Supporting Open Source Software Development in SSOs/SDOs

Feedback: Robin Cover
Version: 2016-06-04

I. Introduction

The rapid emergence of open source initiatives in the areas of IoT, M2M, Social Networking, Open APIs, Virtualization, Software Defined Networks, and Cloud Frameworks is now recognized as a change in the standardization ecosystem. The role of traditional SSOs/SDOs as the official creators of formalisms they call "standards" is being challenged. In some application domains, technology represented by curated "code" (source code vetted and licensed under open source principles) is now being produced and deployed under the label "standard" — with the same authority as a prose specification declared to be a "standard."[**]

The marketplace is accepting this changing definition of "standardization", even if some of the incumbent SSOs/SDOs may not. Many believe that simply releasing source code as a "standard" is sub-optimal because context (including additional semantics) and conformance usually need to be expressed using natural language, in prose specification text. Still, most also agree that the changing standardization landscape motivates a need for traditional SSOs/SDOs to adapt to market conditions by updating policies and infrastructure to respond to new business models and opportunities where open source software development and licensing play an essential role in the standards development process.

This document, produced in the OASIS context (but unofficial in every way, partly as an after-hours hobby), provides some background information on the changing standardization ecosystem, including additional references on Open Source Licenses and Contributor License Agreements (CLAs) that are commonly used in open source initiatives.

[**] Jim Zemlin (Executive Director, Linux Foundation):

"The largest form of collaboration in the tech industry for 20 years was at standards development organisations — IEEE, ISO, W3C, these things — where in order for companies to interoperate, which was a requirement in tech, they would create a specification, and everyone would implement that. The tech sector is moving on to a world where, in the Internet of things [for example], do you want to have a 500-page specification that you hand to a light bulb manufacturer, or do you want source code that you can hand to that manufacturer that enables interoperability? I think that's a permanent fixture. People have figured out for a particular non-differentiating infrastructure they want to work on that through open source, rather than creating a spec."

This is a major shift in the way that the technology world operates. Instead of trying to pin down in a specification how a new set of common standards will operate, leaving each company to implement those specifications as they see fit — perhaps with variable compatibility among them — we are moving to a world where the new standard is represented by open source code that both defines that standard, and does 99% of the work of implementing it.

That brings two huge advantages. First, it ensures that competitors really are working from a common foundation, and that compatibility is baked in. Perhaps even more importantly for those working with the open source code, it saves them much time and money, since they do not need to write an implementation from scratch, but can simply tweak the open source that is freely available. That not only saves money, it speeds up development and the pace of innovation. It also widens the market, since it means that even relatively small companies can take that code and use it in their products — something that was impossible in the age of complex standards..." From Glyn Moody in ComputerWorld, "Why Open Source is Replacing Open Standards", October 15, 2014 (emphasis added)

The 2014-10 observations of Jim Zemlin cited above (apud Glyn Moody) are echoed in a blog article from Andy Updegrove of Gesmer Updegrove, as of 2016-04, excerpted below: "Open Standards, Move Over." Gesmer Updegrove has represented more than 132 standards consortia and open source foundations.

II. Open Source Software Licensing in Traditional SSOs/SDOs

Some traditional SSOs/SDOs are now being presented with competitive challenges from emerging open source initiatives, and are taking steps to update their policies to explicitly accommodate open source software licensing (e.g., permissive copyright licenses). Twelve examples are provided below. Of these twelve, W3C may be the most interesting because ongoing discussion about permissive copyright licenses for document drafts/specifications recognizes, in the Problem Statement, that copyright restrictiveness has pushed some specification development outside W3C, and that a traditional restrictive copyright license blocks some specification implementation in Open Source. The 2015-06 revised W3C Software and Document Notice and License (permissive, GPL compatible, FOSS license supporting forkable specifications and code) was modified to clarify that the license is compatible with other liberal licenses. Similarly, a blog article from David Ward, in connection with IESG/IETF standardization activities, observes: "...the unavoidable question for both participants and observers is whether a Standards Development Organization (SDO) like the IETF is relevant in a rapidly expanding environment of Open Source Software (OSS) projects."

DMG (Data Mining Group): PMML and PFA Standards Licensed under BSD Open Source License

"The Data Mining Group (DMG) is an independent, vendor led consortium that develops data mining standards, such as the Predictive Model Markup Language (PMML) [and] Portable Format for Analytics (PFA).

PMML is the leading standard for statistical and data mining models and supported by over 20 vendors and organizations. With PMML, it is easy to develop a model on one system using one application and deploy the model on another system using another application." The PMML Version 4.2 standard was released in February, 2014.

PFA is the next generation open standard intended to enable vendor-neutral exchange and execution of complex predictive analytic models... a standard for statistical models and data transformation engines. PFA combines the ease of portability across systems with algorithmic flexibility: models, pre-processing, and post-processing are all functions that can be arbitrarily composed, chained, or built into complex workflows. PFA may be as simple as a raw data transformation or as sophisticated as a suite of concurrent data mining models, all described as a JSON or YAML configuration file.

The PMML standard, as documented in the DMG's "Standards Notice and License", is licensed under the BSD 3-clause open source license:

The Data Mining Group Consortium ("DMG") Standards Notice and License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:



DMTF: Members Now Make Software Submissions Under the BSD 3-Clause License

As announced in "DMTF Now Enables Member Software Submissions" (May 2014), DMTF's 17-member Board of Directors created new policy to support submissions of software by DMTF members in connection with DMTF standards development activities. The goal is to "complement the development of standard specifications by allowing for submission of related software examples and other software tools." The agreement under this policy "also allows for future opportunities for the DMTF to contribute to and collaborate with Open Source efforts." In 2014, DMTF "developed new projects, specifically software — complementing the development of standard specifications [supporting opportunities to] contribute to and collaborate with Open Source efforts."

Code submissions from DMTF members fall into three categories:

  1. Software Submission: means software submitted by a DMTF member to a DMTF Working Group, Forum or Technical Committee in relation to an approved DMTF Sample Implementation or Validation Software project, whether in source code, binary code, or other format.

  2. Sample Implementation: "means software that implements a DMTF Specification, and which may include functional technologies developed elsewhere and merely incorporated by reference in the body of the DMTF standard or otherwise not expressly set forth in the DMTF Specification"

  3. Validation Software: "means software used to test the functional conformance of an implementation of a DMTF Specification"

Recently (2014-08) the DMTF Board of Directors also approved a charter for the Scalable Platforms Management Forum (SPMF), which includes development of sample implementations, demonstration software, test tools, and source code for the test tools.


Ecma: BSD Software License for Software Incorporated into an Ecma International Standard

Software in an Ecma Standard is made available under the BSD License, as described in the policy: "... rules and procedures relating to the submission, inclusion and licensing of Software that is proposed to be part of an Ecma International Standard."


Ecma International Policy on Submission, Inclusion and Licensing of Software

Version 1 was: Approved by the Ecma GA on June 17, 2010
Version 2: 2012

The purpose of this Policy is to provide guidance, rules and procedures relating to the submission, inclusion and licensing of Software that is proposed to be part of an Ecma International Standard. Software in standards may require different copyright licenses than descriptive text in standards. Ecma International owns and licenses the copyright in its Standards via the Ecma International Copyright Disclaimer ("Copyright Disclaimer").

