... personal wiki, blog and notes
Patent Status of XML-Signature etc
I found out yesterday that WS-Security has patent/license problems which make it difficult to use in a GPL environment. That got me worried about NDG security. We depend on (or will depend on) three pieces of technology
PKI X509 certificate handling (and signatures), and
our Attribute Certificates.
Taking these one at a time.
What is the patent/license status of XML-signature? It's a W3C standard which is a Good Thing (TM), but that doesn't guarantee much. What the W3C knows is summarised here, but probably the best summary of the status appears as a comment on the patent status of xml-signature by Joseph Reagle (the W3C co-chair) which because it's so relevant I'll repeat in it's entirety:
Unfortunately, it's difficult for the patent status of anything to be very clear. (It's like proving a negative: God doesn't exist.) The only clear patent status IMHO is one that has been upheld in court or otherwise considered uncontestable, and it's license has been publically excercised by many implementors.
Regardless, there are a few ambigous statements from a few years back that folks should be aware of, but I'm not personally aware of any specific claims of infringement or licenses with respect to the 12+ implementations.
PKI. Well, ideally we'll concentrate on using OpenSSL, which has a useful FAQ on the topic of GPL and patents and OpenSSL. The key points are that
OpenSSL itself is not a problem, but the various algorithms it uses are patent encumbered (as described in the README). In principle however, we can always change the actual agorithm we use.
The GPL issue is ok on linux systems, but in case of other O/S it is summarised with this:
If you develop open source software that uses OpenSSL, you may find it useful to choose an other license than the GPL, or state explicitly that "This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed." If you are using GPL software developed by others, you may want to ask the copyright holder for permission to use their software with OpenSSL.
Finally, our attribute certificates are just XML documents which describe our own security policies. I don't think anyone elses patent could affect that. However, since we talked about migrating to SAML at one point, so an interesting question would be what would happen if we migrated to SAML to encode our attribute certificates (why we should do this is another question that needs an answer that I can't give - because I haven't one, but people keep telling me we should) ...
The situation for OpenSAML seems somewhat more unclear, and I'll probably need to follow it up at some point, but meanwhile it seems like apache binned OpenSAML because of patent issues, but on the other hand the Shibboleth team seem happy with the patent license that would be granted for them (see the attachment on the previous link), and presumably we could get the same (perpetual terms that appear to allow the delegation of authority to use). Fortunately, SAML isn't on the agenda yet, so we don't need to go there ...