FYI. Basically, ITU said, get the DHS trademark out, so the ball is back in DHS's court, and ours. I may miss part of Thursday's staff meeting in order to phone into CTI TC and answer questions as needed.

regards Jamie

James Bryce Clark, General Counsel, OASIS Open, setting the standard for open collaboration

---------- Forwarded message ---------
From: Jamie Clark <jamie.clark@oasis-open.org>
Date: Tue, Sep 13, 2022 at 2:29 PM
Subject: Response to STIX and TAXII submission to ITU-T: options and next steps
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Cc: Coderre, Rob <robert.c.coderre@accenture.com>, Darley, Trey <trey.darley@accenture.com>, Kelly Cullinane <Kcullinane@copado.com>, Chet Ensign <chet.ensign@oasis-open.org>, Duncan Sparrell <duncan@sfractal.com>

Dear members of the CTI TC:

As you know, we submitted the OASIS standards STIX v2.1 and TAXII v.2.1 to Study Group 17 of the ITU-T at your request, after we completed our member review process and received no objections. That submission was discussed at the recently-completed semiannual plenary for SG 17. Several of our OASIS experts, including our liaison rep to ITU Duncan Sparrell, were present and participated. The ITU-T has agreed to open a new work item to process the submission. Their official response is attached as a liaison statement (LS).

Objections were raised as a reaction to the unusual trademark reservations associated with the standards, which are summarized below. OASIS and this TC must respond to that communication. They have asked us to continue the discussion by e-mail in the interim between meetings, with the hope to reach resolution well before the end of 2022. Our reply should propose a method for overcoming SG 17's trademark and naming concerns that both reflects your intent and is consistent with our licensing rules.

Essentially, the LS puts the burden back on OASIS to explain how the two parties could reach agreement on a pair of final ITU-T recommendations, before their next meeting in early 2023. This note summarizes the issues, and invites feedback on how we should proceed.

Although SG 17 did agree to work on this issue (and that took some conversation by our liaison reps), they took the relatively unprecedented step of NOT yet agreeing to the current OASIS standard as the baseline text. That change was made at the final plenary as a compromise to allow us to continue without having to start over next year. Also note the ITU LS used different, non-trademarked acronyms ("STIE" and "TAEII") as the work item names.

Normally, OASIS sends such submissions on a "take it or leave it" basis, with the understanding that no substantive changes may be made to the material (so that we're not encouraging forking of our own standards). However, OASIS also normally delivers its specifications free of any third-party claims, other than as are routinely included by operation of our own IPR policy. All of those requirements are set in our liaison and submissions policy, which creates a routine safe harbor approach for "take it or leave it" submissions. However, in this case, that route was unavailable, as the special claims lodged against STIX and TAXII in their initial contributions are outside our normal default rules, and are a sticking point with ITU as well.

As background, the initial contributions of STIX and TAXII to OASIS in 2015 included special reservations from the contributing agency of certain trademark rights and related rights, which normally are not permitted under OASIS rules. (CTI special license linked here: https://www.oasis-open.org/committees/cti/ipr.php ; applicable OASIS rule here: https://www.oasis-open.org/policies-guidelines/ipr/#s5.3 ) OASIS requested that DHS remove the license requirement as a possible bar to broad implementation. When it became clear that the claims could not be quickly resolved and removed by the time of the initial Committee Specification approvals, after some negotiation, we reached agreement with the contributors about how the marks would be used and permitted. Staff advised the OASIS Board in 2016 that, in our view, the arrangement provided sufficient license rights for any party to freely use and implement conformant copies of the works, without licensing obstacles. There also was some urgency felt to the initial releases, in light of imminent requirements for standardized cybersec information sharing requirements. Our Board of Directors agreed, waived the usual ban on embedded trademarks in OASIS standards, and permitted the approvals to go forward, both in their initial and several subsequent versions. At the time, we did discuss the likelihood of some challenges, if the standard was submitted externally in the same form to external bodies.

As you know, this TC developed significantly updated versions in subsequent years, resulting in the JSON-based versions 2.0 and 2.1. Earlier this year, your TC concluded that v2.1 was stable, and adopted a resolution just in time to ask us to send the most recent versions to ITU, as we have. At that time, while ISO policies would have clearly prohibited such a trademark restriction, there appeared to be a wider degree of discretion about the equivalent approach under ITU rules. So, with no agreement about withdrawing the restriction, we submitted the material with the trademark claims still embedded.

The ITU-T Study Group received our submission in time to consider it during its most recent two-week plenary session. Our liaisons there indicated there was some hesitancy from some SG 17 experts to accept an input that would still embed trademark phrases owned by a third-party.
(For clarity's sake, ITU expressed no concern about OASIS' usual reservations of rights, which have been acceptable to ITU-T in many prior similar submissions such as SAML, XACML, and CAP; but rather, only about the special trademark restriction.) SG 17's formal response (as documented in the attached LS), at the end of the session, was to agree to a new work item with modified names (STIE and TAEII), to remove any presumption about using the trademarked names in their official action, and then to ask OASIS if we can remove or resolve those reservations prior to ITU-T taking further action in its next plenary, shortly after the new year.

As we have shared with several of you, we anticipated that possible reaction, and did not find it particularly surprising: any UN body might wish to pause, before endorsing a technical specification, the use of which must be permitted by some single entity in order to be confidently used.

OASIS, in consultation with our Board of Directors, this TC, and the relevant stakeholders, will need to decide how to approach this request. Our options may include the following:

- Negotiate with the original contributors about removal of the trademark license and restrictions, so that no third party trademark claim obstacle remains to the Study Group's hesitancy to proceed.
- Negotiate some kind of paring back of the same license, short of complete removal. We're not yet sure if that approach would address ITU-T's concerns.
- Accept the Study Group's implied suggestion that the name of the works be modified slightly so that there no longer is any question of infringement of the trademarked names. Please note that this would require (a) some clarification about the other effects of the special license, (b) some substantive rewrites in various places, as the word fragments "STIX" and "TAXII" appear throughout both of these works, and (c) resolving issues of equivalence and branding, to confirm that the renamed works would be sufficiently equivalent that our generic licensing rules will still apply.
- Withdraw the submission.

Please note, any decisions made by OASIS and the CTI TC will need enough time to be processed, including management of potential edits, OASIS approval process, and ample time for ITU-T review.

We believe that further conversation will be necessary with several stakeholders, in order to best assess this approach. We'd also be happy to meet with the TC to discuss these issues.

Please give this your thought, with a goal to possibly reaching TC consensus by October. Thanks for your attention.

Respectfully, Jamie

James Bryce Clark
General Counsel
OASIS Open
jamie.clark@oasis-open.org
Setting the standard for open collaboration.

Attachment: sp17-sg17-oLS-00027.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document