For purposes of the Policy "Software" means imperative or declarative programming instructions in a formally defined language that can be processed by hardware that manipulates data according to such programming instructions. Pseudo Code (defined below) is also considered Software under this Policy...

The guidance, rules and procedures described herein are applicable to both submissions of Software by individual submitters and submissions of Software that is developed collaboratively by two or more submitters... Ecma will provide a license to the Software pursuant to the Software License set forth on Exhibit A if the Software is incorporated in an Ecma International Standard...

[License Text]

The [[Name of Software("Software")]] is protected by copyright and is being
made available under the "BSD License", included below. No patent license is
granted, nor is a patent license commitment made, by implication, estoppel
or otherwise.

Copyright (c) [YEAR], [OWNER]
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
   this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
3. Neither the name of the [ORGANIZATION] nor the names of its contributors
   may be used to endorse or promote products derived from this software without
   specific prior written permission.


Standard ECMA-262 5.1 Edition / June 2011
Software License
All Software contained in this document ("Software)" is protected by
copyright and is being made available under the "BSD License", included
below. This Software may be subject to third party rights (rights from
parties other than Ecma International), including patent rights, and no
licenses under such third party rights are granted under this license even
if the third party concerned is a member of Ecma International. SEE THE

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the authors nor Ecma International may be used to 
endorse or promote products derived from this software without specific
prior written permission.


IETF: BSD Licensing of Code Components, Reference Implementations, Hackathons

In the frequently cited Tao of IETF, one of the IETF founding beliefs is formulated as "We believe in rough consensus and running code." Code development in conjunction with prose specification development is deemed essential to IETF specifications. Specification "code" is readily implementable in open source software because the source is BSD-licensed (by IETF rule). Many IETF standards (RFCs) and I-Ds are supported by open source reference implementations. Hackathons and community-driven code sprints are used to "advance the pace and relevance of IETF standards activities by bringing the speed and collaborative spirit of open source software into the IETF."

Code Components

When "Code Components" are incorporated directly into IETF specifications, such code is licensed under the open source Simplified BSD License, ensuring that modifications to code in implementations will be allowed. The IETF Trust "chose the Simplified BSD License for Code Components after consultation with the IETF community, including open source code developers within the community. The Simplified BSD license is widely-recognized within the open source community and has been recognized and approved by the Open Source Initiative (OSI) and is thus compatible with a wide variety of open source software." The intent in selection of Simplified BSD License "was to find a license that would permit the code to be used as-is in any environment with attribution", according to IAB and IETF Chair Russ Housley [Vigilsec]. The IETF specification boilerplate "Copyright Notice" thus asserts: "Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License."

Examples of "Code Components" in IETF specifications licensable under BSD include: any classical programming code, Extensible Markup Language (XML) Schemas, XML RelaxNG definitions, XML DTDs, YANG modeling language representations, ASN.1 modules and structures, Management Information Base (MIB) modules, TLS presentation syntax, Policy Information Base (PIB) module, ABNF definitions, Tables of values, etc.

In detail: what is meant by "Code Components"? According to the IETF TLP FAQ document questions 3.2 - 3.3: "Under the TLP, Code Components are any components intended to be directly processed by a computer. This means that all forms of software code are Code Components. The IETF Trust maintains a list of common code components [v3.0, effective 2009-04-23]... The items on this list are automatically treated as "Code Components" for purposes of the TLP, but this list is illustrative only. That is, a type of code can still be a "Code Component", even if it is not listed. If you feel that a particular type of code that is commonly used in IETF Documents should be added to this list, please email the IAD... If you include a Code Component in an IETF Contribution, you are encouraged to label it with markers such as <CODE BEGINS> and <CODE ENDS>, though these markers are not strictly required..."

Text from the IETF TLP FAQ: "Code Components (see Question 3.2) that are embedded or included in IETF Documents published on or after November 10, 2008, can be used, copied, distributed and modified by anyone in any manner under the open source Simplified BSD License, as described in Questions 3.2 and 3.3. This is true even if the 6.c.iii Legend described in Question 4.2 is present in the IETF Document where the Code Component originates. Code Components that are embedded or included in IETF Documents published during the period of RFC 3978 effectiveness, March 2005 to November 10, 2008, can be used, copied, distributed and modified in any manner under the license grant contained in 3.3.a.E. The IETF takes the position that the code license granted under RFC 3978 is compatible with most other open source licenses, though it has not formally been recognized by the Open Source Foundation."

IETF Reference Implementations

Many IETF standards (RFCs) and I-Ds are supported by (open source) reference implementations, whether developed by IETF Working Group participants or by others. Such implementations are sometimes cited in IETF specifications within the "Implementation Status" section, though such reference does not typically imply official endorsement by the IETF, and in some cases, the IETF RFCs themselves explicitly clarify that the BSD-licensed code published in the RFC text is considered normative.

For example, as reported by Charles Eckel for IETF 94: "Japan was the host city for IETF 94. The IETF hackathon sponsored by Cisco DevNet, was the third in a continuing series to advance the pace and relevance of IETF standards activities by bringing the speed and collaborative spirit of open source software into the IETF. More than 70 developers came together to test experimental protocols, produce reference implementations, create useful utilities, etc."


IETF Policy References

In the 2014 timeframe, several activities were underway within IESG/IETF to bring greater attention to open source / reference implementations in relation to prose specifications (aka "standards"). See some references below and [TBD]:

Other References

Kantara Initiative: Apache 2.0 and Creative Commons Attribution-Share Alike

Kantara Initiative Work Groups produce Technical Specifications, but may elect to develop software/code and related "Licensed Materials" for which various IPR options are available, including a derivative of the open source Apache 2.0 Contributor License Agreement (CLA) and Creative Commons Attribution-Share Alike. With respect to Copyright and Patents, the CLA provides "Kantara Initiative and IEEE-ISTO on behalf of Kantara Initiative any other rights necessary to allow it to distribute software and other Organization Recommendations using the Apache License, Version 2.0..."

Licensed Materials: Kantara Initiative Intellectual Property Rights Policies Version 1.1: "[Definition] 'Licensed Materials' shall mean any literary work or other work of authorship, including but not limited to toolkits, software development kits ('SDK'), code, documentation, reference implementations, prototypes, software, software protocols, formats, interfaces and test tools, whether pre-existing or newly created or prepared under the auspices of an Work Group, that is intentionally submitted by one or more Participants for use in the development of or for inclusion in the output of a Work Group."


OASIS Open Repositories: Open Source Licenses for Repositories Associated with TCs

In September 2015, OASIS announced the creation of a new option for Technical Committees that want to encourage open source development in support of their standardization activities. The repository development activities are distinct from chartered TC work done by OASIS members, and are not governed by the OASIS TC Process and IPR Policy; they operate under a separate set of rules for contributions, management, licensing, and repository lifecycle.

The OASIS Open Repositories are public GitHub repositories created through public contributions under a designated open source license, and community participants establish development priorities for assets maintained in the repository. Any qualifying OASIS Technical Committee (initially: a TC using the Non-Assertion IPR Mode or RF on Limited Terms IPR Mode) may request the creation of one or more Open Repositories to enable development of additional material — to supplement or otherwise support its standards work. Open Repositories are set up as GitHub projects under the GitHub organization "oasis-open". Initially, the four license choices include: BSD-3-Clause License, Apache License v 2.0, CC-BY 2.0, and Eclipse Public License v 1.0.

