A take on Microsoft, OSP and Open Source

Here is how Martin LaMonica from CNET interprets the Open Specification Promise:

The software giant on Tuesday published the Microsoft Open Specification Promise, a document that says that Microsoft will not sue anyone who creates software based on Web services technology, a set of standardized communication protocols designed by Microsoft and other vendors.

What's new…
Microsoft has promised not to sue anyone who creates software based on Web services technology covered by patents it owns.

Bottom Line
The move reflects how Microsoft has had to come to terms with open-source products and development models.

Reaction to the surprise news was favorable, even from some of Microsoft's rivals.

“The best thing about this is the fundamental mind shift at Microsoft. A couple of years ago, this would have been unthinkable. Now it is real. This is really a major change in the way Microsoft deals with the open-source community,” said Gerald Beuchelt, a Web services architect working in the Business Alliances Group in Sun Microsystems’ chief technologist's office.

Microsoft has never sued anyone for patent infringement related to Web services. But its pledge not to assert the patents alleviates lingering concerns among developers who feared potential legal action if they incorporate Web services into their code, said analysts and software company executives.

Open-source developers, for example, should have fewer worries about writing open-source Web services products. Also, other software companies could create non-Windows products that interoperate with Microsoft code via Web services.

The move reflects how Microsoft has had to come to terms with open-source products and development models.

When Linux began to take hold in the late 1990s, company executives seemed shaken by the shared code foundations of the open-source model. CEO Steve Ballmer famously called Linux a “cancer,” while founder Bill Gates derided the “Pacman-like” nature of open-source licensing models.

Other Microsoft executives, such as Windows development leader Jim Allchin, have in years past painted open source as “an intellectual property destroyer.”

But in the past two years, Microsoft has stepped up its Shared Source program, in which it gives free access to source code under terms similar to those in popular open-source licenses. It has also said it will make Windows-based products work better with those from other vendors, including Linux and other open-source software.

Standards in play
To be sure, Microsoft, which spends more than $6 billion a year on research and development, remains committed to generating proprietary intellectual property. In some cases, that means commercial licensing, rather than opening up access to others.

“In the future, I am sure we will take positions on IP (intellectual property) that will not be so agreeable to various constituencies,” wrote Jason Matusow, Microsoft's director of standards affairs, in his blog.

In the case of Web services, having a pledge not to assert patents around these protocols–which are the communications foundation of Vista, the next version of Windows due early next year–helps drive adoption of those standards in the marketplace, said analysts and software company executives.

Open-source projects, in particular, have become powerful forces within the industry for establishing standards, both de facto and those sanctioned by standards bodies.

“I expect that more and more vendors will realize that a software standard cannot be successful if the relevant patents are incompatible with open-source licenses and principles,” said Cliff Schmidt, vice president of legal affairs at the Apache Software Foundation, which hosts several open-source projects.

Patent pledges of various forms have become more common, he noted. Sun recently said that it would not assert patents relating to the SAML (Security Assertion Markup Language) standard and the OpenDocument Format. IBM gave open-source communities access to 500 patents last year.

More to come?
Microsoft's Matusow said that the Open Specification Promise is part of the company's efforts to “think creatively about intellectual property.”

For the Open Specification Promise, the company sought input from open-source legal experts, including Red Hat's deputy general counsel Mark Webbink and Lawrence Rosen, an open-source software lawyer at Rosenlaw & Einschlag in Northern California.

Matusow said Microsoft is still a big believer in intellectual property but added that the company has chosen a “spectrum approach” to it, which ranges from traditional IP licensing to more permissive usage terms that mimic open-source practices.

“That is the point of a spectrum approach. Any–and I do mean any–commercial organization today needs to have a sophisticated understanding of intellectual property and the strategies you may employ with it to achieve your business goals,” he said.

The current Open Specification Promise does not specifically cover CardSpace, formerly called InfoCard. But the promise not to assert patents could be extended from current Web services standards, said Michael Jones, Microsoft's director of distributed systems customer strategy and evangelism.

“Licensing additional specifications under these same terms should be much easier to do at this point, but I obviously can't make public commitments yet beyond those we already have buy-off on,” Jones said on a discussion group at OSIS, the open-source identity selector project.

Old concerns
Web services standards are authored by several vendors, often including Microsoft and IBM, and are built into products from many vendors.

IBM lauded the move in a statement on Wednesday. “We've provided open-source friendly licenses for Web services specifications and have made non-assert commitments for a broad set of open-source projects including Linux,” said Karla Norsworthy, vice president for software standards at IBM.

Web services specifications are standardized in the World Wide Web Consortium and in the Organization for the Advancement of Structured Information Standards. Both bodies allow people to license standards either royalty-free or on so-called RAND terms (reasonable and non-discriminatory terms).

But Microsoft's Open Specification Promise goes a bit further. It means that developers at Apache projects, for example, no longer have to worry about Microsoft asserting Web services patents down the road, said Apache's Schmidt.

Similarly, Rosen said that the “OSP is compatible with free and open-source licenses.”

That clarity is a far cry from the early days of Web services, which took shape around 2000, when Microsoft and IBM teamed with others to improve system interoperability using XML-based protocols.

Lingering concerns remained among outside developers and were points of dispute in some Web services standardization efforts.

