Composite certs implementation

[baentsch]

This discussion to document background and ideally, to come agreement if and which proposal to implement and how.

[baentsch]

Also look at discussion in #295

[baentsch]

Implementing external IP to be done by IP owners

In email and conferencing discussions, several IP issues around composite and hybrid certs were mentioned e.g., as documented here.

From the perspective of a contributor to open source, interested in furthering generally available knowledge and technical capabilities, I personally do not feel compelled to --voluntarily-- work on/implement anything that would cause "my" code's users (or myself) grief (or cost).

I understand the rationale/need for corporations to "play the IP game" (if only for "defensive reasons") but as a private person I only want to do/support doing code that is absolutely free of IP claims.

For any proposal with specific IP claims, I'd argue that the owner of the IP shall do the work/provide the code as they also profit from it: ISARA seems to have done exactly this for OpenSSL -- but apparently without giving it back to the community. A commercial decision, probably, that I personally equally "commercially" chose to not use/support.

If anyone can provide arguments against this and/or pointers that indicate actual/impending uptake of any IP-protected hybrid/composite proposal by IETF, please add them here. Thanks.

[opencrypto]

For the Composite Crypto and its enhancements, CableLabs has submitted the IPR statement early on through the IETF website. To make sure everybody is updated on the status of the IPR on that idea, I would like to share the original IPR disclosure from our legal department and some more details that can help people tracking the IPR discussion across the original I-D and the merged I-D documents.

Original IPR statement:

If the IETF document is adopted, including CableLab’s contribution as reflected in this IPR disclosure statement, CableLabs will agree, subject to the following reciprocity commitment, not to assert any patents owned or controlled by CableLabs that are both reflected in this IPR disclosure statement and for which there are no technically feasible or commercially feasible non-infringing alternatives available to implement the standard against any party for the making, using, selling, importing or offering for sale of the compliant portion of a product that implements such standard, provided, however that (i) such party first makes an identical, mutual commitment in writing to CableLabs and its members, before first asserting anywhere a patent against CableLabs or CableLabs’ members, or their compliant products or services any time after the date of this submission; and (ii) CableLabs retains the right to assert patents (including the right to claim past royalties) against any party that asserts anywhere a patent it owns or controls (either directly or indirectly) against CableLabs or any CableLabs’ members or against any of their compliant products or services either alone or in combination with other products.

Additional Details:

I was looking at the statement on the IETF website and I think it disappeared when the original I-D expired (since we merged the drafts, we did not update the original I-D anymore) therefore I think we have to put the statement also in the new document - I thought we already did, but I guess we have not done so.

I asked our legal department to add the IPR statement to the current I-D, and they should be adding the statement shortly. For any further question, our legal contact is Jud Cary (contacts available on request).

[baentsch]

Thanks for this text. Looks longer than a simple "We provide Composite Crypto IP for free to everybody". Also, I am no patent lawyer, so don't want to get into discussions about reciprocity.

So what about this litmus test: Does any of this stop you from subscribing to the OpenSSL contributor agreement and becoming a member of the OpenInnovationNetwork -- or have you already done both?

The former enables you to provide an implementation of Composite certs within the OpenSSL code base -- and protect any user from any IP claims; the latter simply openly documents the commitments stated by email.