Showing posts with label Open Specification Promise. Show all posts

11 March 2010

Microsoft Proves it Can Go Open Source

One of the technologies I am waiting for would allow me to effect transactions without giving over vast quantities of personal data. After all, what companies really need to know are: can I pay, and do I have the necessary qualities (age, residence) I claim to have. They don't need to know a vast range of irrelevant *details* about me.

Such a system exists; it's called U-Prove:

It was put together by respected cryptography researcher Dr Stefan Brands. He created a company to develop and market U-Prove, Credentica, which was bought by Microsoft in March 2008. With U-Prove, identity information can be used securely, and private data can be safely shared to those parties that need it, without leaking more information than is required.

U-Prove allows the creation of secure ID tokens, which are pieces of data that incorporate whatever information I need for a given task—but no more—along with cryptographic protection to ensure that they can't be forged, reused, traced back to me, or linked to other tokens that I have issued.

In a world with U-Prove, many existing identity management problems would go away. If my credit card company and online music service both supported U-Prove, I could create a token that allowed a single limited electronic money transfer from my card to the music company, without disclosing my name, address, or date of birth, and without that token being usable to make further purchases. Similarly, I might want to buy a computer game from an online store, the same situation as before, but this time with a twist: the computer game is rated 18+. So to make the purchase, I have to reveal my age, as well as the money transfer, to the online store. U-Prove lets me do this, but still doesn't require me to reveal my name, address, or any other irrelevant detail.

An hour-long presentation by Dr Brands describes how U-Prove works and how it achieves what it does (with even more detail available in his freely downloadable book). It builds on existing public key cryptography concepts, but adds to them the important ability to hide data. Normal public key cryptography is something of an all-or-nothing affair—to prove that a particular piece of data was encrypted by a particular person, you need to know the data. U-Prove allows that proof to take place without revealing all the data.

This is absolutely brilliant. There's just one problem: you can't use it in practical situations, because it's not widely deployed. And because it's not widely deployed, nobody uses it...

So, how do you break that vicious circle? Easy - you make it freely available to encourage uptake - and that's just what Microsoft has done:

It is for these reasons that Microsoft has released its U-Prove SDK using the open source BSD license. Source code is available in both C# and Java, and the technology is covered by Microsoft's Open Specification Promise. This is an irrevocable promise by Microsoft that the company will not assert any claims against anyone using the technology that relate to any patents covering the technology. By releasing the technology under a permissive license, and by making a legally binding agreement that patents covering the technology will not be used in legal action, the company hopes that there will be no barriers to using the system for both service and identity providers.

It's really great to see Microsoft taking advantage of open source in a *good* way; it's just unfortunate that the accompanying Open Specification Promise has a big loophole that makes it pretty useless for consideration by serious free software projects.

Now, if Microsoft were to place all the relevant patents in the public domain....

Follow me @glynmoody on Twitter or identi.ca.

07 July 2009

Are Microsoft's Promises For Ever?

This sounds good:

I have some good news to announce: Microsoft will be applying the Community Promise to the ECMA 334 and ECMA 335 specs.

ECMA 334 specifies the form and establishes the interpretation of programs written in the C# programming language, while the ECMA 335 standard defines the Common Language Infrastructure (CLI) in which applications written in multiple high-level languages can be executed in different system environments without the need to rewrite those applications to take into consideration the unique characteristics of those environments.

"The Community Promise is an excellent vehicle and, in this situation, ensures the best balance of interoperability and flexibility for developers," Scott Guthrie, the Corporate Vice President for the .Net Developer Platform, told me July 6.

It is important to note that, under the Community Promise, anyone can freely implement these specifications with their technology, code, and solutions.

You do not need to sign a license agreement, or otherwise communicate to Microsoft how you will implement the specifications.

The Promise applies to developers, distributors, and users of Covered Implementations without regard to the development model that created the implementations, the type of copyright licenses under which it is distributed, or the associated business model.

Under the Community Promise, Microsoft provides assurance that it will not assert its Necessary Claims against anyone who makes, uses, sells, offers for sale, imports, or distributes any Covered Implementation under any type of development or distribution model, including open-source licensing models such as the LGPL or GPL.

But boring old sceptic that I am, I have memories of this:

The Software Freedom Law Center (SFLC), provider of pro-bono legal services to protect and advance free and open source software, today published a paper that considers the legal implications of Microsoft's Open Specification Promise (OSP) and explains why it should not be relied upon by developers concerned about patent risk.

SFLC published the paper in response to questions from its clients and the community about the OSP and its compatibility with the GNU General Public License (GPL). The paper says that the promise should not be relied upon because of Microsoft's ability to revoke the promise for future versions of specifications, the promise's limited scope, and its incompatibility with free software licenses, including the GPL.

That was then, of course, what about now? Well, here's what the FAQ says on the subject:

Q: Does this CP apply to all versions of the specification, including future revisions?

A: The Community Promise applies to all existing versions of the specifications designated on the public list posted at /interop/cp/, unless otherwise noted with respect to a particular specification.


Now, is it just me, or does Microsoft conspicuously fail to answer its own question? The question was: does it apply to all versions *including* future revisions? And Microsoft's answer is about *existing* versions: so doesn't that mean it could simply not apply the promise to a future version? Isn't this the same problem as with the Open Specification Promise? Just asking.