In 2000, Anne Thomas Manes was the chief technology officer of a Web services start-up called Systinet. The venture capitalist backers of the company were nervous that implementing these newly published specifications, created by other companies, could lead to lawsuits down the road, she said.

Until now, there was still a “niggling concern” that Microsoft would sue people. Back in 2000, Systinet decided to accept the risk of creating software based on specifications created by others, even though they did not have a license, she said.

“We went ahead and did it anyway despite the risk, because we were of the impression that Microsoft and IBM really wanted people to implement it,” she said.

To me it isn't really very surprising that Microsoft is doing everything it can to co-operate with everyone else in the industry on fundamental infrastructure like identity and web service protocols.  It suddenly seems like this is being made into a bigger deal than it really is.  That said, I'm really glad that lingering doubts about our intentions are dissipating.   

Cardspace in the enterprise – part .001

Joris Evers at CNET wrote a piece that captures my presentation to the recent Digital Identity World. 

In a session called “Understanding Cardspace in the Enterprise”, Patrick Harding from Ping Identity went through a series of use cases and scenarios at a very practical and convincing level, and then Ashish Jain gave an amusing and clear demo of how Active and Passive technologies could be used together to solve the Enterprise's identity problems.  I'll try to get links to those presentations for the blog.

To build on this at a more theoretical level, I talked about where all of this is going within a longer term perspective, and in terms of fundamental dynamics. 

The main idea I tried to convey was that if we made access control natural and easy enough that everyone could control it – and understand it – we wouldn't need to delegate nearly as much to layers of professional configuration experts as we do today. 

That isn't to say there shouldn't be corporate oversight or purely automated systems, but if the technology works well enough, oversight can be done as it is in other fields – by setting behavioral procedures and auditing them.

One thing that Joris didn't pick up on – it seems I wasn't clear enough about it – is that I'm not saying we solve all these problems in Vista.  

We make big strides with information cards, but need to get the access control side of things up to the same standard in terms of visualization and natural interface.  So I hope everyone understands I was expressing a vision that we could begin discussing, not doing a sales pitch for a specific product.

By using technology known as Windows CardSpace, formerly code-named InfoCard, individuals in an organization could grant access to outsiders without having to involve the IT department, Kim Cameron, identity and access architect at Microsoft, said in a presentation Wednesday at the Digital ID World Conference here.

“The main role of information cards in the enterprise is to devolve access control to the resource owners,” Cameron said. “Setting access control policies becomes a naturalistic and intuitive and visual process.”

With today's systems, granting a third party access to a corporate resource has become fraught with red tape, stifling business, Cameron argued. With CardSpace, owners of certain information resources at an organization can easily unlock those to specific outsiders by making their own risk assessment, he said.

“My belief is that trust is local,” Cameron said. “Make the granting of access easy enough so that users can do it, albeit under adult supervision.”

Layers of bureaucracy have arisen from the lack of efficiencies in today's identity management technologies, Cameron said. Typically, any kind of access control is handled by a specific department in an enterprise because the technology is very complex, he said.

“Business people can't actually do directly the kinds of things that they want because it is too hard,” Cameron said. “If we continue to organize this by doing it all in a centralized, bureaucratic way, then you end up with solutions that are increasingly complex.”

CardSpace is a component of the Microsoft .NET Framework version 3.0, which was formerly called WinFX. Microsoft has been promoting the technology as a way to make using digital identities easier and safer and replace username and password as the means of verifying identity on the Internet.

Microsoft envisions the use of CardSpace and granting access in Windows Vista to be as simple as using a word processor. Vista, the successor to Windows XP, is due to be broadly available in January.  (Kim's note:  this is where I want to make it clear that making access control as simple as we've made identity assertion still requires a lot more research.)

“Nowadays nobody has to go and learn how to do word processing; everybody knows how to do it. That is the kind of approach that will allow us to really have secure controlled access that works for business purposes,” Cameron said.

Microsoft patent non-assertion covenant is remarkable

David Berlind at ZDNet has an interesting analysis:

Microsoft has issued a declaration — something it calls the Open Specification Promise — that it won't assert certain Web services patents it holds (or may hold in the future). Martin Lamonica reports:

Microsoft is pledging not to assert its patents pertaining to nearly three dozen Web services specifications–a move designed to ease concerns among developers by creating a legal environment more friendly to open-source software….The software giant published on Tuesday the Microsoft Open Specification Promise (OSP) on its Web site.

This isn't the first time that Microsoft has moved its intellectual property in the open direction (along a spectrum of closed to open), particularly when it pertains to something like Web services that's so fundamental to technology. But in many such cases, there were enough strings attached to keep open source developers from making use of Microsoft's IP even though it was being made available in some open context.  Some of Microsoft's anti-spam technologies come to mind. The licensing language for Microsoft's Office Open XML document format has gone through several iterations over the last two years, each one more open-friendly than the last.  But in this case, Microsoft cut to the chase.  Even Larry Rosen, the open source lawyer that wrote the book on open source licensing, has given the OSP his blessing.  While Microsoft is refraining from directly addressing the open source-angle, Lamonica wrote:

Lawrence Rosen, an open-source software lawyer at Rosenlaw & Einschlag in Northern California, gave open-source developers a green light to work with the Web services standards…. “This OSP enables the open-source community to implement these standard specifications without having to pay any royalties to Microsoft or sign a license agreement. I'm pleased that this OSP is compatible with free and open-source licenses,” Rosen said in a statement on Microsoft's OSP site.

