Re: Does being an RFC mean anything?
On Mar 11, 2009, at 2:22 PM, Lawrence Rosen wrote:
The recent threads about draft-housley-tls-authz have taught me
something I didn't know about IETF, and I don't like what I've
There are, it appears, many types of IETF RFCs, some which are
intended to be called "Internet standards" and others which bear
other embedded labels and descriptions in their boilerplate text
that are merely "experimental" or "informational" or perhaps simply
"proposed standard". One contributor here described the RFC series
as "a repository of technical information [that] will be around when
I am no longer around."
The world is now full of standards organizations that treat their
works as more significant than merely "technical information." Why
do we need IETF for that purpose? If all we need is a repository of
technical information, let's just ask Google and Yahoo to build it
for us. Maybe our Internet standards should instead be created in an
organized body that pays serious attention to the ability of the
wide world to implement those standards without patent encumbrances.
But even if IETF isn't willing to amend its patent policy that far—
and most SDOs still aren't, unfortunately—at the very least we
should take our work seriously. When someone proposes a serious RFC,
we should demand that the water around that RFC be swept for mines—
especially *disclosed* patent mines that any serious sailor would
want to understand first.
If IETF isn't willing to be that serious, maybe we should recommend
that our work go to standards organizations that do care? As far as
my time to volunteer for a better Internet, there are far better
ways to do it than listening here to proposals that are merely
"technical information." At the very least, separate that into a
different list than IETF.org so I know what to ignore!
By the way, many of the same companies and individuals who are
involved here in IETF are also active participants in W3C, OASIS,
and the new Open Web Foundation, all of which organizations pay more
attention to patents and the concept of "open standards" than what
IETF seems to be doing here. So let's not be disingenuous, please.
Almost everyone here has previous experience doing this the right way.
I work in VoIP. My current day job is consulting on IPR, primarily on
patent litigation defense.
There are tens of thousands of patents in this area in the US alone. I
can think of few things I've seen in the last few years that aren't
covered by some kind of patent when they are brought into IETF, and
most of those acquire some kind of patent not long after. Many of the
things I've seen I can't discuss for NDA reasons, but I can say that I
accidentally found one patent that might possibly apply to an RFC I
edited, for which I submitted a 3rd party IPR disclosure to test the
Even if we applied the entire administrative capacity of the IETF to
filing and processing IPR disclosures, we couldn't possibly keep up
with the applicable US patents applying to VoIP, much less the tens of
thousands of patents on other protocols and in other jurisdictions.
I haven't looked, but I'm willing to bet that the same reality applies
to every other SDO.
So get real. The ONLY thing that an SDO's IPR disclosure process helps
with is the submarine patent held by an active participant in the SDO
-- and look where that got us with FTC vs. Rambus in the long run. To
the extent that the SDO disclosure policies apply, they apply equally
to Standard, Informational, Experimental, and even Historical track
RFCs. That's it -- if an IETF participant fails to disclose, they run
the risk of litigation around applying a patent against a standard, and
the outcome is not a sure thing.
This is especially poignant in that the IETF does not have corporate
membership. Rather, it has voluntary individual participation. So for
example, if Employee A (who does not participate in the IETF) at
company X files a patent on Idea #12 but doesn't tell Employee B (who
works on Idea #12 in the IETF), then it's arguable that Company X has
no disclosure liability here. For example, in the case I mentioned
above where I filed the 3rd party notice, none of the participants
from the IPR-owning company that I spoke to had been previously aware
of the IPR's existence. Some attorney back in the home-country filed it
based on a disclosure from somebody who probably wasn't even aware
there was a need for a standard related to the idea.
Now, if you want to lobby for requiring corporate membership in IETF,
feel free, but prepare for the throwing of a lot of stones. In the
meantime, get over it. Trying to require IETF to do a patent search on
every aspect of every RFC would just shut the organization down.