OASIS PKCS 11 TC

  • 1.  Groups - PKCS #11 V2.30 header files uploaded

    Posted 05-20-2013 13:48
    Submitter's message HI -

    In association with submission of the PKCS #11 V2.30 specification, RSA submits the PKCS #11 V2.30 header files to the OASIS PKCS 11 Technical Committee. To the best of my knowledge, this contribution does not contain any Essential Claims or claims that might become Essential Claims upon approval of an OASIS Standards Final Deliverable.

    regards,

    Bob Griffin
    RSA, the Security Division of EMC

    Document Name: PKCS #11 V2.30 header files
    Description: PKCS #11 V2.30 header files
    Submitter: Mr. Robert Griffin
    Group: OASIS PKCS 11 TC
    Folder: Working Drafts
    Date submitted: 2013-05-20 06:48:13


  • 2.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 05-30-2013 01:01
    On Mon, May 20, 2013 at 6:48 AM, Robert Griffin <robert.griffin@rsa.com> wrote:
    >
    > Submitter's message
    > HI -
    >
    > In association with submission of the PKCS #11 V2.30 specification,
    > RSA submits the PKCS #11 V2.30 header files to the OASIS PKCS 11
    > Technical Committee. To the best of my knowledge, this contribution
    > does not contain any Essential Claims or claims that might become
    > Essential Claims upon approval of an OASIS Standards Final Deliverable.

    Hi Bob,

    The PKCS #11 V2.30 header files you submitted contain the same license used in the v2.20 header files:

    /* License to copy and use this software is granted provided that it is
     * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
     * (Cryptoki)" in all material mentioning or referencing this software.
     * License is also granted to make and use derivative works provided that
     * such works are identified as "derived from the RSA Security Inc. PKCS #11
     * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
     * referencing the derived work.
     * RSA Security Inc. makes no representations concerning either the
     * merchantability of this software or the suitability of this software for
     * any particular purpose. It is provided "as is" without express or implied
     * warranty of any kind.
     */

    This license is believed to be incompatible with the GPL. As a result, the NSS project is still using PKCS #11 header files derived from an old version licensed to Netscape, and some GNU projects produced their own clean-room version of the PKCS #11 header files.

    As the copyright owner of these header files, RSA is in the best position to re-license the header files. I'd like to request that RSA re-license the header files under the Revised BSD license.

    Thanks,
    Wan-Teh Chang


  • 3.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 05-30-2013 01:44
    (had to extract the email from my spam folder ...)

    On 30/05/2013 11:00 AM, Wan-Teh Chang wrote:
    > This license is believed to be incompatible with the GPL.

    To be more complete in the statement - some people claim that it might be incompatible with the GPL but no one has actually demonstrated how or why this is actually the case and there has been no actual legal view point from anyone who is a lawyer in the open source community.

    The original contributions are made under the normal OASIS terms and if they end up as a group decision included in OASIS specifications they will be covered by the OASIS IPR terms and conditions. For this TC that is RF under RAND - see https://www.oasis-open.org/policies-guidelines/ipr

    This was discussed at length in the lead up to the formation of the technical committee and during the first face to face meeting back in early March.

    And NSS includes the original header files with (and I quote) exactly the same license text (from pkcs11t.h):

    /* License to copy and use this software is granted provided that it is
     * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
     * (Cryptoki)" in all material mentioning or referencing this software.
     * License is also granted to make and use derivative works provided that
     * such works are identified as "derived from the RSA Security Inc. PKCS #11
     * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
     * referencing the derived work.
     * RSA Security Inc. makes no representations concerning either the
     * merchantability of this software or the suitability of this software for
     * any particular purpose. It is provided "as is" without express or implied
     * warranty of any kind.
     */

    So if you feel certain that this is incompatible with the GPL then you'll find that all NSS (and NSPR) derived code is also incompatible - a conclusion you'll find is not something that many would agree with.

    Tim.


  • 4.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 05-30-2013 23:16
    On Wed, May 29, 2013 at 6:44 PM, Tim Hudson <tjh@cryptsoft.com> wrote:
    >
    > On 30/05/2013 11:00 AM, Wan-Teh Chang wrote:
    >> This license is believed to be incompatible with the GPL.
    >
    > To be more complete in the statement - some people claim that it might be
    > incompatible with the GPL but no one has actually demonstrated how or why
    > this is actually the case and there has been no actual legal view point from
    > anyone who is a lawyer in the open source community.

    Thank you for the reply.

    On your reply, I looked into this issue. I compared the license in the PKCS #11 header files with the original BSD license, in particular its advertising clause. Although the first two clauses in the RSA license are similar to the BSD advertising clause in that they say "all material mentioning ...", their requirements are different. The clauses in the RSA license prescribe a proper way to identify the software or derivative work. However, I can see the second clause regarding derivative work may be considered as burdensome.