Another sign of acceptance could also be the silence (as of the time I published this blog) from two of the more vocal bloggers when it comes to vetting the openness of Microsoft's announcements. From his blog, IBM's vice president of standards and open source Bob Sutor offered none of his own commentary and instead only linked to two stories about the move: one the aforementioned News.com story by Martin Lamonica and the other a review of the move by intellectual property lawyer Andrew Updegrove (who also serves as counsel to OASIS — the consortium under which a lot of the Web services specifications development takes place). Sun's chief open source officer Simon Phipps has yet to post anything to his blog. Both men are customarily very fast to expose what they view as smoke or mirrors in Microsoft's intellectual property-related announcements. That's not to say such analyses aren't forthcoming. For all I know (I haven't contacted either of them yet), lawyers from both companies could be poring through the documentation right now, looking for red flags to make hay about.

Royalties (payments that developers must make to patent or copyright holders) are complete dealbreakers when it comes to deciding whether something is open or closed. But what few people know is that signing a license agreement, even if the technology in question is royalty-free, is another.  Requiring the signed execution of license — known as “privity” in lawyer-land — flies in the face of open source because open source allows for sublicensing (the ability to take code that was licensed to you and pass it on without going back to the licensor for permission). 

Users and developers need only agree to the license terms that come packaged with open source code. They don't have to send a signed document back to the licensor. In fact, Microsoft's privity requirement when it comes to its CallerID antispam technology was (and still is, if you ask me) the key stumbling block to the creation of an Internet anti-spam standard. Amongst those originally charged with investigating the possible creation of such a standard, the open source-“brained” technologists walked away from the initiative when Microsoft's licensing restrictions — mainly the privity requirement — came to light.

All this said, Microsoft's motives for declaring the OSP are relatively transparent. In fact, Microsoft came right out and said as much. Again, according to Lamonica:

In an FAQ on the OSP page, Microsoft said that the move is designed to get more people to use Web services protocols–a set of XML-based standards meant to make products from different vendors work well together…. “It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever,” according to the FAQ.

Microsoft, I believe, is being very practical about its future here.  Looking at the .NET net architecture that the company has so heavily invested in — an architecture that's more about Web services than it is anything else — it is absolutely critical for the software giant to get its fair share of the next wave of IT spending, a lot of which will have to do with Web services and componentized software. If intellectual property rights in any way shape or form slow down the adoption of Web services, then everybody in the Web services ecosystem, Microsoft included, loses.  By taking this high road, Microsoft is recognizing that if the Web services ecosystem is allowed to flourish, that the resulting slice of the pie it gets (others will get their slices too) will be far larger than the entire pie it might have been entitled to had it kept its patents to itself.

More importantly, the issuance of this non-assertion covenant is a signal from Microsoft that it is quite prepared to change its colors and its cultures. Provided there are no gotchas (and Larry Rosen's endorsement is usually a pretty good sign there aren't), this is a new Microsoft.  One I really haven't seen yet. One I'm sure the industry will be looking forward to seeing more of.

Sun's Simon Phipps has now posted about the Promise, and he mentions that I didn't send a heads-up email that would have allowed him time to think about the announcement in depth before it was made.  Simon, I really apologize.  This was far from my intent – it was a question of neither hand knowing what the other wasn't doing.  And of the general turbulence of being at DIDW.  So I promise it won't happen again, and look forward to meeting you in person.

In light of this, it's a mark of Simon's magnanimity that his comments were generally very positive.  He made some technical points that can really only be decoded by legal experts – so I will pass them along.

Ben Laurie responds to OSP

Ben Laurie, a major contributor to internet security through his work at Apache, and now at Google, is generally positive about OSP but has questions:

“Kim Cameron announced that Microsoft are making it possible for anyone to implement Infocard-compatible systems (and other systems that depend on the same protocols), via the Open Specification Promise.

“First off, let me say that this is a huge step forward – there’s been a great deal of uncertainty around WS-* and friends because of the various patents various companies own. Microsoft taking this step definitely helps.

“But, there are some details that worry me – firstly I am curious why Microsoft have taken the approach of this promise rather than an explicit licence. I’ve talked to various lawyers about it, and the general feeling I get is that they’d be more comfortable with a licence, but they can’t point to anything obviously wrong with the promise approach.”

So I need to make it absolutely clear that if anyone feels more comfortable with a RANDZ (Reasonable and Non-Discriminatory Zero Royalty) License rather than the Open Specification Promise, Microsoft will be happy to provide them with one.  The goal was simply to provide a simple, clear alternative for those who wanted one.  Ben continues:

“Secondly, there’s this definition:

“’Microsoft Necessary Claims’ are those claims of Microsoft-owned or Microsoft-controlled patents that are necessary to implement only the required portions of the Covered Specification that are described in detail and not merely referenced in such Specification. ‘Covered Specifications’ are listed below.

“(my italics). Now, I’ve implemented a lot of software from protocol specifications, and there are two things that are extremely common:

  • “The specifications include many optional parts. These parts will not be covered by Microsoft’s promise.
  • “The specifications reference other specifications for vital parts of their implementation. These parts will not be covered by Microsoft’s promise.

