
Re: [W3C Web Crypto WG] Rechartering discussion - Gemalto contribution

From: Siva Narendra <siva@tyfone.com>
Date: Mon, 2 Feb 2015 13:41:06 -0800
Message-ID: <CAJhTYQy7S7X5RxMDfHc0s+Yno==Pp=0y_Cysd3g7_vwOdBrXpA@mail.gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Cc: Ryan Sleevi <sleevi@google.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, Brad Hill <hillbrad@fb.com>, GALINDO Virginie <Virginie.Galindo@gemalto.com>, Lu HongQian Karen <karen.lu@gemalto.com>, Wendy Seltzer <wseltzer@w3.org>, "public-web-security@w3.org" <public-web-security@w3.org>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, POTONNIEE Olivier <Olivier.Potonniee@gemalto.com>, "PHoyer@hidglobal.com" <PHoyer@hidglobal.com>


*Siva G. Narendra Ph.D.*
*CEO - Tyfone, Inc.*
*Portland | Bangalore | Taipei*
*www.tyfone.com <http://www.tyfone.com>*
*Voice: +1.661.412.2233*

On Mon, Feb 2, 2015 at 1:35 PM, Harry Halpin <hhalpin@w3.org> wrote:

> On 02/02/2015 10:26 PM, Ryan Sleevi wrote:
> > On Mon, Feb 2, 2015 at 1:10 PM, Harry Halpin <hhalpin@w3.org> wrote:
> >
> >>
> >>
> >> On 02/02/2015 10:00 PM, Siva Narendra wrote:
> >>> Hi Ryan --- IPR related to GP is dangerous compared to what? FIDO is not
> >>> immune to IPR -- is it?
> >>>
> >>> At least in the case of GP it is mature enough to know who owns what.
> >>> According to this document attached (and available online here
> >>> <http://fidoalliance.org/assets/downloads/FIDO_IPR_-_Counsel_Approved.pdf>)
> >>> it is clear that FIDO is concerned about IPR just as much as any other
> >>> standards would be.
> >>>
> >>> Irrespective, it is precisely this unknown that would make it more
> >>> dangerous to limit the web to one protocol with unproven IPR that might
> >>> ultimately stifle innovation.
> >>
> >> Note that as regards both FIDO and GP, W3C Rec-track standardization is
> >> a good thing from an IPR perspective and we should not let IPR concerns
> >> block the right set of specs being produced.
> >>
> >
> > Harry,
> >
> > My point is not to block, but to merely show that a GP-based system is
> > *known* to be explicitly less-friendly towards standardization.
> >
> > That is, GP holders can (and do, as noted by that page) hold crucial
> > patents for GP and are allowed to assert those, whereas FIDO Alliance
> > members expressly grant license to implement FIDO specs.
> >
> >
> >> The reason a *Working Group* is useful is due to the stronger patent
> >> commits to the charter and final specs once they hit W3C Recommendation
> >> status, as relevant patents are bound to be committed by member
> >> companies and invited experts to the final document under a royalty-free
> >> licensing. If not, we have a mature patent exclusion and patent advisory
> >> group process I'm sure Wendy and Rigo can describe in detail if needed.
> >> It would be problematic to bind to IPR in any normative way, which is
> >> one reason the W3C is rather strict with its normative referencing
> >> policy - as painful as that makes creating the specs sometimes.
> >
> >
> >> Community Groups offer a much weaker form of IPR protection, which is
> >> one reason why a Working Group would be preferred in this space.  As one
> >> of the initiators of the Community Group process inside W3C a few years
> >> back, I can explain in detail if needed, but effectively it requires
> >> only individual level IPR commits, not company wide.
> >>
> >
> > And given such exploratory, unbounded efforts, which so far have crucially
> > misunderstood or maligned core web security features, it would be far
> > more useful for a CG to form and explore the space, and then bring forward to WG
> > and reveal whatever IPR issues may exist IF and ONLY IF such a proposal can
> > sensibly address security.
> >
> > However, it's far more important to keep it simple - GP is a
> > known-encumbered technology. A proposal that says "We can use GP" is thus
> > knowingly encouraging encumbered technology, whose members are not part of
> > the WG and may not be bound. FIDO MAY be encumbered, but to the extent that
> > it is members of FIDO Alliance, a W3C acceptable RF grant has already been
> > made. So the only risk is of external parties, and that risk exists for
> > _any_ W3C spec. Unlike GP, which is clearly restricted.
> >
> For non-W3C members in FIDO (NokNok comes to mind) and in GP, we have
> processes and legally binding agreements to get the proper patent
> commits from 3rd-party members. So again, the only block from a patent
> perspective is if a non-W3C member in either FIDO or GP didn't join W3C
> or fill out the necessary paperwork. We can even start that paperwork
> process *now* (as lawyers tend to take a while) by sending both the
> relevant parts of FIDO and this new Gemalto submission through the W3C
> member submission process.
> I'm not sure how useful a CG is if FIDO and Gemalto already have more
> mature-ish proposals. The problem is to see how these use-cases can work
> together in a way that respects the privacy and security features of the
> Web Security Model while also allowing access to user-controlled
> hardware tokens that have not been part of the Web yet.  If that wasn't
> the case, yes, then a CG would make perfect sense.
> Regardless, I think we should assume all parties are operating in good
> faith as regards IPR and be aware that W3C has strict, and even tedious
> processes here, but we can make it work. I'd like to see the discussion
> focus on Brad's points a bit more but try to aim at the Gemalto proposal
> in a constructive manner rather than say 'throw proposal away' - as we
> do not have any alternative proposals actually on table formally yet.
>   cheers,
>      harry
Received on Monday, 2 February 2015 21:41:53 UTC