    > And NSS includes the original header files with (and I quote) exactly the
    > same license text (from pkcs11t.h):
    > [... snipped...]
    >
    > So if you feel certain that this is incompatible with the GPL then you'll
    > find that all NSS (and NSPR) derived code is also incompatible - a
    > conclusion you'll find is not something that many would agree with.

    (Note: NSPR doesn't use the PKCS #11 header files.)

    The PKCS #11 header files in NSS are based on an old version that Netscape got additional rights to, rather than the current version, because of this concern. Perhaps the concern is unfounded, but it has caused extra work for some open source projects. I can only say that using a commonly-used, well-understood open-source license such as the Revised BSD license will save a lot of headaches.

    Wan-Teh Chang


  • 5.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 05-30-2013 23:46
    On 31/05/2013 9:15 AM, Wan-Teh Chang wrote:
    > The PKCS #11 header files in NSS are based on an old version that Netscape
    > got additional rights to, rather than the current version, because of this
    > concern.

    It would be useful to see whatever details exist of the additional rights as this is the first time that I've seen it mentioned and given that nothing is acknowledged in the files you will need to elaborate on that.

    RSA added the text to the v2.11 header files back some time before November 2001 as it is present in revision 1.4 of those files according to the records that I have (that revision information being from the CVS repository that was used for maintaining the versions of the header files internal to RSA).

    Those notes and comments were not in the header files for version 2.10 (January 2000) and the standard itself notes:

    <quote>
    License to copy this document is granted provided that it is identified as "RSA Security Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document.
    </quote>

    I note that the file in the NSS tree for 3.2.1 in nss-3.2.1/mozilla/security/nss/lib/softoken/pkcs11t.h has:

    <quote>
    /*
     * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
     * is granted provided that it is identified as "RSA Security In.c Public-Key
     * Cryptography Standards (PKCS)" in all material mentioning or referencing
     * this document.
     */
    </quote>

    And in the current NSS 3.15 tree in nss-3.15/nss/lib/util/pkcs11t.h has:

    <quote>
    /* License to copy and use this software is granted provided that it is
     * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
     * (Cryptoki)" in all material mentioning or referencing this software.
     * License is also granted to make and use derivative works provided that
     * such works are identified as "derived from the RSA Security Inc. PKCS #11
     * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
     * referencing the derived work.
     * RSA Security Inc. makes no representations concerning either the
     * merchantability of this software or the suitability of this software for
     * any particular purpose. It is provided "as is" without express or implied
     * warranty of any kind.
     */
    </quote>

    So from that quick check your information at the very least is out of date as NSS contains the v2.20 header file copyright text unchanged.

    Summary: the so called problematic text was introduced in v2.11 and this text is contained unchanged in the current versions of NSS.

    Tim.


  • 6.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 06-06-2013 17:01
    On 30.05.2013 03:44, Tim Hudson wrote:
    > (had to extract the email from my spam folder ...)
    >
    > On 30/05/2013 11:00 AM, Wan-Teh Chang wrote:
    >> This license is believed to be incompatible with the GPL.
    >
    > To be more complete in the statement - some people claim that it *might
    > be incompatible* with the GPL but no one has actually demonstrated how
    > or why this is actually the case and there has been no actual legal view
    > point from anyone who is a lawyer in the open source community.

    Here's how I as the maintainer of several open source projects using pkcs11 headers have had to approach the issue:

    The introduction of additional restrictions makes a license incompatible with the GPL. The must-mention-RSA-in-derived-work clause is such an additional restriction. The original 4 clause BSD license had a similar clause, and was not GPL compatible. You can read the FSF's information about that here: http://www.gnu.org/licenses/license-list.html#OriginalBSD

    I have used/installed RSA provided PKCS#11 header files in the open source projects I maintain, and they have not been accepted by the open source community until the licensing issue was rectified. This has happened a couple times to my projects. Thus I now use a reimplementation of the header files provided by the GnuPG project. An additional benefit is that it is a single header file.

    The above may be incorrect in your view, but that does not change the effect that this must-mention-RSA clause has on open source projects using the RSA provided license: With the exception of NSS (which has a complex multiple license scheme), most GPL compatible open source projects currently cannot and/or do not use the RSA provided PKCS#11 header files.

    In order to provide a more substantive answer to this question, I have written licensing@fsf.org on this matter.

    Cheers,
    Stef


  • 7.  PKCS #11 V2.40 header files

    Posted 06-06-2013 17:09
    Hi all -

    I checked with Chet on this -- we'll be using the normal OASIS boilerplate in the header files. I should be able to do a first cut at the v2.40 header file by the end of the weekend (once I get back from this latest trip),

    Regards,
    Bob


  • 8.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 06-06-2013 20:13
    On 7/06/2013 3:00 AM, Stef Walter wrote:
    > The original 4 clause BSD license had a similar clause, and was not
    > GPL compatible. You can read the FSF's information about that here:
    > http://www.gnu.org/licenses/license-list.html#OriginalBSD

    There are two categories of incompatibility in that list - those that are actually incompatible and those which the FSF or more accurately Richard Stallman simply don't want you to use because the original acknowledgement is considered "obnoxious". In practical terms, you have to actually see the "a module covered by the GPL and a module covered by the LICENSE_NAME cannot legally be linked together" in items in that list to locate something actually being claimed by the FSF as legally incompatible rather than philosophically incompatible.

