What I thought was the most interesting vendor announcement to come out of last week's Catalyst Conference didn't even rate a press release and wasn't being "demoed" in a hospitality suite. Instead, Sun submitted a document to OASIS and quietly told people (i.e., whispered in their ear) about it.
The document entitled, "Sun SAML Non-Assertion Covenant," begins:
"Sun Microsystems irrevocably covenants that, subject solely to the reciprocity requirement described below, it will not seek to enforce any of its enforceable U.S. or foreign patents against that portion of a product that implements the Security Assertion Markup Language (SAML) V2.0 specification or any subsequent version of that specification in whose development Sun participates to the point where Sun would be obligated by the rules of OASIS to grant (or commit to grant) patent licenses or make equivalent non-assertion covenants ('SAML Implementation')."
That means that whether or not Sun owns patents on methods used by SAML, it will refrain from asking anyone to license that intellectual property. Not that Sun will grant a royalty-free license, but that it simply will not require one.
This is similar to the recent "Statement regarding IPR" which RSA submitted to OASIS. That statement superceded one which, in part, declared that particular patents are owned by RSA but that royalty-free licenses would be granted for their use in SAML implementations. The new statement from RSA states that the company will not enforce patents it may hold for intellectual property used in SAML. Note that Fidelity Investments and AOL have also issued non-assertion statements regarding SAML.
So what does it mean? It means that any lingering doubt that a vendor or customer could be liable for royalties somewhere down the road are substantially eliminated. Companies can implement SAML 2.0-based applications and services with less worry that future liability could kill a project or seriously drain a company's finances.
That should be a big plus as federation begins to percolate up to the top of the list of "next to be implemented" identity projects.