“Now, exactly what effect these considerations have on Microsoft’s promise and implementations of WS-* et al is something I have not had the time or energy to assess – perhaps others with more intimate knowledge of the specs could help me out there? I’d love to hear that, in fact, this is a non-problem.”

It may help to recall what Standards Guru Andy Updegrove says about the phrase “…that are described in detail and not merely referenced in such Specification….”:

“While not usually phrased in this fashion, this is a common limitation intended to clarify that, for example, other standards that may be referenced, or so-called “enabling technologies,” the use of which would be required to use an implementation (e.g., the computer upon which the software is running) are not included.”

But I do understand Ben's question about the required versus optional parts of a specification and will ask our legal people to clarify. 

Ben's next point:

“Another factor to consider is that (as I understand it) Microsoft are not the only people with IP around these standards. Will everyone else be so generous with their IP? Microsoft don’t care, of course, because they have the usual patent mutually assured destruction – but those of us with smaller patent portfolios are not so fortunate.”

So, as always, I guess I’m an optimistic cynic.

Incidentally, another thing Kim has talked about several times is Microsoft allowing exact copies of their user interface. I’m in two minds whether it’s a good idea to copy it, but this promise doesn’t cover the UI, as far as I can see. I wonder when that piece will be forthcoming?

I really want to make it clear that I have never suggested I would ask Microsoft to allow people to make “exact copies” of our user interface.  And in fact, no one has ever asked to be able to do this.

What we want to be able to do is create a “ceremony” that is recognizable across platforms.  I'm talking about the equivalent of using a steering wheel and brakes in a car.  All cars have them, so even if we like a particular type of car, we can get in another one and drive it.  This doesn't mean the cars are “exact copies” of each other, or even that the steering wheel and brakes look or feel identical. 

As Novell's Dale Olds put it at DIDW, we are talking about sharing a predictable sequence of experiences, not cloned screens.  So in this sense, I think everyone shares Ben's “two-minds” thinking.

First Information Cards for Safari

One of the best moments of the DIDW show, for me, came when Ian Brown, an old friend of Chuck Mortimore, showed us his Identity Selector for Safari.

If you don't know Chuck, he single-handedly wrote a Java-based InfoCard Identity Selector that runs inside Firefox on almost any platform.  He gave me a copy, helped me install it on my computer, and it all just works.

Later I'll do a screen capture of Chuck's work since I can run it on my own machine.

But I don't currently have a Mac – so Ian succumbed to my goading and put together a little video so you could see what he's working on.

That's such good news.  As he says, “For the faint of heart, or for those running those other operating systems, here's a short screencast of the Safari identity selector in action, authN'ing against Kim Cameron's RP…”

Meanwhile, here's what he says about the actual plugin:

This is currently still at the proof of concept stage, and is lacking most of the features found in the official CardSpace selector from Microsoft. At present, only a single self-asserted card can be selected. The “selector” will currently pull the logged in account's personal information from the AddressBook application, and allow you to use that AddressBook entry as a self-asserted InfoCard with various RPs. It should work with existing installs of Safari, and with most relying parties.

The plug-in itself is a wrapper around Chuck Mortimore's Java implementation of an InfoCard token generator. For those of you out there using Firefox, check out Chuck's cross-platform Firefox InfoCard selector.

So download the Safari Plug-In below and give it a spin. Send me any feedback at igb at hccp.org

I'll post new releases here as features are added and bugs are fixed.


Currently there are two versions, one for the new Intel-based Apples, and one for the PowerPC-based machines. At some point I'll figure out how to get XCode to generate a Universal Binary. (I suppose the PowerPC build might work on the Intel Macs, that's what Rosetta is all about right? But it hasn't been tested on the Intel arch, so YMMV.)

Intel version
PowerPC version


Installation is pretty simple. After downloading the ZIP file, extract the archive. You should now have a file called InfocardPlugin.bundle. Just copy that to the Library/Internet Plug-Ins directory under your home directory. Restart Safari, and off you go.

Despite Ian's self-deprecating style I think what he and Chuck are doing is amazing.  And it shows what can and will be done.  Meanwhile, Apple People, download Ian's plugin and leave comments on my blog.

Doc Searls on OSP

Doc Searls – true wit, luminary and marketing guru – not to mention Editor of the Linux Journal, on the OSP:

It isn't entirely a joke (or a fair statement) that Microsoft has become a legal department traveling as a software company. Yet there are some upsides. One is that some very smart lawyers at a very large company have had to engage Reality through company technologists brave and determined enough to engage the open source community in constructive collaboration.

With positive results.

That's what has been going on with the corner of Microsoft that has been involved in the Identity Space.

I'm writing this from a room where Microsoft technologists are meeting with friends — and that's what they are now — with Red Hat, Novell, Higgins, XRI/XDI/i-Names and other open source efforts — as well as others from the customer side. They're talking right now about the Microsoft Open Specification Promise. The intention of the promise is to make Microsoft-developed (and -co-developed) technologies completely useful by open source projects. Or maybe by anybody.

I don't have time to write more at the moment. But I'd like to hear what you think. This is original and well-intended work by honorable people who really want the whole market to work, and not just for one company to muscle everybody else.

It's also a beginning. Times are a-changing. Everybody can help with that.

Check out Kim Cameron's IdentityBlog. Follow links there and at Johannes Ernst's blog.

