I disagree with one aspect of Justin's characterization of the history of the
spec and have data to back up my disagreement. The OpenID Connect Dynamic
Registration Specification was not based on draft-ietf-oauth-dyn-reg-00 or the
UMA specification. It was created independently by John Bradley in June 2011
based upon OpenID Connect working group discussions that predated
draft-ietf-oauth-dyn-reg-00, and for which there are working group notes
documenting the OpenID Connect working group decisions prior to the IETF -00
draft. Yes, there's plenty of evidence that the IETF -01 draft copied text
from the early OpenID Connect draft (including in the change history), but the
Connect authors were careful to follow the OpenID Foundation's IPR process and
not incorporate contributions from third parties who hadn't signed an OpenID
IPR Contribution Agreement stating that the OpenID Foundation was free to use
their contributions. (This fills the same role as the IETF Note well, but with
a signed agreement, and ensures that all developers can use the resulting
specifications without IPR concerns based on IPR that may be held by the
contributors.) The OpenID Connect Dynamic Registration draft didn't copy from
the UMA draft or the IETF draft derived from it, so as to maintain the IPR
integrity of the OpenID document. The copying all went in the other direction.
If portions of the UMA draft remained from -00 in the current drafts, I'd be
fine with the UMA attribution, but in practice they don't. The UMA content was
replaced with the OpenID Connect content. (I believe that eventually UMA
decided to drop their old draft and move to registration mechanisms that were
compatible with Connect as well, and stopped using their previous registration
data formats.)
-- Mike
-----Original Message-----
From: Justin Richer [mailto:[email protected]]
Sent: Wednesday, July 16, 2014 4:53 AM
To: Hannes Tschofenig; Mike Jones; [email protected]
Subject: Re: [OAUTH-WG] Dynamic Client Registration: IPR Confirmation
I like the idea of adding some of the text in the introduction, as I agree the
compatibility is an important (and hard-won) accomplishment. I think taking
Mike's text, expanding it, and putting it in the introduction might serve the
overall purpose just fine:
Portions of this specification are derived from the OpenID Connect Dynamic
Registration [OpenID.Registration] specification and from the User Managed
Access [UMA] specification. This was done so that implementations of these
three specifications will be compatible with one another.
These are both informative references, so we can reference the ID for UMA.
-- Justin
On 7/16/2014 7:44 AM, Hannes Tschofenig wrote:
> Interesting background information. Maybe we should then extend the
> note Mike provided to also clarify the relationship with the UMA work
> (both in terms to IPR, copyright, and attribution-wise).
>
> It would also make sense to state the relationship in the introduction
> to highlight the compatibility, which I believe is a big accomplishment.
>
> Ciao
> Hannes
>
> On 07/16/2014 01:41 PM, Justin Richer wrote:
>> I thought I had sent this note already, but I don't see it in the
>> archives or in my 'sent' folder:
>>
>> If we're going to point to OpenID Connect (which I'm fine with), then
>> we should clarify that portions were also taken from the UMA specification.
>> In fact, draft -00 actually *was* the UMA specification text entirely.
>> This is also what the OpenID Connect registration specification was
>> (loosely) based on when it was started.
>>
>> In reality, the relationship between these three documents from three
>> different SBO's is more complicated: they all grew up together and
>> effectively merged to become wire-compatible with each other. There
>> were a number of changes that were discussed here in the IETF that
>> OpenID Connect adopted, and a number of changes that were discussed
>> at OIDF that were adopted here. OIDC also extends the IETF draft with
>> a set of OIDC-specific metadata fields and editorial language that
>> makes it fit more closely in the OIDC landscape, but make no mistake:
>> they're the same protocol. In the case of UMA, it's a straight
>> normative reference to the IETF document now because we were able to
>> incorporate those use cases and parameters directly.
>>
>> The trouble is, I'm not sure how to concisely state that all that in
>> the draft text, but it's not as simple as "we copied OpenID", which
>> is what the text below seems to say.
>>
>> -- Justin
>>
>> On 7/16/2014 6:17 AM, Hannes Tschofenig wrote:
>>> Thanks, Mike.
>>>
>>> This is a useful addition and reflects the relationship between the
>>> two efforts.
>>>
>>> Please add it to the next draft version.