ODPi (Open Data Platform Initiative): Hadoop Big Data as Open Source

"ODPi is a nonprofit organization accelerating the delivery of Big Data solutions by powering a well-defined platform called ODPi Core. The ODPi Core is a set of software components, a detailed certification, and a set of open source tests that the industry can use to build Big Data solutions and data-driven applications. Initial focus: Apache Hadoop (inclusive of HDFS, YARN, and MapReduce) and Apache Ambari. In 2015-10, ODPi announced new members, technical milestones, its formal governance structure, and that the technical activity will be hosted at The Linux Foundation as a Collaborative Project. ODPi uses an open governance model that is led by a community of developers who will form a Technical Steering Committee (TSC) based on expertise and value of contribution...."

Members to date [2015-09] represent a diverse group of Big Data solution providers and end users such as Altiscale, Ampool, Capgemini, CenturyLink, DataTorrent, EMC, GE, Hortonworks, IBM, Infosys, Linaro, NEC, Pivotal, PLDT, SAS Institute Inc, Splunk, Squid Solutions, SyncSort, Telstra, Teradata, Toshiba, UNIFi, VMware, WANdisco, Xiilab, zData and Zettaset.

Intellectual Property Policy: "ODPi seeks to integrate and contribute back to other open source projects within the scope of the Purpose set forth in the ODPi Bylaws. Based on this design goal for ODPi, the development community will conform to all license requirements of the open source projects leveraged within the Platform...

"Except as may be approved by the Board: (a) pre-existing open source projects to be leveraged by ODPi: [i] Will be limited to projects made available under the following licenses: Apache License version 2.0 (Apache-2.0), Eclipse Public License (EPL-1.0) or Mozilla Public License 2.0 (MPL-2.0); and [ii] will be deemed to be contributed to the project in unmodified form by ODPi under the outbound license applicable to the project and made available for modification by ODPi contributors.

"To facilitate upstreaming of modifications and coordination with relevant Apache and other projects, all contributions of source code to ODPi will be made pursuant to a contributor license agreement that is the same as the appropriate Apache contributor license agreement, altered only as necessary to identify ODP as the recipient of the contributions (Apache Corporate Contributor License Agreement or Apache Individual Contributor License Agreement..."

OGC: Standards Published Under Permissive License, Code as Open Source Software

1. Standards and specifications (in various classes) are released by the Open Geospatial Consortium (OGC) under a permissive license:

"Permission is hereby granted, free of charge and subject to the terms set forth below, to any person obtaining a copy of this Intellectual Property and any associated documentation, to deal in the Intellectual Property without restriction (except as set forth below), including without limitation the rights to implement, use, copy, modify, merge, publish, distribute, and/or sublicense copies of the Intellectual Property, and to permit persons to whom the Intellectual Property is furnished to do so, provided that all copyright notices on the intellectual property are retained intact and that each person to whom the Intellectual Property is furnished agrees to the terms of this Agreement. If you modify the Intellectual Property, all copies of the modified Intellectual Property must include, in addition to the above copyright notice, a notice that the Intellectual Property includes modifications that have not been approved or adopted by LICENSOR."

Examples of OGC standards/specifications distributed under permissive license:

Other OGC specifications of various classes thus licensed:

2. Licensing Machine-Readable Representations (Schemas, DTDs...) Under Open Source Software License

The Open Geospatial Consortium (OGC) also recognizes that schemas and DTDs produced as components in publicly available interface standards may need modification or adaptation in software implementations. Therefore, these machine-readable artifacts may be licensed as "code" under software terms. The software license thus applicable to schemas/DTDs grants implementers "Permission to use, copy, and modify this software and its documentation, with or without modification, for any purpose and without fee or royalty..."

Verbatim: "5.10 Is a schema or document definition (DTD) covered by the document or software terms? Schemas (and DTDs) are frequently part of our specifications and seemingly fall under the document copyright terms. However, as long as you do not use the same formal namespace or public identifier to identify that modified OGC schema/DTD (which might confuse applications), you may treat the schema/DTD under the software terms. This means that you are permitted to make a derivative or modified OGC schema/DTD, but even under the software terms you are obligated to include/retain the OGC copyright notice. We further appreciate a couple sentences regarding who made the modifications, when, and what changes were made in the original DTD — a common software documentation practice."

Additionally: the CityGML-3.0 Standard being developed by the Open Geospatial Consortium (OGC) CityGML Standards Working Group in cooperation with SIG 3D and Building Smart International is available on GitHub under the OSI-approved open source MIT License (MIT).


OMG: GitHub Repositories for Open Source Specification and Tools Development

The Object Management Group (OMG) is using GitHub repositories for various specification and software development projects where open source permissive licensing is involved.

The OMG Threat Modeling Phase1 Project is a standards activity developing "operational threat and risk model (AKA Ontology) intended to federate multiple formats, technologies, and use cases to enable a fusion of information in support of proactive and reactive threat/risk assessment, analytics, mitigation, and information sharing. The focus of this effort is fusion of threat and risk information across physical, criminal, and cyber concerns." The Apache License (Version 2.0, January 2004) is used for assets of the RFP and the evolving specification for a proposed standard (models, requirements, use cases). Some of the Reference Standards for Phase 1 include CWE, FIBO, ISC-CERT, OMG Structured Assurance Case Metamodel (SACM), and STIX v1.1.

OMG BPMN Model Interchange Working Group members are producing software licensed under permissive open source license(s):


Open Networking Foundation (ONF): Apache 2.0 Licensing

"Open Networking Foundation (ONF) is a user-driven organization dedicated to the promotion and adoption of Software-Defined Networking (SDN) through open standards development...The OpenFlow Standard is the first SDN standard and a vital element of an open software-defined network architecture." ONF announced "the establishment of the Open SDN Promotion Center (OSPC) in China jointly with Beijing Internet Institute (BII). The Open SDN Promotion Center will be dedicated to creating an open SDN ecosystem, fostering the development of open source projects, facilitating wider deployment of the OpenFlow protocol..."

From the ONF Bylaws: "It shall be the policy of the Corporation to accept Open Source Software licensed under terms substantially similar to the then current Apache 2.0 License. With regard to non-software Contributions to the Corporation, each Member and its Affiliates hereby grants to the Corporation and each Member and its Affiliates a worldwide, irrevocable, non-exclusive, non-transferable (except as otherwise provided in the Bylaws) sub-licensable, royalty-free copyright license to reproduce, create derivative works, distribute, display, and perform the Contributions of the Members solely for the purposes of developing and publishing copyrightable works on behalf of the Corporation."


The Open Group (TOG): MIT Open Source License and TOG Public License

[Placeholder; details TBD; needs investigation]

The Open Group supports the development of open, vendor-neutral IT standards and certifications, [seeking to] "facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies."

"OpenPegasus is an open-source project... OpenPegasus is an open-source implementation of the DMTF CIM and WBEM standards. It is designed to be portable and highly modular. It is coded in C++ so that it effectively translates the object concepts of the CIM objects into a programming model but still retains the speed and efficiency of a compiled language. OpenPegasus is designed to be inherently portable and builds and runs today on most versions of UNIX, Linux, OpenVMS, and Microsoft Windows..."