JP Rangaswami on how the OSP “feels”

A number of people have been writing good things about the Open Specification Promise.  The expression of good will speaks volumes about why I continue to love this milieu, and the people in it.

Your personal support in moving our work forward means a lot to Mike Jones and me.

I'm certain it will influence the way events unfold in the future.

Take a look at this piece by JP Rangaswami, author of Confused of Calcutta. I think he expresses what a lot of people are feeling. 

Ambrose Bierce, in The Devil’s Dictionary, defined a cynic as follows:

A blackguard whose faulty vision sees things as they are, not as they ought to be. Hence the custom among the Scythians of plucking out a cynic’s eyes to improve his vision.

Many years later, Albert Einstein defined common sense as “the collection of prejudices acquired by age eighteen”.

As I grow older, I realise that however hard I try to keep an open mind, and to learn, I land up with anchors and frames and perspective-biases that I don’t always know I have. Which means that sometimes I have to work hard to ensure that I don’t lapse insidiously into cynicism.

So you can understand why I had to work very hard indeed when analysing the Microsoft Open Specification Promise that was published yesterday. If you’re interested in the subject, then please do check out Kim Cameron’s blog here, Doc’s piece at IT Garage (where he asks for your opinion as well) and Phil Windley’s blog here, along with Becker and Norlin’s Digital ID World blog at ZDNet.

Microsoft are not known for their pioneering approaches in the opensource world. Identity is one of the three big issues that affects our ability to deliver the promise of today’s technology (the other two are Intellectual Property/Digital Rights and the “internet”, with or without Stevens’ Tubes). A valid solution for identity pretty much needs Microsoft’s support and that of its legions of lawyers.

And so we come to the Open Specification Promise. My early reactions? I think Kim Cameron and his team have done a brilliant job at pulling this off and getting something workable past the lawyers’ cynosure.

If you want to understand it, and don’t particularly feel like wading through “implication, exhaustion, estoppel or otherwise” (and who could blame you?), then skip the legalese and go straight to the Frequently Asked Questions section. I quote from the FAQs:

  • The Open Specification Promise is a simple and clear way to assure that the broadest audience of developers and customers working with commercial or open source software can implement specifications through a simplified method of sharing of technical assets, while recognizing the legitimacy of intellectual property.
  • We listened to feedback from community representatives who made positive comments regarding the acceptability of this approach.
  • Q: Why did Microsoft take this approach?
  • A: It was a simple, clear way, after looking at many different licensing approaches, to reassure a broad audience of developers and customers that the specification(s) could be used for free, easily, now and forever.
  • Q: How does the Open Specification Promise work? Do I have to do anything in order to get the benefit of this OSP?
  • A: No one needs to sign anything or even reference anything. Anyone is free to implement the specification(s), as they wish and do not need to make any mention of or reference to Microsoft. Anyone can use or implement these specification(s) with their technology, code, solution, etc. You must agree to the terms in order to benefit from the promise; however, you do not need to sign a license agreement, or otherwise communicate your agreement to Microsoft.
  • Q: What is covered and what is not covered by the Open Specification Promise?
  • A: The OSP covers each individual specification designated on the public list posted at http://www.microsoft.com/interop/osp/. The OSP applies to anyone who is building software and or hardware to implement one or more of those specification(s). You can choose to implement all or part of the specification(s). The OSP does not apply to any work that you do beyond the scope of the covered specification(s).

We have a long way to go before we can solve all this. We’re not going to solve all this unless we stop acting like cynics. So let’s get behind Kim Cameron on this and see what happens. That’s what I’m going to do.

An aside: Why can’t legal agreements be written like FAQ sections? Is there a law against it?

That's very generous, JP – although in fairness, I want to give the lawyers – from Microsoft as well as the open source world – full credit for getting behind this and making it real.

Friends, let's not stop until we get to the identity big bang.  Let's all keep our concentration.  Let's knock down the wall between us and the coming virtual reality.  Let's make it possible to know who we're dealing with on the Internet – when that is appropriate.  And let's do all this in a way that cradles our privacy.

Phil Windley at DIDW


Phil Windley at ZDNet has been blogging the DIDW conference, and captures a bit of it here:

This evening, at the reception for Digital ID World, someone asked me what I thought of the conference. I've been to every DIDW since it started (5 years now). I realized that the conversations and talks had changed from “won't it be cool when we…” to “this is what we did to…” That's a big change and shows just how far identity, as a concept separate from security, has come.

At the same time, I look around the show floor and other than the usual big names like Microsoft, Novell, and Oracle there are few repeat companies. Ping and a few others have been here from the start, but most seem to come and go. Part of that's because any company that gets successful gets bought by one of the big guys looking to build out their stack.

One of my favorite sessions today was Dave Nikolejsin's presentation on citizen-centric identity. Nikolejsin is the CIO for the Prov. of British Columbia. BC is making real progress building identity systems that have been proofed by in-person visits to government agencies. There are lots of lessons in what BC is doing–not just for other governments, but for any large organization.

The most significant announcement of DIDW was Microsoft's Open Specification Promise. For years, there's been an intellectual property cloud hanging over the OASIS specifications that form a large part of what makes Web services work. Unlike other standards bodies, OASIS doesn't require that technologies built into its specifications be IP-free.

