Is OpenID actually Open?

Note: There are updates following this posting

This has troubled me for a few years now…

I just asked the DataPortability group for clarification… but in a nutshell ( and reprinted below )

To-date, I’ve been unable to find any sort of licensing attributed to
the OpenID or oAuth specs.

To the best of my knowledge:
– neither has been explicitly placed in the public domain
– neither has been submitted to IETF, thereby covered by its IP
– neither have released a CC or OSI license with their specs

The only licensing statements I’ve found in OpenID are in regards to a
non-assertation agreement and transfer of copyright to the OpenID
foundation. The foundation uses the goal “The goal is to release
every part of this under the most liberal licenses possible, so
there’s no money or licensing or registering required to play.”
However I see no license on any of the specs, just on the
implementation libraries.

Correct me if I’m wrong here, please… but shouldn’t these projects
have some sort of open licensing on their specs ? Microformats, APML,
XFN, FOAF, RSS all explicity use CC licenses on their specs. RDF is
covered by W3C. OPML has what seems to be a CC-noderivs. XMPP is
covered by the IETF’s IP policy.

Going by US Copyright and Patent standards, copyright is implicit and
technically rests with the authors/foundations; and technologies may
be patented until 1yr from date of initial public disclosure.

So my questions are:
1. Are there hidden open licenses or public domain placements that
I’m just unaware of ?
2. If there are no explicit open licenses on these:
– what does this mean? It’s great that the implementations are
license free, but could they be construed as violations of copyright /
patent / something at a future point ?
– how are two of the most popular ‘Open Standards’ the only two
without any sort of prominent licensing on their specifications ?

Basically, every single OpenStandard out there — even FindMeOn’s OpenSN ( Open Social Network ) and
findmeon node standards , have CC licenses ( usually share-alike, or attribution/no-derivs ), are covered by the IETF’s liberal open IP policies, have some sort of OSI comparable license, or are put in the public domain.

OpenID, and interestingly enough oAuth, have no licenses whatsoever.

Libraries of / implementations of the specs are released under OSI licenses, but the spec’s themselves have no visible licensing terms at-all.

How in the hell did both of these protocols get so popular – and backed by large companies – with nebulous licensing terms?

More importantly, is OpenID actually open?

Update #1: Gabriel Wachob has pointed me to — in which the oAuth authors license the spec in with a CC license. I suggested he migrate that license to their actual website & spec , as every other project does. oAuth is definitively open.

One thought on “Is OpenID actually Open?

  1. Making sure that these technologies are actually open is incredibly important so I’m glad that you’re making sure to hold our feet to the fire around it. I’ve been involved in OpenID since the beginning and have spent a lot of time the past year helping to ensure that OpenID is really both “open” and free to implement by anyone. Obviously there are no guarantees when it comes to IPR, even for every standard from groups like the IETF, rather it is about doing the best that can be done.

    For OpenID we’ve spent time working with a large group of community members — both big and small — to develop an IPR policy and process for OpenID specifications. These are designed to ensure that contributors do not have any hidden patents over finalized specifications. You can learn a bit more about some of this finished work at The current finalized OpenID specifications have been covered by non-assertion agreements executed by various contributors ( as well as all of the companies which are members of the OpenID Foundation’s board. This means that individuals to some of the largest companies on the web have pledged to help ensure that OpenID is free to implement and not encumbered by patents.

    Hopefully this helps provide some insight into what the OpenID community is doing to help fulfill Brad Fitzpatrick’s original statement, “Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.” I’m happy to provide more information, answer other questions, etc as I can.

Leave a Reply

Your email address will not be published. Required fields are marked *