W3C: OSI-Approved Software License, Test Suite Licenses, Permissive Software and Document (Specification) License

W3C provides several FOSS open source licensing options for specification-related software tools, specifications, test suites, code component portions of specifications, and for relicensing unfinished specifications. In June 2015, W3C introduced a "W3C Software and Document Notice and License" as a permissive FOSS license (GPL compatible, supports forkable specifications) applicable to documents as well as to code/software. A "CC-dual Licensing" option, allowing for Creative Commons Attribution 3.0 Unported License (CC-BY) as a permissive copyright license for Recommendation-track deliverables, was approved on an experimental basis to support innovation in the W3C HTML Working Group, but its use has been extended to other areas. Earlier changes to the primary W3C Document License (effective 2015-02-01) supported creation of derivative works and stipulated that all Code Components included in W3C Specifications be available under the W3C Software License — an OSI-certified open source license with GPL compatibility. That license change for W3C documents was motivated in part by the W3C's recognition that a traditional restrictive copyright license sometimes blocks or impedes implementation of a specification in open source development environments.

W3C open source and dual/permissive or similar open source licensing:

  1. W3C Open Source Software Notice and License. This OSI-certified open source license for W3C-related software was written so as to preserve the Free Software Foundation's assessment of GPL compatibility and OSI's certification under the Open Source Definition. See the license source from W3C and from the Open Source Initiative. See examples in W3C's Open Source Software and (older) W3C Software Tools.

  2. W3C Software and Document Notice and License (FOSS). In June 2015, W3C announced the adoption of a revision to the "W3C Software Notice and License". The new W3C Software and Document Notice and License is a permissive FOSS license (forkable, GPL compatible) with language modified to clarify that the license is compatible with other liberal licenses. This license is now applicable to both software and text (specification documents as deliverables) in cases where W3C wishes to apply a permissive license to Working Group outputs, including Recommendation-Track Deliverables. The license grants permission "to copy, modify, and distribute this work, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the work or portions thereof, including modifications... [attribution and reference]" As a permissive license, this "W3C Software and Document Notice and License" has no restrictions on field of endeavor, and anticipates that redistribution of the software or text specification (or any portions) will incorporate modifications, as a derivative work — "for any purpose".

    The [a] W3C Social Web Working Group, chartered to define technical protocols, vocabularies, and APIs for the Open Web Platform, has adopted the W3C Software and Document Notice and License for all Working Group deliverables. Other W3C Working Group charters, approved or under review, have designated the new W3C Software and Document Notice and License as the default license for all WG deliverables. An important example, measured against the ubiquity of the HTML Standard, is the [b] Web Platform Working Group, whose members and external GitHub collaborators are developing the HTML Standard (Version 5.1 or higher) under W3C FOSS license terms. "Substantive" contributions to the HTML specification are accepted from participants in the W3C Working Group, or from non-members, subject to a patent licensing commitment.

    Other examples of W3C Working Groups chartered to license deliverables (specifications and software) under the W3C Software and Document Notice and License (as of 2016-06): [c] Web Payments Working Group, [d] Internationalization (I18n) Working Group, [e] Second Screen Presentation Working Group ("Code Components" - e.g., [f] Presentation API Polyfill), [g] Device APIs Working Group [proposed with new name Device and Sensors Working Group], [h] Pointer Events Working Group, [i] Verifiable Claims Working Group, [j] Browser Testing and Tools Working Group, [k] TV Control Working Group, [l] (proposed) Web of Things Working Group, [m] (proposed) Web Performance Working Group, and [n] W3C Timed Media Working Group ["This Working Group will use the W3C Software and Document license for all its deliverables"], alternate/choice Timed Text Working Group. The new license is also applicable as the default in any relicense of "unfinished" specifications (e.g., TCP and UDP Socket API; Web Telephony API; Messaging API; Contacts Manager API...).

  3. W3C Licenses for Test Suites. "W3C makes available Test Suites under two distinct licenses for two mutually exclusive uses: (a) a 3-clause BSD License for software development, bugtracking, and other applications that do not require assertions of performance to the public or implied claims of conformance to a W3C Specification [summary]; (b) a W3C Test Suite License for an Authoritative W3C Test Suite or when claims of performance with respect to a specification are required."

  4. W3C Dual licensing. Creative Commons Attribution 3.0 Unported License (CC-BY) as well as the W3C Document License. According to the "FAQ Regarding HTML Working Group Charter License Experiment", W3C is/was "experimenting with a permissive copyright license for some Recommendation-track deliverables of a W3C Working Group." Use cases for the Dual License included: "[a] including prose of the specification in software from proprietary to completely open source as well as test cases; [b] extracting parts, such as WebIDL or CSS, in source code trees of implementations of the specification; [c] forking some or all of the Working Group specification and pursuing an alternative development path outside the W3C even without the W3C or the HTML Working Group ceasing operations."

  5. W3C Document License Supporting Derivative Works and Open Source Software Licensing for Code Components in Specifications. In February 2015, W3C announced a significant update to the W3C Document License governing copyright of specifications and other public documents on the W3C web site: to permit preparation and distribution of derivative works, and to license all "Code Components" in documents under the OSI-certified and GPL compatible W3C Software License. Proviso: publication of derivative works that create a competitive technical specification is prohibited.

    From Wendy Seltzer's blog posting:

    "W3C announced today an update to liberalize its general document license. The updated license — applied today to all documents the W3C has published under its general document license — permits the creation of derivative works not for use as technical specifications, and the excerpting of Code Components under the W3C Software License. When writing Recommendations, we want to encourage contribution toward and implementation of standards. We also want to encourage consistent implementation of standards and limit the likelihood of confusion or non-interoperability from divergent versions of a single specification. The updated license works to balance these concerns. Accordingly, this update facilitates the re-use of code, including in packages licensed under the GNU GPL. It also grants clear permissions to enable those documenting software, writing guides and tutorials, and implementing specifications to use excerpts of W3C documents as authoritative source material...."

    The 2015-02 W3C Document License changes were made as a generalization of earlier provisions formulated for the W3C Second Screen Presentation WG: E.g., "Document License: Documents produced by this group will be licensed under the W3C Document License. In addition, "Code Components" — Web IDL in sections clearly marked as Web IDL; and W3C defined markup (HTML, CSS, etc.) and computer programming language code clearly marked as code examples — will be licensed under the W3C Software License. The group should use the following copyright statement:

    Copyright © 2014 W3C ® (MIT, ERCIM, Keio, Beihang), All Rights Reserved.
    W3C liability, trademark and document use rules apply. Additionally, all Code Components,
    as defined below, are made available under the W3C Software License and Notice.

    For the purpose of this license, Code Components are:
    Web IDL in sections clearly marked as Web IDL; and
    W3C defined markup (HTML, CSS, etc.) and computer programming language code clearly marked as code examples.

  6. W3C Permissive Copyright Licenses for document drafts/specifications. In the 2014 timeframe, consensus was sought on the possible formulation of a W3C permissive copyright license (or potentially a combination trademark/license policy) to augment or replace the traditional restrictive copyright license for W3C specification documents. Considerations have been given, e.g., for allowing or mandating a CC-BY license, or a CC-0 license.

    For some details, see the references in the W3C Advisory Board Wiki. Among the expected positive results from adopting "a more liberal copyright license": re-attracting editors and specifications, and motivating more open source implementation of W3C specifications ("GPL open source implementations will be able to implement from W3C specifications"). Also, for example, among draft Consensus Items [2014-06-12]: "Copyright: more and more web platform features are being defined outside of W3C with a CC0 Copyright Declaration: Thus it is proposed that to stay competitive as a venue for web platform standards development, W3C consider adopting a CC0 Copyright Declaration as its Copyright policy."