Today's announcement is a huge step by one of the major contributors to the OASIS specifications. Microsoft irrevocably promises not to assert claims against people or companies who distribute products that conform to the specifications. Of course, like any legal agreement, there are terms and conditions. I'm sure some will be waiting to see what isn't there.

Since many of these specifications are at the heart of CardSpace, Microsoft's Internet-scale identity system, the announcement is especially important to other vendors working to interoperate with it. This is also important to Microsoft. If no one builds interoperable identity products for CardSpace, Microsoft will have failed to achieve true Internet-scale identity. Removing the legal threat is an important enabler.

More at Phil's blog here.

Andy Updegrove on the Open Specification Promise

Readers may be interested in Andy Updegrove’s analysis of the Open Specification Promise (OSP).  He published it today on Standards Blog.  I'm not a legal expert but found the discussion interesting.  The Standards Blog “examines how standards are developed, and their impact on business, society, the world, and the future.”  Frighteningly, it tells us there are currently over 1,000,000!

Microsoft has just posted the text of a new patent “promise not to assert” at its Website, and pledges that it will honor that promise with respect to 35 listed Web Services standards. The promise is similar in most substantive respects to the covenant not to assert patents that it issued last year with respect to its Office 2003 XML Reference Schema, with two important improvements intended to make it more clearly compatible with open source licensing. Those changes are to clarify that the promise not to assert any relevant patents extends to everyone in the distribution chain of a product, from the original vendor through to the end user, and to clarify that the promise covers a partial as well as a full implementation of a standard.

I learned about the new covenant from Microsoft yesterday, which provided me an advance copy of the covenant and the FAQ that accompanies it and an opportunity to ask questions about what it is intended to accomplish. I did have a few requests for clarifications that I'll incorporate below which may resolve some of the questions that might occur to you as well.

Overall, I am impressed with the new covenant, and am pleased to see that Microsoft is expanding its use of what I consider to be a highly desirable tool for facilitating the implementation of open standards, in particular where those standards are of interest to the open source community.

By way of general introduction to those not familiar with this type of mechanism, a non-assertion covenant (also sometimes called a “covenant not to sue”, or in this case, a “promise not to assert”) is at minimum a pledge given by a patent owner that someone that implements a standard will not be sued for doing so by the patent owner, subject to certain limitations. In effect, it is similar to the more traditional promise given by companies when they engage in the development of a standard, but with several important differences:

1. Instead of reserving the right to require each implementer to agree to the terms of a license agreement of the patent owner's choosing, the promise is “self-executing,” meaning that the implementer doesn't have to do anything at all, except stay within the conditions of the covenant. Where, as with the new Microsoft promise, it is explicit that no one downstream need obtain a license as well, a key requirement of many of the most popular open source licenses is met as well.

2. Unlike the usual promise to license on RAND (“reasonable and non-discriminatory”) terms, where the terms themselves are almost never made public in advance, and often never at all, all of the terms in a non-assertion covenant are out in the open, and apply equally to all. When such a promise is made before the standard is approved, that's even better, because there has been an increase in the number of disputes lately relating to whether the terms actually offered by a patent owner that has made a simple RAND promise have in fact been reasonable (for more see this blog entry, as well as this one).

Such covenants and promises, when they go far enough, are essential to the implementation of open source software under the most popular open source licenses, and as you'll see from the Microsoft Web page, it has gone to the trouble of consulting with a number of members of the open source community in advance regarding the specific wording of the new promise, and has secured approving quotes from two of them: a commercial customer (Red Hat) and a respected open source authority (Larry Rosen).

Promises and covenants such as the one that Microsoft has announced today have historically been unusual, but have lately been made more frequently, especially after IBM made a well-publicized promise not to assert 500 patents against open source software. Similar promises followed from Sun Microsystems, Nokia and Oracle, among others.

That being said, of course, the specific details of a non-assertion covenant are extremely important, and the wording of each promise made to date by a vendor has varied, sometimes simply to reflect the favorite phrasing of its legal advisors, but often in important ways as well.

With this as an introduction, let's take a look at the new Microsoft promise, both on an absolute as well as comparative basis. Here's what it says, and what I take it to mean:

Microsoft irrevocably promises…

While there are some ongoing issues that relate to all such covenants, and to regular standard setting promises as well (is the promise binding on someone to whom the vendor sells the patent?), the word “irrevocable” is the important one, and represents the desired pledge that the promise may not be later revoked, although the statement might better have been worded “Microsoft irrevocably promises (except as provided below),” because conditions do apply that would void the promise if violated by someone relying on the promise.

…not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation….

As noted earlier, the explicit downstream promise is helpful (Necessary Claims will be defined later in the text). But note that the same conditions apply to those downstream as to the original party.

…to the extent it conforms to a Covered Specification (“Covered Implementation”),…

The new promise relates to 35 standards, and may be extended to others in the future. It appears that the promise is a “base level,” because additional assurances may be added with respect to future versions of the same standard. According to the FAQ that accompanies the new language, the phrase “to the extent” is meant to include partial as well as full implementation of a standard, a grant of rights that goes beyond what many standards organizations require as a pre-condition to a patent owner making its patent claims available to implementers.

…subject to the following. This is a personal promise directly from Microsoft to you, and you acknowledge as a condition of benefiting from it…

While the promise is irrevocable, it is not unconditional. In order to enjoy the benefits, an implementer must accept the terms that follow.

