
Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 02 Feb 2015 22:35:52 +0100
Message-ID: <54CFEDB8.3010603@w3.org>
To: Ryan Sleevi <sleevi@google.com>
CC: Siva Narendra <siva@tyfone.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, Brad Hill <hillbrad@fb.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, Lu HongQian Karen <karen.lu@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, POTONNIEE Olivier <Olivier.Potonniee@gemalto.com>, "PHoyer@hidglobal.com" <PHoyer@hidglobal.com>


On 02/02/2015 10:26 PM, Ryan Sleevi wrote:
> On Mon, Feb 2, 2015 at 1:10 PM, Harry Halpin <hhalpin@w3.org> wrote:
> 
>>
>>
>> On 02/02/2015 10:00 PM, Siva Narendra wrote:
>>> Hi Ryan  --- IPR related to GP is dangerous compared to what? FIDO is not
>>> immune to IPR -- is it?
>>>
>>> At least in the case of GP it is mature enough to know who owns what.
>>> According to this document attached (and available online here
>>> <http://fidoalliance.org/assets/downloads/FIDO_IPR_-_Counsel_Approved.pdf>)
>>> it is clear that FIDO is concerned about IPR just as much as any other
>>> standards would be.
>>>
>>> Irrespective, it is precisely this unknown that would make it more
>>> dangerous to limit the web to one protocol with unproven IPR that might
>>> ultimately stifle innovation.
>>
>> Note that as regards both FIDO and GP, W3C Rec-track standardization is
>> a good thing from an IPR perspective and we should not let IPR concerns
>> block the right set of specs being produced.
>>
> 
> Harry,
> 
> My point is not to block, but to merely show that a GP-based system is
> *known* to be explicitly less-friendly towards standardization.
> 
> That is, GP holders can (and do, as noted by that page) hold crucial
> patents for GP and are allowed to assert those, whereas FIDO Alliance
> members expressly grant license to implement FIDO specs.
> 
> 
>> The reason a *Working Group* is useful is due to the stronger patent
>> commits to the charter and final specs once they hit W3C Recommendation
>> status, as relevant patents are bound to be committed by member
>> companies and invited experts to the final document under royalty-free
>> licensing. If not, we have a mature patent exclusion and patent advisory
>> group process I'm sure Wendy and Rigo can describe in detail if needed.
>> It would be problematic to bind to IPR in any normative way, which is
>> one reason the W3C is rather strict with its normative referencing
>> policy - as painful as that makes creating the specs sometimes.
> 
> 
>> A Community Groups offer a much weaker form of IPR protection, which is
>> one reason why a Working Group would be preferred in this space.  As one
>> of the initiators of the Community Group process inside W3C a few years
>> back, I can explain in detail if needed, but effectively it requires
>> only individual level IPR commits, not company wide.
>>
> 
> And given such exploratory, unbounded efforts, which so far have crucially
> misunderstood or maligned core web security features, it would be far
> more useful for a CG to form and explore the space, and then bring forward to WG
> and reveal whatever IPR issues may exist IF and ONLY IF such a proposal can
> sensibly address security.
> 
> However, it's far more important to keep it simple - GP is a
> known-encumbered technology. A proposal that says "We can use GP" is thus
> knowingly encouraging encumbered technology, whose members are not part of
> the WG and may not be bound. FIDO MAY be encumbered, but to the extent that
> it is members of FIDO Alliance, a W3C acceptable RF grant has already been
> made. So the only risk is of external parties, and that risk exists for
> _any_ W3C spec. Unlike GP, which is clearly restricted.
> 

For non-W3C members in FIDO (NokNok comes to mind) and in GP, we have
processes and legally binding agreements to get the proper patent
commits from 3rd-party members. So again, the only block from a patent
perspective is if a non-W3C member in either FIDO or GP didn't join W3C
or fill out the necessary paperwork. We can even start that paperwork
process *now* (as lawyers tend to take a while) by sending both the
relevant parts of FIDO and this new Gemalto submission through the W3C
member submission process.

I'm not sure how useful a CG is if FIDO and Gemalto already have more
mature-ish proposals. The problem is to see how these use-cases can work
together in a way that respects the privacy and security features of the
Web Security Model while also allowing access to user-controlled
hardware tokens that have not been part of the Web yet.  If that wasn't
the case, yes, then a CG would make perfect sense.

Regardless, I think we should assume all parties are operating in good
faith as regards IPR and be aware that W3C has strict, and even tedious
processes here, but we can make it work. I'd like to see the discussion
focus on Brad's points a bit more but try to aim at the Gemalto proposal
in a constructive manner rather than say 'throw proposal away' - as we
do not have any alternative proposals actually on the table formally yet.

  cheers,
     harry
Received on Monday, 2 February 2015 21:36:04 UTC
