2.0 use cases.

The copyright situation with the UMA work might be easier since the UMA
working group decided to publish their material as an IETF draft -
[I-D.hardjono-oauth-umacore]. The OpenID Connect Registration draft (see
http://openid.net/specs/openid-connect-registration-1_0.html) provides
information about the copyright by saying:

The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft or Final
Specification solely for the purposes of (i) developing specifications,
and (ii) implementing Implementers Drafts and Final Specifications based
on such documents, provided that attribution be made to the OIDF as the
source of the material, but that such attribution does not indicate an
endorsement by the OIDF.

I believe we are OK copying text from your specifications but the IPR
situation is unclear to me since the IPR rules of these two
organizations are different to those in the IETF. The IPR policies of
the two organizations are described here:

I put the co-chairs of the Kantara UMA working group (see
http://kantarainitiative.org/confluence/display/uma/Home) and the
chairman of the OpenID Foundation (see
http://openid.net/foundation/leadership/) on CC to help with potential
questions. They are well aware of the IETF work on the dynamic client
registration specification.

Thanks for your help.

Hannes & Derek