…that no Microsoft rights are received from suppliers, distributors, or otherwise in connection with this promise….

This limitation is actually less important than it might at first seem, since the definition of “Microsoft Necessary Claims” that appears later clarifies that Microsoft is, in fact, also pledging rights under patents that it “controls” as well as owns. Presumably this would include third parties to the extent that it is able to do so under license agreements or other rights granted by third parties as well as with respect to patents owned by controlled subsidiaries of Microsoft, but that would be a good subject for an addition to the list of FAQs.

…If you file, maintain or voluntarily participate in a patent infringement lawsuit against a Microsoft implementation of such Covered Specification, then this personal promise does not apply with respect to any Covered Implementation of the same Covered Specification made or used by you….

This provision goes by a number of names, one of which is “defensive revocation,” and represents an exception to the introductory “irrevocable” promise. It is extremely common in standard setting and can have benefits to all implementers, who may benefit indirectly from the revocation of the rights of use of someone that is bringing infringement suits against other implementers. The addition of the new language that runs down the distribution chain is helpful in the context of open source, since someone that loses its rights will not result in the loss of someone downstream that does not join in the lawsuit.

…To clarify, “Microsoft Necessary Claims” are those claims of Microsoft-owned or Microsoft-controlled patents that are necessary to implement…

The inclusion of “Microsoft-controlled” patents is notable, as not all standard setting organizations require a member to disclose or license such claims. Absent this language, implementers would want to be sure to understand the intellectual property rights (IPR) landscape relating to the standard in question if, for example, it was based upon a submission made by Microsoft that included any third-party rights.

… only the required portions of the Covered Specification…

This is the degree to which the great majority of standards organizations require a commitment. However, in a given case, an implementer needs to be careful to understand how complete a standard may be, and how the standards organization in question defines “required,” which can be more or less extensive, depending upon the organization.

…that are described in detail and not merely referenced in such Specification….

While not usually phrased in this fashion, this is a common limitation intended to clarify that, for example, other standards that may be referenced, or so-called “enabling technologies,” the use of which would be required to use an implementation (e.g., the computer upon which the software is running) are not included.

…“Covered Specifications” are listed below….

To begin with, the 35 listed Web Services standards.

…This promise is not an assurance either (i) that any of Microsoft’s issued patent claims covers a Covered Implementation or are enforceable or (ii) that a Covered Implementation would not infringe patents or other intellectual property rights of any third party. No other rights except those expressly stated in this promise shall be deemed granted, waived or received by implication, exhaustion, estoppels, or otherwise.

This is the standard “boilerplate” language that keeps lawyers happy.

The FAQ provides additional details, although in a few cases, I found that they raised questions rather than resolved them. Here are two with respect to which I requested clarification, and what I learned:

Q: Does this OSP apply to all versions of the standard, including future revisions?   

A: The Open Specification Promise applies to all existing versions of the specification(s) designated on the public list posted at http://www.microsoft.com/interop/osp/, unless otherwise noted with respect to a particular specification (see, for example, specific notes related to web services specifications).

The key word here is “existing,” which in context means “now existing.” The question thus arises, what about future versions of the same standards?

As with traditional standard setting commitments, patent owners are wary about making open-ended promises, since in an extreme case a competitor could seek to extend a standard to describe part of, or all of a product of a patent owner, going far beyond what had been anticipated by the owner at the time that it made its commitment. Although there are differences from organization to organization, typically when a new version of a standard is approved, a member remains bound by so much of the standard as does not change, but is not bound by any new material that is added to it unless it is then a member, and agrees to do so.

And that is what Microsoft is committing to do, when you read the note at the top of the table of standards to which the pledge applies. For a comparison, see the language in the Sun ODF covenant, which is analyzed here.

I also asked about this FAQ, which I found to be rather opaque:

Q: If a listed specification has been approved by a standards organization, what patent rights is Microsoft providing?   

A: We are providing access to necessary claims consistent with the scope of our commitments in that organization.

Would this mean, for example, that if Microsoft had pledged less to a standards organization, that only the lesser pledge would apply? The response was no, just the opposite. The example given was that if a definition of “required portions” was more liberal within a given standards organization than another, in each case, the definition of the applicable organization would control. In other words, the Microsoft promise would incorporate the definition of the standards organization in question. Microsoft would also continue to honor the commitments that it made in any organization of which it was a member, and would therefore continue to provide an actual license, if requested, by any implementer that desired one (as some will), to the extent that it had previously committed to do so.

Exactly how open source friendly is the new language? The FAQ is surprisingly cautious on that score, reading as follows:

Q: Is this Promise consistent with open source licensing, namely the GPL? And can anyone implement the specification(s) without any concerns about Microsoft patents?


A: The Open Specification Promise is a simple and clear way to assure that the broadest audience of developers and customers working with commercial or open source software can implement the covered specification(s). We leave it to those implementing these technologies to understand the legal environments in which they operate. This includes people operating in a GPL environment. Because the General Public License (GPL) is not universally interpreted the same way by everyone, we can't give anyone a legal opinion about how our language relates to the GPL or other OSS licenses, but based on feedback from the open source community we believe that a broad audience of developers can implement the specification(s).

