Open source != open standards


Robin Wilton astutely points out that Apache’s TSIK incubator project’s roadmap is somewhat off the mark in its description of Infocard in relation to the Liberty Alliance Project specifications (and others):

Some of the initial ideas of TSIK are to implement WS-* standards as they are developed, in particular the ones related to implementation of a federated ID protocol such as Microsoft’s InfoCard. (There are other federated ID protocols, for example, Liberty Alliance, Sxip networks, Identity Commons, LID NetMesh, but only InfoCard seems to be based on open web services standards.)

This does indeed seem to be a case of “The World Turned Upside Down”. What I find most strange is that there is no mention in this list of the granddaddy of them all - SAML - now in its 2.0 version and as openly standardised as an open standard can be, at OASIS. Deeply puzzling…



Brian Ewins

SAML has one BIG problem: the RSA patent - see the FAQ on . If this was a 'normal' IETF spec, I could look at the spec, implement it in our product, and we could all get on with our lives. The RSA license, while quite reasonable as these things go, requires me to get the agreement of an officer of my own company (who'll probably want to wait for legal & a board meeting) and an officer of at least one other company (since it's an integration technology... and they'll want to wait for legal too...). Because it can't be thrashed out at a technical level, projects wanting to use SAML face a month or so of delay before the paperwork is done... and so something else wins.

And I say this from bitter experience - the only time I've gotten SAML into a real deployment was when it was nothing to do with us: we just provided some integration with a third party who had licensed (and could sublicense) SAML patents for the whole project. Every other time the patent has led us to look at doing something else.

If RSA's license was like Sun's recently-infamous declaration wrt OpenDocument IP ("no paperwork") I reckon SAML would be ubiquitous by now.


Thanks for the comment, Brian. Unfortunately, SAML is by no means unique in this respect - other standards also include the offer of a license. RSA are actually being pretty good in disclosing the license and making it almost trivial to obtain. Have a look at the IPR page for WS-Security. And IETF specs are not immune - as RFC 3979 explains.

Having said that, of course, you are correct - this is a hurdle (albeit pretty low) to SAML implementation. Maybe Sun's recent non-assert covenants will show the way for other vendors...?


As Eve Maler points out here, the RSA patent licensing issue is now resolved:

"RSA’s patent licensing situation has become entirely implicit, with implementors no longer asked to take any action at all to request a royalty-free license — not even filling in a web form, which was how things stood before."
