Starting work on the shibboleth-sp2 packages

Russ Allbery rra at debian.org
Tue Jun 24 19:13:28 UTC 2008


"Scott Cantor" <cantor.2 at osu.edu> writes:

> All of the SAML schemas are from OASIS (pretty much everything in the
> opensaml/schemas directory).
>
> All of them were copied over vebatim from the specifications, and none
> of them generally have an explicit copyright on them. For example, the
> official specification ZIP file here:
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
>
> In the case of the SAML schemas, the SP will simply blow up if they
> aren't present, because basic configuration is always validated right
> now, and it imports some of them.
>
> If this presents a problem, the solution would be to get some kind of
> clarification on the terms.

Hm, at first glance, if OASIS is happy with copying of those parts of the
standard without any copyright notice, I wonder if they consider them
copyrightable.  One could make a strong argument that a schema document
itself is a functional interface specification and hence isn't
copyrightable under US law.

According to the OASIS page, the general copyright for the specifications
themselves is somewhat problematic, but it's not clear if that covers the
schema:

| This document and translations of it may be copied and furnished to
| others, and derivative works that comment on or otherwise explain it or
| assist in its implementation may be prepared, copied, published, and
| distributed, in whole or in part, without restriction of any kind,
| provided that the above copyright notice and this section are included
| on all such copies and derivative works. However, this document itself
| may not be modified in any way, including by removing the copyright
| notice or references to OASIS, except as needed for the purpose of
| developing any document or deliverable produced by an OASIS Technical
| Committee (in which case the rules applicable to copyrights, as set
| forth in the OASIS IPR Policy, must be followed) or as required to
| translate it into languages other than English.

I could argue that excerpting the schemas falls under the above license
grant, but it's not clear that modifying the schemas to develop another
protocol based on SAML would be covered, which would be a problem from the
DFSG perspective.

Has OASIS ever commented one way or the other on your use of the schemas
or on any copyright notices that might be required for them?

The W3C documents were more of a concern because they contain large blocks
of text which is copyrightable in its own right.  The OASIS schemas don't
contain enough English text to be copyrightable independently of the rest
of the schema, only at most brief revision histories, so if the schemas
fall under the interface exception to US copyright law, there probably
isn't a problem.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>



More information about the Pkg-shibboleth-devel mailing list