On a first read, this seems pretty modest, and it will be quite interesting to see the reactions that the new language draws. If a given specification is not well detailed and will need lots of work in the future, then the pledge will only work well for so long as Microsoft stays involved with that standard. More significantly, the pledge only relates to “compliant” implementations, which does run afoul of the open source right to change anything. From a standards point of view, that serves a purpose, as it furthers the spread of interoperable implementations, which is what standards are all about. That works well from that perspective, but may leave some open source advocates less happy. Still, nearly all standards obligations are so limited, so to the extent that this limitation is regarded as unfortunate, the same objection could be made against nearly any other vendor as well.

Be that as it may, I think that this move should be greeted with approval, and that Microsoft deserves to be congratulated for this action. I hope that the standards affected will only be the first of many that Microsoft, and hopefully other patent owners as well, benefit with similar pledges.

Note: While I provide legal services to a variety of standard setting organizations (including OASIS, which has set many Web Services standards), the opinions expressed above are mine alone. I have not been consulted by OASIS or any of my other standards clients in connection with the new Microsoft covenant.

Microsoft's Open Specification Promise

Today marks a major milestone for Mike Jones and myself. 

Microsoft announced a new initiative that I hope goes a long way towards making life easier for all of us working together on identity cross-industry.

It's called the Open Specification Promise (OSP).  The goal was to find the simplest, clearest way of assuring that the broadest possible audience of developers could implement specifications without worrying about intellectual property issues – in other words a simplified method of sharing “technical assets”.  It's still a legal document, although a very simple one, so adjust your spectacles:

Microsoft Open Specification Promise

Microsoft irrevocably promises not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification (“Covered Implementation”), subject to the following.  This is a personal promise directly from Microsoft to you, and you acknowledge as a condition of benefiting from it that no Microsoft rights are received from suppliers, distributors, or otherwise in connection with this promise.  If you file, maintain or voluntarily participate in a patent infringement lawsuit against a Microsoft implementation of such Covered Specification, then this personal promise does not apply with respect to any Covered Implementation of the same Covered Specification made or used by you.  To clarify, “Microsoft Necessary Claims” are those claims of Microsoft-owned or Microsoft-controlled patents that are necessary to implement only the required portions of the Covered Specification that are described in detail and not merely referenced in such Specification.  “Covered Specifications” are listed below.

This promise is not an assurance either (i) that any of Microsoft’s issued patent claims covers a Covered Implementation or are enforceable or (ii) that a Covered Implementation would not infringe patents or other intellectual property rights of any third party.  No other rights except those expressly stated in this promise shall be deemed granted, waived or received by implication, exhaustion, estoppel, or otherwise.

Covered Specifications (the promise applies individually to each of these specifications)

Web Services

This promise applies to all existing versions of the following specifications.  Many of these specifications are currently undergoing further standardization in certain standards organizations.  To the extent that Microsoft is participating in those efforts, this promise will apply to the specifications that result from those activities (as well as the existing versions).
WSDL 1.1 Binding Extension for SOAP 1.2
WS-Federation Active Requestor Profile
WS-Federation Passive Requestor Profile
WS-Management Catalog    
WS-RM Policy
Remote Shell Web Services Protocol
WS-Security: Kerberos Binding
WS-Security: SOAP Message Security
WS-Security: UsernameToken Profile
WS-Security: X.509 Certificate Token Profile
SOAP 1.1 Binding for MTOM 1.0    
WS-I Basic Profile
Web Single Sign-On Interoperability Profile
Web Single Sign-On Metadata Exchange Protocol

Note that you don't have to “do anything” to benefit from the promise.  You don't need to sign a license or communicate anything to anyone.  Just implement.  Further, you don't need to mention or credit Microsoft.  And you don't need to worry about encumbering people who use or redistribute or elaborate on your code – they are covered by the same promise. 

The promise is the result of a lot of dialog between our lawyers and many others in the industry.  Sometimes we developers wished progress could have been faster, but these are really complicated issues.  How long does it take to write code?  As long as it takes.  And I think the same notion applies to negotiations of this kind – unless one party arrives at the table with some pre-determined and intransigent proposal.  People on all sides of this discussion had legitimate concerns, and eventually we worked out ways to mitigate those concerns.  I thank everyone for their contribution. 

How have people from various communities reacted to the final proposal?

Lawrence Rosen, the lecturer at Stanford and author of, “Open Source Licensing: Software Freedom and Intellectual Property Law”, said:

“I see Microsoft’s introduction of the OSP as a good step by Microsoft to further enable collaboration between software vendors and the open source community.  This OSP enables the open source community to implement these standard specifications without having to pay any royalties to Microsoft or sign a license agreement. I'm pleased that this OSP is compatible with free and open source licenses.” 

Mark Webbink, Deputy General Counsel at Red Hat, said:

“Red Hat believes that the text of the OSP gives sufficient flexibility to implement the listed specifications in software licensed under free and open source licenses.  We commend Microsoft’s efforts to reach out to representatives from the open source community and solicit their feedback on this text, and Microsoft's willingness to make modifications in response to our comments.”

And from RL “Bob” Morgan, Chair of the Middleware Architecture Committee for Education, and a major force behind Shibboleth:

The Microsoft Open Specification Promise is a very positive development.
In the university and open source communities, we need to know that we can implement specifications freely.  This promise will make it easier for us to implement Web Services protocols and information cards and for them to be used in our communities.

So there it is folks.  I'm impressed that such a short document embodies so much work and progress.