    Read through http://www.gnu.org/philosophy/bsd.html and also do note the conflicting statements at http://www.gnu.org/licenses/gpl-faq.html#OrigBSD which offers a different view point on the topic as well.

    Those same pages also list that you simply cannot have a non-free driver with a Linux kernel and contain piles of information about linking approaches and what is considered okay and not okay which are interpretations to support a philosophical viewpoint noted as not supported by the actual license text.

    There is a substantial difference you get between the advice from the FSF legal team and the "political team" in this and many areas.

    As always, seek legal advice from an appropriately qualified lawyer - I doubt there are any on this mailing list.

    However I think you'll find that the new header files will have a different set of text on the front. Whether or not the OASIS text causes problems "However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English." and how that gets reflected into the header files remains to be seen.

    Tim. (veteran of many an email exchange with Richard Stallman and many interactions with IP lawyers).


  • 9.  Re: [pkcs11] Groups - PKCS #11 V2.30 header files uploaded

    Posted 06-07-2013 07:17
    On 06.06.2013 22:13, Tim Hudson wrote:
    > On 7/06/2013 3:00 AM, Stef Walter wrote:
    >> The original 4 clause BSD license had a similar clause, and was not
    >> GPL compatible. You can read the FSF's information about that here:
    >> http://www.gnu.org/licenses/license-list.html#OriginalBSD
    >
    > There are two categories of incompatibly in that list - those that are
    > actually incompatible and those which the FSF or more accurately Richard
    > Stallman simply don't want you to use because the original
    > acknowledgement is considered "obnoxious". In practical terms, you have
    > to actually see the "a module covered by the GPL and a module covered by
    > the LICENSE_NAME cannot legally be linked together" in items in that
    > list to locate something actually being claimed by the FSF as legally
    > incompatible rather than philosophically incompatible.
    >
    > Read through http://www.gnu.org/philosophy/bsd.html and also do note the
    > conflicting statements at

    The above offers opinions on the Original BSD license (with advertising clause) when used as a license on its own. It does not conflict with:

    > http://www.gnu.org/licenses/gpl-faq.html#OrigBSD which offers a
    > different view point on the topic as well.

    The above is about using the Original BSD license (with advertising clause) together with GPL software, and outlines incompatibility. It is indeed this second item that causes people to reject the RSA PKCS#11 headers for use together with GPL software.

    > There is a substantial difference you get between the advice from the
    > FSF legal team and the "political team" in this and many areas.

    Again, as noted before, when there is legal ambiguity most of the open source community simply rejects the code/headers in question, and routes around the problem. Is this sometimes unnecessary? Perhaps.

    You can see this in action here, whether you think it's silly or not: http://en.it-usenet.org/thread/11873/7499/

    > As always, seek legal advice from an appropriately qualified lawyer - I
    > doubt there are any on this mailing list.

    We might do this as a Technical Committee (although waiting for Robert's reworked headers is appropriate here).

    For better or for worse open source development is organic like evolution. There is rapid mutation, spawning, death of projects, and so on. To expect every new open source project that somehow wants to use a PKCS#11 header to consult a lawyer ... it's just not going to happen. Instead what open source does is try to avoid the possible problems with the licensing, (eg: in the RSA PKCS#11 headers), and use other unencumbered re-implementations.

    If this Technical Committee wants to provide header files that are usable by everyone (well nearly everyone, there are always outliers), then we should try to make the license as compatible and unambiguous as possible. If it is a non-goal to make the headers usable by a broad audience, then we can ignore this issue. It's just one more (albeit minor) bump in the road towards wider PKCS#11 adoption.

    Once again ... it's not about what the lawyers say, it's about what people actually do when faced with the issue. Different lawyers often say completely different things especially when they practice in different jurisdictions. I am not here to seek or offer legal advice, merely to point out what actually happens in the real world (well the open source part of the real world, heh) when an attribution clause is present in an otherwise liberal license.

    > However I think you'll find that the new header files will have a
    > different set of text on the front. Whether or not the OASIS text causes
    > problems "However, this document itself may not be modified in any way,
    > including by removing the copyright notice or references to OASIS,
    > except as needed for the purpose of developing any document or
    > deliverable produced by an OASIS Technical Committee (in which case the
    > rules applicable to copyrights, as set forth in the OASIS IPR Policy,
    > must be followed) or as required to translate it into languages other
    > than English." and how that gets reflected into the header files remains
    > to be seen.

    Yes, will be interesting. I'm waiting to see what that'll look like.

    Cheers,
    Stef