  7. Relicensing Unfinished W3C Specifications. On 05-December-2014, W3C enacted a policy to support relicensing of unfinished specifications. The policy describes how W3C relicenses specifications when a Working Group has stopped work, but some in the community may wish to continue working on it. The policy was enacted following two reviews by the W3C Membership.

    "Preferred Copyright Licenses: The Director's preferred licensing strategy will depend on the situation. Note: As of December 2014, there are active discussions about permissive copyright licenses, including the use of [Creative Commons Attribution License] CC-BY, CC-BY with code portions available under the W3C Software License, CC0, and revisions to the W3C Document License. Given the absence of consensus, this proposal does not yet include a preferred permissive license, but will be updated when the Director observes consensus on such a license. If portions of a specification were originally licensed under the W3C Software License, that should continue in the relicensed version...Patent licensing commitments under the W3C Patent Policy apply only to W3C Recommendations. Therefore, because specification relicensed under this policy are not Recommendations, there are no new licensing obligations created by this policy."

  8. W3C Groups. Participants in W3C Community Groups and Business Groups grant a permissive copyright license under the W3C Community Contributor License Agreement (CLA) to others, including the right to "reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, distribute, and implement" contributions. Example: WebVTT from W3C Web Media Text Tracks CG, for input to W3C Timed Text WG. See further below under W3C CLA for Community Groups and Business Groups.

  9. W3C Social Web Working Group and Official Open Source Reference Implementations. Social Web Working Group was chartered, as part of the Social Activity, to define the technical protocols, vocabularies, and APIs to facilitate access to social functionality as part of the Open Web Platform. "As of 1 January 2015, OpenSocial standards work and specifications beyond OpenSocial 2.5.1 will take place in the W3C Social Web Working Group, of which the OpenSocial Foundation is a founding member."

    Apache Shindig is the reference implementation of OpenSocial API specifications, versions 1.0.x and 2.0.x, a standard set of Social Network APIs that includes Profiles, Relationships, Activities, Shared Applications, Authentication, and Authorization. Apache Rave is a lightweight and open-standards based extensible platform for using, integrating and hosting OpenSocial and W3C Widget related features, technologies and services...


III. Open Source Licensing Examples in Community Initiatives

The community initiatives listed as examples in this section include some projects recently formed, but do not include the well-known community development initiatives like the Apache Software Foundation, the Eclipse Foundation, or open source software hosting facilities. These examples of large and small projects demonstrate the increasing popularity of "software as a standard", "software as an integral part of a standard", or "prose specification development in conjunction with open source software development."

Alliance for Open Media Using W3C RF Patent Policy

"Launched in 2015, the Alliance for Open Media is a Joint Development Foundation project formed to define and develop media codecs, media formats, and related technologies to address marketplace demand for an open standard for video compression and delivery over the web." Alliance members as of 2016-06: "The Alliance for Open Media is governed by founding member companies: Amazon, ARM, Cisco, Google, Intel, Microsoft, Mozilla, Netflix, and NVIDIA."

Specification licensing: [2016-06] "Participants in Alliance for Open Media Working Groups have adopted the Alliance for Open Media Patent License 1.0. This is intended to fulfill their commitments to make available their Essential Claims, as defined in the W3C Patent Policy, in Final Deliverables adopted by that Working Group under the W3C RF licensing requirements as if that Final Deliverable was a W3C Recommendation."

Excerpts from License text: "[Licensor ...] grants Licensee a non-sublicensable, perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable ... patent license ... Defensive Termination.... Disclaimers. The Reference Implementation and Specification are provided 'AS IS' and without warranty. The entire risk as to implementing or otherwise using the Reference Implementation or Specification is assumed by the implementer and user."

Software released by the Alliance for Open Media is made available under a combination of (a) the BSD 2-Clause License, and (b) the Alliance for Open Media Patent License 1.0.

The Joint Development Foundation "is an independent non-profit organization that provides the corporate and legal infrastructure to enable groups to establish and operate standards and source code development collaborations. [JDF] provides the corporate and legal infrastructure to enable groups to quickly establish and operate lightweight collaborations to develop technical specifications, standards, and source code. Joint Development Foundation Projects are ideal for specification development projects or as a place to do incubation projects before taking those projects to a larger standards organization....

By using established Joint Development Foundation legal agreements, groups can establish projects quickly and with minimal legal expense. By operating under the Joint Development Foundation's legal umbrella, Projects can enjoy of the benefits of the Joint Development Foundation's existing legal agreements, choice of intellectual property policies, non-profit status, and corporate structure. This enables Projects to more easily establish themselves, collect funds, issue press releases in the Project's name, develop liaison relationships, and hold copyrights, all without negotiating custom agreements and new corporate organizations..."

JDF is "'Free' — there's no cost to start and run your project under the Joint Development Foundation. If you'd like additional services, like bank accounts, project management, or help with meeting logistics, we can help you obtain those services at an additional cost. Any proceeds will go to help fund the Joint Development Foundation..."

AllSeen Alliance: Permissive OSI-Approved ISC License (ISC)

"AllSeen Alliance [is] a nonprofit consortium dedicated to driving the widespread adoption of products, systems and services that support the Internet of Everything with an open, universal development framework that is supported by a vibrant ecosystem and thriving technical community. The Alliance hosts and advances an industry-supported open software connectivity and services framework based on the AllJoyn open source project with contributions from Premier and Community Members as well as from the open source community.

"To facilitate an open ecosystem, AllSeen Alliance was structured with an open source license, open design, development and contribution model and finally, an appropriate, open governance model."

Software development includes test specifications, test environment and test tools, test facilities, plugfest events.

"The Alliance will release project code under the ISC License and provide no other rights for such code other than those expressly granted in that license. For the text of the ISC License, please visit

ISC License (ISC) for Outbound Distributions "Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies."

Contribution Agreement for Inbound Contributions Copyright License: "You hereby grant to the Alliance, a non-exclusive, irrevocable, perpetual, worldwide, royalty-free, sublicensable and transferable copyright license to use, copy, prepare derivative works of, modify, distribute directly or indirectly through multiple tiers, publicly perform and publicly display by all means now known or later developed, and/or to otherwise fully exploit Your Contribution and any derivative works thereof or modifications created thereto pursuant to an open source software license that has been approved by the Alliance in accordance with the By-Laws of the Alliance for use within Alliance projects."


Cloud Foundry Foundation: GitHub Projects Using OSI-Approved Licenses

"Cloud Foundry is a multi-cloud, multi-vendor open source platform for application lifecycle automation. The Cloud Foundry open-source 'platform as a service' (PaaS) provides a choice of clouds, developer frameworks, and application services.

Cloud Foundry's 50+ member companies work collaboratively together to drive the global awareness and adoption of the Cloud Foundry open source project, the world's leading industry PaaS. AT&T, CenturyLink, Cisco, HPE, Huawei, IBM, NTT, Pivotal, SAP, Swisscom, Verizon, and Yahoo! Japan run implementations of Cloud Foundry, typically on OpenStack.

Cloud Foundry operates under an open governance by contribution model, led by a diverse group of technical, open source contributors." Most of the foundation's 160+ GitHub repositories use the Apache License Version 2.0 open source license. "The Apache License 2.0 must be used for any new Cloud Foundry Projects (including documentation therefor), and the Board must approve any exception."

