Note: There are updates following this posting
This has troubled me for a few years now…
I just asked the DataPortability group for clarification… but in a nutshell (and reprinted below):
To-date, I’ve been unable to find any sort of licensing attributed to
the OpenID or oAuth specs.
To the best of my knowledge:
– neither has been explicitly placed in the public domain
– neither has been submitted to IETF, thereby covered by its IP
– neither has released a CC or OSI license with their specs
The only licensing statements I’ve found in OpenID are in regards to a
non-assertion agreement and transfer of copyright to the OpenID
foundation. The foundation uses the goal “The goal is to release
every part of this under the most liberal licenses possible, so
there’s no money or licensing or registering required to play.”
However I see no license on any of the specs, just on the
Correct me if I’m wrong here, please… but shouldn’t these projects
have some sort of open licensing on their specs ? Microformats, APML,
XFN, FOAF, RSS all explicitly use CC licenses on their specs. RDF is
covered by W3C. OPML has what seems to be a CC-noderivs. XMPP is
covered by the IETF’s IP policy.
Going by US Copyright and Patent standards, copyright is implicit and
technically rests with the authors/foundations; and technologies may
be patented until 1yr from date of initial public disclosure.
So my questions are:
1. Are there hidden open licenses or public domain placements that
I’m just unaware of ?
2. If there are no explicit open licenses on these:
– what does this mean? It’s great that the implementations are
license free, but could they be construed as violations of copyright /
patent / something at a future point ?
– how are two of the most popular ‘Open Standards’ the only two
without any sort of prominent licensing on their specifications ?
Basically, every single Open Standard out there — even FindMeOn’s OpenSN (Open Social Network) and findmeon node standards — has CC licenses (usually share-alike, or attribution/no-derivs), is covered by the IETF’s liberal open IP policies, has some sort of OSI comparable license, or is put in the public domain.
OpenID, and interestingly enough oAuth, have no licenses whatsoever.
Libraries of / implementations of the specs are released under OSI licenses, but the specs themselves have no visible licensing terms at all.
How in the hell did both of these protocols get so popular – and backed by large companies – with nebulous licensing terms?
More importantly, is OpenID actually open?
Update #1: Gabriel Wachob has pointed me to https://agree2.com/declarations/oauth-non-assertion-covenant — in which the oAuth authors license the spec with a CC license. I suggested he migrate that license to their actual website & spec, as every other project does. oAuth is definitively open.