Open Source Licensing Conflicts and Security Standards (Where Have I Heard This Before?)

If the following story rings a bell, it should. Actually, it should ring several bells. Here's why.


According to InfoWorld, in a story titled Apache faces Web services security spec roadblock, the Apache Foundation wants to include WS-Security, an OASIS standard, in its open source Axis SOAP stack. Microsoft holds patents that read on WS-Security and is willing to license them royalty-free directly to end users as well as to the initial developers, but its license does not allow implementers to pass that license along (to sublicense it) to those who receive products that implement the standard. IBM has reserved similar rights with respect to its own patents that implementations of the standard would infringe.


The first reason this should sound familiar is that in September of last year the IETF shut down its MARID (MTA Authorization Records In DNS) working group, which was developing an e-mail sender-authentication specification. That specification was Sender ID, of which Microsoft was a co-developer. Unfortunately, Microsoft was asserting a similar licensing restriction on its patent claims, to which Apache (among many other open source groups) objected. Much Sturm und Drang followed, with more stops, starts, skirmishes and concessions than it makes sense to cover here. Suffice it to say that neither side was having much fun.


The second controversy this story should call to mind is the simmering dispute over how to reconcile open source licensing terms with those that have historically been tolerable in the world of open standards. That clash reached a high (or low) point earlier this year, when 29 prominent open source advocates sent an open Call to Action letter to OASIS just as OASIS adopted a revised intellectual property rights (IPR) policy intended to be more open source friendly (see the March issue of our Consortium Standards Bulletin, What Does "Open" Mean?). The action called for was a boycott of OASIS standards and process until OASIS amended its IPR policy to the signatories' satisfaction.


What each of these stories highlights is the fact that there are two consensus systems in use today that end users like you and me need to work together productively and efficiently, but which haven't yet fully worked out how to do so. On the one hand, the open source community has a dynamite development and licensing model, and on the other hand, the open standards community has a venerable and useful model of its own, one that enabled the modern technology world that in turn gave birth to the open source model. That traditional model (which applies to every possible product and service domain) permits licensing terms (royalty-bearing licenses, for example, or restrictions on passing a patent license downstream of the kind at issue here) that are unproblematic in other domains, but which are not simpatico with the open source model, which (to date) applies almost exclusively to software.


All would be fine, were it not for the fact that it would be unthinkably inefficient for open source software to have nothing to do with open standards. And, in truth, traditional open standards users would be delighted if open standards required neither licenses nor royalties. But those that develop open standards have simply not been asked in the past by their constituencies to require, in the vast majority of standard setting situations, the same degree of IPR sacrifice that their brethren in the open source world require in every project.


The big divide is between ideology and market forces. Among open source advocates, licensing terms are a matter of principle, while in the open standards community, licensing terms are a matter of pure dollars and cents. If market forces lead towards royalty-free, GNU-style licensing, then those terms will become staples in open software standards. Personally, I believe that it's only a matter of time before this happens, at least in some software areas (and eventually, perhaps, in most). Another way of saying it is that when open source software becomes more important than proprietary software, a tipping point will be passed at which the vendors themselves will demand GNU-style terms even before they are asked to offer them. Many major vendors are already at, or approaching, that point.


So what do those at Apache do while they await the proverbial tipping point? One can expect that IBM, which has placed huge strategic bets on open source, will work things out speedily and amicably with Apache. But what of Microsoft, which, at least superficially, has little reason to do anything to encourage the spread of open source software?

Well, we can still hope for progress there. Why? Here are a few reasons.

First, the world already overwhelmingly relies on Apache servers, and Microsoft isn't likely to spend its resources trying to reverse that reality. Second, Microsoft has had enough bad press over the years regarding security issues, so it will be better off if WS-Security is broadly implemented. Third, there are doubtless numerous benefits that Microsoft expects from WS-Security becoming ubiquitous (with or without the licensing term in question) that should more than offset the concession of dropping the offending term. Also, Microsoft doesn't need any more headaches in open-source-friendly Europe, which continues to press Microsoft on antitrust grounds whenever it can. And finally, Microsoft is spending more and more time setting up joint strategies with historically strange bedfellows such as IBM and Sun, both of which are firmly on the open source bandwagon.


I can't predict the specifics of what will happen next, but I do think that a lot of water has flowed over the dam since this time last year, when the IETF threw up its hands and shut down MARID. If this new situation resolves itself quickly, it will be a sign that the initially clashing open source and open standards gears are starting to grind themselves into an alignment that may, perhaps sooner rather than later, begin to hum.


When that happens, we all win. I’m looking forward to it.