Guidelines for contributing code to the GitHub repositories: "ensure that you have a Contributor License Agreement on file; fork the GitHub project's repository; create a feature branch and make changes on your branch; push to your fork and submit a pull request. If you have a CLA on file, your contribution will be analyzed for engineering quality and product fit prior to merging."

Docker: Apache License Version 2.0

Docker is an open source application container engine for distributed applications, supported by a developer community (over 460 contributors as of June 2014) and open development on GitHub.

Details: "... Docker is an open platform for developers and system administrators to build, ship, run and orchestrate distributed applications. With Docker, IT organizations shrink application delivery from months to minutes, frictionlessly move workloads between data centers and the cloud, and improve infrastructure efficiency by 50 percent or more. Inspired by an active community and by transparent, open source innovation, Docker has been downloaded 67+ million times and is used by thousands of the world's most innovative organizations, including eBay, Baidu, Yelp, Spotify, Yandex, and Cambridge HealthCare. Docker's rapid adoption has catalyzed an active ecosystem, resulting in more than 60,000 Dockerized applications and integration partnerships with AWS, Cloud Foundry, Google, IBM, Microsoft, OpenStack, Rackspace, Red Hat, and VMware." [Vintage-2014 description]

European Union Public License (EUPL): Supporting FOSS Resources

The European Commission created the open source "European Union Public License (EUPL)" to support international software development collaborations producing open source software for public administrations. For example, many of the specification development projects under ISA (Interoperability Solutions for European Public Administrations) have supporting EUPL-licensed software tools. "The ISA programme of the European Commission facilitates such transactions through more than 40 actions with a budget of some EUR 160 million."

Alternately, for EU Joinup collaborative activities: "any licence that is recognized by the OSI (Open Source Initiative), or the FSF (Free Software Foundation) will be accepted for distributing projects hosted on Joinup". Joinup "is a collaborative platform created by the European Commission and funded by the European Union via the Interoperability Solutions for Public Administrations (ISA) Programme. It offers several services that aim to help e-Government professionals share their experience with each other. We also hope to support them to find, choose, re-use, develop and implement interoperability solutions."


Hyperledger Project Using Apache 2.0, DCO, and Creative Commons Attribution

"The Hyperledger Project is a collaborative effort created to advance blockchain technology by identifying and addressing important features for a cross-industry open standard for distributed ledgers that can transform the way business transactions are conducted globally. The Project is a Linux Foundation Collaborative Project and implements many open source best practices familiar to other leading projects."

Mission (detail) as chartered: (a) "create an enterprise grade, open source distributed ledger framework and code base, upon which users can build and run robust, industry-specific applications, platforms and hardware systems to support business transactions; (b) create an open source, technical community to benefit the ecosystem of HLP solution providers and users, focused on blockchain and shared ledger use cases that will work across a variety of industry solutions; (c) promote participation of leading members of the ecosystem, including developers, service and solution providers and end users; (d) host the infrastructure for HLP, establishing a neutral home for community infrastructure, meetings, events and collaborative discussions and providing structure around the business and technical governance of HLP...."

Hyperledger Project Intellectual Property Policy: "Members agree that all new inbound code contributions to HLP shall be made under the Apache License, Version 2.0. All contributions shall be accompanied by a Developer Certificate of Origin (DCO) sign-off that is submitted through a Governing Board and LF-approved contribution process. Such contribution process will include steps to also bind non-Member Contributors and, if not self-employed, their employer, to the licenses expressly granted in the Apache License, Version 2.0 with respect to such contribution...

"All outbound code will be made available under the Apache License, Version 2.0. All documentation will be contributed to and made available by HLP under the Creative Commons Attribution 4.0 International License. If an alternative inbound or outbound license is required for compliance with the license for a leveraged open source project or is otherwise required to achieve HLP's mission, the Governing Board may approve the use of an alternative license for specific inbound or outbound contributions on an exception basis...."

IoTivity Open Source Project: IoT Framework Under Apache License Version 2.0

"IoTivity is an open source software framework providing connectivity for the Internet of Things (IoT), hosted as a Linux Foundation Collaborative Project. The IoTivity project is sponsored by the Open Interconnect Consortium (OIC), a group of industry leaders who will be developing a standard specification and certification program to address these challenges... The standard and the open source implementation will help ensure interoperability among products and services regardless of maker and across multiple industries, including smart home, automotive, industrial automation, and healthcare."

"Apache License: The IoTivity project is an open source project released under the terms of the Apache License version 2.0."


Open Annotations Project: Specification and Reference Implementation

The Open Annotations Project provides an example of SSO collaboration to produce code and prose specifications: "Together, Hypothesis and the W3C propose to deliver the software and standards necessary for sharable, distributed annotations on all Web content, enabling citizens, journalists and publishers to engage with information in a way that has not yet been possible. We will produce a reference implementation that web users can carry with them anywhere in their browsers, and that publishers and journalists can add to web sites."

"The Open Annotation data model provides an extensible, interoperable framework for expressing annotations such that they can easily be shared between platforms, with sufficient richness of expression to satisfy complex requirements while remaining simple enough to also allow for the most common use cases, such as attaching a piece of text to a single web resource..."

Update 2014-12: The W3C Web Annotation Working Group was chartered through 01-October-2016 to "define a generic data model for annotations, and define the basic infrastructural elements to make it deployable in browsers and reading systems through suitable user interfaces." Plan: "use the Open Annotation Data Model and Open Annotation Extension specifications, from the W3C Open Annotation Community Group, as a starting point for development of the data model specification. The Robust Link Anchoring specification will be jointly developed with the WebApps WG, where many client-side experts and browser implementers participate."


Open Interconnect Consortium (OIC): Reference Implementation and Test Beds

"The Open Interconnect Consortium is a group of industry leaders who are coming together to create both a standard specification and an open source project to address the challenges of connecting billions of IoT devices."

Open Source Software Contributions: "Members may make Code Contributions to OIC subject to the Apache 2.0 license. As used herein, the term 'Code Contribution' means a submission by a Member proposing an initial base of OIC Open Source Code or an addition to or modification of Open Source Code provided that the submission is of a form to be deemed acceptable by OIC and submitted or uploaded to OIC as provided by OIC..."

The open source project supporting the specification is to produce:

  1. an "open source reference implementation" — "develop protocol specifications and an open source reference implementation, and eventually a certification program"
  2. "test beds" — "develop protocol specifications and an open source reference implementation, and eventually a certification program". The test beds involve code, just as the implementations involve code.


OpenDaylight: Eclipse Public License and CC-BY for SDN Framework

OpenDaylight, with more than 60 members [2014-12], "is a collaborative, open source project to advance Software Defined Networking (SDN). OpenDaylight is a community-led, open, industry-supported framework, consisting of code and blueprints, for accelerating adoption, fostering new innovation, reducing risk and creating a more transparent approach to Software-Defined Networking."

Licensing: "OpenDaylight is structured and governed using open source best practices and is licensed under the Eclipse Public License - v 1.0 (EPL), which is a common choice for Java-based projects. The EPL is an approved open source license by the Open Source Initiative and considered a free software license by the Free Software Foundation. The license choice of EPL maximizes OpenDaylight's license compatibility with the large ecosystem of libraries and 3rd party components that have already been released under the EPL license. Where necessary the Board may approve exceptions for other licenses..."

