I’m sitting at the OAuth Summit held at Yahoo in Santa Clara. We’ve had a brief discussion about the IPR policy negotiation process that has been going on in the background between a few core OAuth people and legal departments in various large companies (most notably Yahoo, Google and Microsoft).
Briefly, the IPR policy allows employees at large companies to collaborate on the standard while promising to not sue anyone who uses their company’s Intellectual Property through use of the standard. So basically Yahoo can’t come sue anyone using OAuth for using some patented algorithm they submitted to OAuth.
The IPR policy is important and good work. That said, the current second revision of this is essentially a secret document that will be presented signed, sealed and delivered to us b-list members of the community in a week or two’s time.
The community created the OAuth Non-Assertion Covenant and Author’s Contribution License which all the original OAuth spec signers have signed with the exception of Yahoo.
Eran told us today that apparently Yahoo stalled the process in their legal department as they needed a more detailed agreement. This is fine and great feedback; however, these comments should somehow be made public so we the community also can follow it and make comments.
I realize that most developers don’t want to follow this; however, it is important that it is transparent and googlable. I suggest an OAuth-legal group, the same way OpenID does, or a continuation of the existing IPR License on Agree2, which does offer comments, versioning and a full transparent audit trail.
One comment I was given was that we should let lawyers talk with lawyers. I have to call bullshit on that. These kinds of things are way too important to be left in the hands of lawyers without any kind of external oversight.
Gabe has been doing a great job representing us (the OAuth community); however, there are lots of people with opinions on this who would like to follow it and voice occasional opinions. Those of us who are building businesses around OAuth-based services need to feel comfortable that we aren’t going to be screwed by some indecipherable legalese in the future. More important, if there are disputes in the future, the negotiation trail is key for solving them.
The final comment I heard is that large companies like Yahoo and Microsoft don’t want to make it public that they are negotiating this. I’m sorry, that is even greater bullshit; that’s pre-cluetrain, pre-internet thought.
Get with the program. Yahoo has more to lose by not using OAuth than us in the OAuth community have to lose by them not joining us. I’m sorry if that’s the way it’s done, I don’t care. This is not the world of industrial age negotiation in smoke-filled private lounges. You guys are all internet companies, for God’s sake.
OAuth is about open, transparent, simple standards for creating an infrastructure that’s open to all of us and not just Google, Yahoo and Microsoft. Any negotiations behind it should be too.
Update July 2nd, 2008: Here is the latest version of the OAuth Non-Assertion Covenant and Author’s Contribution License For OAuth Specification 1.0.