No doubt Eran Hammer-Lahav relished announcing the conclusion of the arduous IPR process for OAuth with the addition of a licensing statement now found on the specification, signed by AOL, Citizen Agency, Google, Ma.gnolia, Pownce, Six Apart, Twitter, Wesabe, Yahoo!, and the individual contributors:
Specifications are tricky creatures. On their own, they are only copyrightable. But on their own they are also not very interesting. Their value is in their implementations, and those are subject to patents. If you have been following the tech world over the past couple of year, you know that patents can be very risky to developers. The problem is that in order to implement specifications, the developer usually has to write code that uses some existing patents. It is practically impossible to know which patents are involved, but at a minimum, the developers need to know that the people who wrote the specification are not going to sue them.
Over the past 8 months we have been working to obtain the necessary protections for the community, to be able to freely implement the OAuth Core 1.0 specification without any fear of being sued by any of the people involved (or their employers). Unlike specifications done in standard bodies where Intellectual Property Rights (IPR) are established ahead of time and set the scope and terms of the work, community specifications start with ideas and goodwill. This is a fundamental difference and a requirement for future community work. The need for the Open Web Foundation grew out of the frustration of communities like OAuth and OpenID having to go through hell to obtain these legal protections. In the next few months, the Open Web Foundation will offer tools and help communities avoid this painful process and focus on writing good specifications, not legal contracts.
Some of you will notice the new addition to the OAuth specification – the License section! A short paragraph detailing the licensing terms of the specification and providing links to the legal agreements. That short addition took hundred of hours and the dedication of many individuals and companies. Guaranteeing the open availability of this work is critical for small and large companies alike. Not everyone cares about this the same way and there are already implementations of OAuth out there. IPR risk is something very specific to each company and its culture, but this effort will help provide equal access to this important building block. It is not absolute protection – there is no such thing – but it is pretty good!
The community owes Eran, Gabe Wachob, DeWitt Clinton, David Recordon, Larry Halff, and Shreyas Doshi a great debt of gratitude for their hard work ensuring that the future of OAuth remains open and unencumbered.