"User Content that is not in the form of source or object code, including but not limited to white papers, dissertations, articles or other literary works, power point presentations, encyclopedias, anthologies, wikis, blogs, diagrams, drawings, sketches, photos or other images, audio content, video content and audiovisual materials, will be governed by the Creative Commons Attribution 3.0."


Open Platform for NFV: Apache 2.0 and Creative Commons Attribution

"The OPNFV Project was launched at the end of September [2014] with the intention of creating an open source reference platform for NFV (Network Functions Virtualisation). The number and diversity of the member companies supporting the project is a validation of the high level of hope on open source as the preferred delivery method for a de facto standard NFV platform."

[From 'About']:

"The initial scope of OPNFV will be on building NFV Infrastructure (NFVI), Virtualized Infrastructure Management (VIM), and including application programmable interfaces (APIs) to other NFV elements, which together form the basic infrastructure required for Virtualized Network Functions (VNF) and Management and Network Orchestration (MANO) components. OPNFV is expected to increase performance and power efficiency; improve reliability, availability, and serviceability; and deliver comprehensive platform instrumentation.

OPNFV will work closely with ETSI's NFV ISG, among other Standards Development Organizations (SDOs), to drive consistent implementation of standards for an open NFV reference platform. Increasingly, standards are being drafted in conjunction with major open source projects. Since feedback from open source implementations can drive the rapid evolution and adoption of standards, this tight coordination of otherwise independent processes is crucial to the establishment of an NFV ecosystem. When open source software development is aligned with standards development, it can root out issues earlier, identify resolutions, and potentially establish de facto standards, resulting in a far more economical approach to platform development..."

OPNFV Project IPR Policy summary:

"Except as may be approved by the Board:

  • All new code contributions to the OPNFV Project shall be made under the Apache License, Version 2.0. All contributions of source code to the OPNFV Project will be accompanied by a Developers Certificate of Origin (DCO) that is submitted through a Board-approved contribution process which will bind the authorized contributor and, if not self-employed, their employer to the licenses expressly granted in the Apache License, Version 2.0, only with respect to such contribution, with no limitation, estoppel or effect on any other member of OPNFV.

  • All outbound code will be made available under the Apache License, Version 2.0.

  • All documentation will be received and made available by the OPNFV Project under the Creative Commons Attribution 4.0 International License."


OpenStack Foundation

OpenStack: open source software for creating private and public clouds. The OpenStack project is provided under the Apache 2.0 open source license.

"OpenStack requires contributions to be released under the Apache 2.0 license, and have licensing information in the header when uploaded to the public code repository. This submission method makes all contributions immediately available to all community members under the Apache 2.0 license. Our Contributor License Agreement is based on the Apache Software Foundation form, and we concur with their FAQ" [on the scope of patent grants]

Project Interoperability: Assets Under Creative Commons CC0 1.0 Universal License

Project Interoperability is "based on Project Open Data. The project is a public domain work and is not subject to domestic or international copyright protection. See the license file (Creative Commons CC0 1.0 Universal) for additional information. Members of the public and US government employees who wish to contribute are encouraged to do so, but by contributing, dedicate their work to the public domain and waive all rights to their contribution under the terms of the CC0 Public Domain Dedication." [Detail:] "Data and content created by government employees within the scope of their employment are not subject to domestic copyright protection under 17 U.S.C. Section 105..."

Nearby: Project Open Data "Project Open Data is an online collection of code, best practices, and case studies developed to help agencies adopt the framework presented in the OMB memorandum M-13-13 "Open Data Policy-Managing Information as an Asset"... Project Open Data is a collaborative, open source project. Both Federal employees and members of the public are strongly encouraged to improve the project by contributing" via GitHub under open licenses.


Sentilo: EUPL Open Source Sensor/Actuator Platform

"Sentilo is an open source sensor and actuator platform designed to fit in the Smart City architecture of any city who looks for openness and easy interoperability. It's built, used, and supported by an active and diverse community of cities and companies that believe that using open standards and free software is the first smart decision a Smart City should take....It is also aimed at anyone from the IT world interested in contributing to the expansion of the 'Internet of Things' and smart cities with the goal of improving citizens' quality of life..."

"There are no restrictions to commercial use of Sentilo, particularly building a commercial product on top of (or that uses) Sentilo: you may build and install Sentilo and sell services or license software extensions to third parties. You may also install Sentilo and provide your services on a (for payment) SaaS basis. If you distribute any Sentilo software (or any modification to the original software), you need to ensure that the end-user/client gets a copy of the source code of this software — but not of any extensions, plug-ins or applications that use the Sentilo code as a platform."


U.S. DHS and MITRE: Permissive and BSD 3-Clause Licensing for STIX/TAXII

"STIX is a language for the specification, capture, characterization, and communication of standardized cyber threat information. Trusted Automated eXchange of Indicator Information (TAXII) is a U.S. Department of Homeland Security (DHS)-led, community-driven effort to standardize the trusted, automated exchange of cyber threat information. TAXII is the preferred exchange mechanism for Structured Threat Information eXpression (STIX)."

STIX and TAXII are made available by grant under [a permissive] "royalty-free license to use Structured Threat Information Expression (STIX) for research, development, and commercial purposes." Verbatim [2015-05-04] from Terms of Use: License: "The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Structured Threat Information Expression (STIX) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy."

See Legal: License: "STIX is released under a permissive license for any commercial or non-commercial purpose while helper scripts and related tools have individual licenses that typically follow Berkeley Software Distribution."

Several implementations and toolsets supporting STIX/TAXII are available from GitHub, along with schemas and related deliverables. For example:

  1. YETI: a TAXII implementation available under the BSD 3-clause license.

  2. STIX Document Validator, available under the BSD 3-clause license.

  3. A Python library for parsing, manipulating, and generating STIX content, available under the BSD 3-clause license.

  4. A Python library for handling TAXII Messages invoking TAXII Service, available under the BSD 3-clause license.


WebRTC Project: BSD Open Source Copyright License

"WebRTC is an open framework for the web that enables Real Time Communications in the browser. The project goal is to enable rich, high quality, RTC applications to be developed for the browser, mobile platforms, and IoT devices, and allow them all to communicate via a common set of protocols. It includes the fundamental building blocks for high quality communications on the web such as network, audio and video components used in voice and video chat applications. The WebRTC effort is being standardized on a API level at the W3C and at the protocol level at the IETF. The project is supported by Google, Mozilla, Opera, and others."

Contributor Agreement: To contribute code, you will need to fill in one of the following agreements. Also, please re-read the WebRTC project's software license and patent grant documents.


IV. Open Source Examples from OASIS

The examples below could be marshaled to illustrate a historic and ongoing mismatch between TC Members' desire to write "code" against prose specifications, where code writing and software licensing per se are not formally supported in the development of OASIS Work Products. Various ad hoc tactics have been used to accommodate some of the exceptions (alternately: code development activities are simply rejected before they see the light of day), but when exceptions are countenanced, the licensing for modifiable code is not clean. TC members often simply follow their own goals for software development — sometimes close to but arguably not clearly within the expected norms. The examples below reveal TC Members' basic instincts, so to speak, and some of the resulting mismatch.

NIST's Biometric Identity Assurance Service (BIAS) Reference Implementation

The Biometric Identity Assurance Services (BIAS) SOAP Profile became an official OASIS standard on 24 May 2012. Some TC members felt that a reference implementation would be useful in the promotion and adoption of the standard. NIST developed a reference implementation to complement the 24 May 2012 [OASIS] standard.