>>>
>>> Ciao
>>> Hannes
>>>
>>> On 07/15/2014 09:46 PM, Mike Jones wrote:
>>>> So that the working group has concrete language to consider,
>>>> propose the following language to the OAuth Dynamic Client Registration
>>>> specification:
>>>>
>>>>
>>>>
>>>> Portions of this specification are derived from the OpenID Connect
>>>> Dynamic Registration [OpenID.Registration] specification. This was
>>>> done so that implementations of this specification and OpenID
>>>> Connect Dynamic Registration can be compatible with one another.
>>>>
>>>>
>>>>
>>>> --
>>>> Mike
>>>>
>>>>
>>>>
>>>> *From:*OAuth [mailto:[email protected]] *On Behalf Of *Mike
>>>> Jones
>>>> *Sent:* Tuesday, July 08, 2014 7:15 PM
>>>> *To:* Phil Hunt; Hannes Tschofenig
>>>> *Cc:* Maciej Machulak; [email protected]
>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration: IPR
>>>> Confirmation
>>>>
>>>>
>>>>
>>>> Thinking about this some more, there is one IPR issue that we need
>>>> to address before publication. This specification is a derivative
>>>> work from the OpenID Connect Dynamic Registration specification
>>>> http://openid.net/specs/openid-connect-registration-1_0.html.
>>>> Large portions of the text were copied wholesale from that spec to
>>>> this one, so that the two would be compatible. (This is good thing
>>>> – not a bad
>>>> thing.)
>>>>
>>>>
>>>>
>>>> This is easy to address from an IPR perspective – simply
>>>> acknowledge that this spec is a derivative work and provide proper
>>>> attribution. The OpenID copyright in the spec at
>>>> http://openid.net/specs/openid-connect-registration-1_0.html#Notice
>>>> s allows for this resolution. It says:
>>>>
>>>>
>>>>
>>>> Copyright (c) 2014 The OpenID Foundation.
>>>>
>>>> The OpenID Foundation (OIDF) grants to any Contributor, developer,
>>>> implementer, or other interested party a non-exclusive, royalty
>>>> free, worldwide copyright license to reproduce, prepare derivative
>>>> works from, distribute, perform and display, this Implementers
>>>> Draft or Final Specification solely for the purposes of (i)
>>>> developing specifications, and (ii) implementing Implementers
>>>> Drafts and Final Specifications based on such documents, provided
>>>> that attribution be made to the OIDF as the source of the material,
>>>> but that such attribution does not indicate an endorsement by the OIDF.
>>>>
>>>> Let’s add the reference and acknowledgment in the next version.
>>>>
>>>>
>>>>
>>>> --
>>>> Mike
>>>>
>>>>
>>>>
>>>> *From:*Mike Jones
>>>> *Sent:* Tuesday, July 08, 2014 10:06 AM
>>>> *To:* Phil Hunt; Hannes Tschofenig
>>>> *Cc:* John Bradley; Justin Richer; Maciej Machulak; [email protected]
>>>> <mailto:[email protected]>
>>>> *Subject:* RE: Dynamic Client Registration: IPR Confirmation
>>>>
>>>>
>>>>
>>>> I likewise do not hold any IPR on these specs.
>>>>
>>>> -------------------------------------------------------------------
>>>> -----
>>>>
>>>> *From: *Phil Hunt <mailto:[email protected]>
>>>> *Sent: *7/8/2014 9:11 AM
>>>> *To: *Hannes Tschofenig <mailto:[email protected]>
>>>> *Cc: *Mike Jones <mailto:[email protected]>; John Bradley
>>>> <mailto:[email protected]>; Justin Richer
>>>> <mailto:[email protected]>; Maciej Machulak
>>>> <mailto:[email protected]>; [email protected]
>>>> <mailto:[email protected]>
>>>> *Subject: *Re: Dynamic Client Registration: IPR Confirmation
>>>>
>>>> I confirm I have no IPR disclosures on this document.
>>>>
>>>> Phil
>>>>
>>>>> On Jul 8, 2014, at 4:54, Hannes Tschofenig <[email protected]
>>>>> <mailto:[email protected]>> wrote:
>>>>>
>>>>> Hi Phil, John, Maciej, Justin, Mike,
>>>>>
>>>>> I am working on the shepherd writeup for the dynamic client
>>>>> registration document and one item in the template requires me to
>>>>> indicate whether each document author has confirmed that any and
>>>>> all appropriate IPR disclosures required for full conformance with
>>>>> the provisions of BCP 78 and BCP 79 have already been filed.
>>>>>
>>>>> Could you please confirm?
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