"There are two components in the reference implementation: a service and a client. The service is written in Visual Basic.Net and the client in Adobe Flex. It is a functional service which matches fingerprints using the Bozorth3 algorithm from NBIS.Net."

License for the reference implementation: "This software was developed at the National Institute of Standards and Technology (NIST) by employees of the Federal Government in the course of their official duties. Pursuant to title 17 Section 105 of the United States Code. This software is not subject to copyright protection and is in the public domain."


NIST's Live Streaming Prototype for OASIS Biometric TC WS-Biometric Devices (spec)

Kevin Mangold of NIST, and member of the OASIS Biometrics Technical Committee, reported on Monday, 03-June-2013: "NIST has made two recent contributions to the OASIS Biometric TC WS-Biometric Devices specification [a command and control protocol for biometric devices]. First, the BWS team provided a live streaming prototype..."

License for this contribution to OASIS Biometrics TC: "The research software provided on this web site ('software') is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software."

NIST also prepared reference implementations for the WS-Biometric Devices specification: "NIST has written two reference implementations against the WS-Biometric Devices specification. To help ensure the quality of the specification, they were developed independently on two different platforms."


Akoma Ntoso: Permissive/Liberal License for the AKN Schema

The Akoma Ntoso specification, governing parliamentary, legislative, and judiciary document formats, is being advanced for standardization in the OASIS LegalDocumentML (LegalDocML) TC, supported in part by a generous contribution from Microsoft.

Several released versions of the Akoma Ntoso specification used a GPL open source license for the principal Akoma Ntoso schema: "[this is] free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version."

Why would the Akoma Ntoso specification developers seek to apply an open source license for the schema? It's natural because implementations are expected to be widely distributed by open source software suppliers, and it is expected that developers of these applications/implementations, as well as end user customizations, will modify the Akoma Ntoso schema for use in various jurisdictions, exploiting the extensibility models and customization features. Why "modify"? Because that's the way it works: customization and extension are key to the design.

Some of the Akoma Ntoso schema customization features are explained in "Customizing Akoma Ntoso: Modularization, Restrictions, Extensions" [also "Customizing Akoma Ntoso" or "Customizing Akoma Ntoso: modularization, restrictions, extensions"], which discusses "customizations to the general Akoma Ntoso schema that imply performing actual modifications to the actual schema". A fuller treatment of customizations, explaining Akoma Ntoso as "more like a Lego box full of building bricks," is presented by Flavio Zeni in the April 2014 OpenParl News Brief:

"We can say that Akoma Ntoso is a meta-schema that allows you to build your own schema: it provides the building blocks for different organisations to use to build their own very individual schemas. Having organisations using similar building blocks, identifying these blocks in a similar fashion goes a long way to allow greater integration and exchange of documents as well as reusability of software tools..."

Akoma Ntoso thus provides the building blocks for you to create the specific schema you need, and it allows you to add new (markup) elements and modify base schema elements if you need them. AKN defines the core vocabulary and allows use of the vocabulary and atomic component markup structures to be composed variably for different jurisdictions and their legal genres.

From a licensing point of view, it may be desirable for software developers and others to license their Akoma Ntoso (compliant) schema modifications and customizations under a permissive license that composes easily with other recognized open source licenses, as part of localized or specialized asset distributions that include programming code libraries, utilities, authority tables, and any other supporting software applications.

Excerpt from license text in the Akoma Ntoso specification release (file: gpl-3.0.txt):

Version 3, 29 June 2007

Developers that use the GNU GPL protect your rights with
two steps: (1) assert copyright on the software, and (2)
offer you this License giving you legal permission to copy,
distribute and/or modify it...

Preamble: The GNU General Public License is a free, 
copyleft license for software and other kinds of works...


DocBook 5.0, 5.1 DocBook Schema (GitHub and SourceForge) Can Be Freely Modified/Forked

DocBook is "the popular XML schema originally developed to document computer and hardware projects, but DocBook 5.0 has been expanded and simplified to address documentation needs in other fields..." Development of DocBook takes place on GitHub, including DocBook schemas and DocBook XSLT 2.0 Resources, though some development takes place on SourceForge. NB: Norm Walsh, longtime lead architect for DocBook, was recently recognized as recipient of the OASIS Distinguished Contributor Award.

Formally, DocBook is being advanced for standardization in the OASIS DocBook TC, so official copies of the DocBook schema and associated software are published in the OASIS Library.

The License text for The DocBook Schema Version 5.0 (OASIS Standard, 01-November-2009) and later versions clarifies that users of the schema are free to make and distribute modifications so long as the distributed modifications do not call the distribution "DocBook".

The conditions of the license permit a range of development projects to use/adapt DocBook for specialized documentation projects, and no negative side-effects of "forking" have been reported. The DocBook user community is cohesive, and has found the generous license terms ideal for their purposes:

"2. If You Change DocBook, It's Not DocBook Anymore! The license agreement under which DocBook is distributed gives you complete freedom to change, modify, reuse, and generally hack the schema in any way you want, except that you must not call your alterations 'DocBook'." [from the Intro, "Customizing DocBook"]

Verbatim (excerpt) from the DocBook schema license:

# This file is part of DocBook Vx.x
# Copyright 1992-2008 HaL Computer Systems, Inc.,
# O'Reilly & Associates, Inc., ArborText, Inc., Fujitsu Software
# Corporation, Norman Walsh, Sun Microsystems, Inc., and the
# Organization for the Advancement of Structured Information
# Standards (OASIS).
# Permission to use, copy, modify and distribute the DocBook schema
# and its accompanying documentation for any purpose and without fee
# is hereby granted in perpetuity, provided that the above copyright
# notice and this paragraph appear in all copies. The copyright
# holders make no representation about the suitability of the schema
# for any purpose. It is provided "as is" without expressed or implied
# warranty.
# If you modify the DocBook schema in any way, label your schema as a
# variant of DocBook. See the reference documentation
# (
# for more information.


Virtio TC: Spec Header File Licensed Under BSD as Open Source

Members of the OASIS Virtual I/O Device (VIRTIO) TC are producing a VIRTIO (Virtual I/O) Device Specification.

Open source licensing use case: this OASIS TC has created a Multi-Part specification that includes C++ source code as a Normative portion. Two of the computer definition files are stubbed out, being skeletons for the creation of local-use files in particular implementation contexts. The TC wished to clarify that licensing for these two files (only these two) is explicitly the BSD license, to support implementation in commercial and non-commercial software products.

Virtual I/O Device (VIRTIO) Version 1.0
OASIS Committee Specification Draft 03
01 July 2014

Verbatim (excerpt) of license text, where file (virtio_ring.h) declares:

"An interface for efficient virtio implementation.
 * This header is BSD licensed so anyone can use the definitions
 * to implement compatible drivers/servers.
 * Copyright 2007, 2009, IBM Corporation
 * Copyright 2011, Red Hat, Inc
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of IBM nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.


PKCS #11 Header Files Licensed Under Permissive License

Members of the OASIS PKCS 11 TC are enhancing the PKCS #11 Cryptographic Token Interface standard (from RSA Laboratories) for cryptographic tokens controlling authentication information — personal identity, cryptographic keys, certificates, digital signatures, biometric data.

The input specification to the OASIS TC from RSA included header files, where the expectation is that such files would require modification in implementation contexts. Accordingly, the RSA license text for the header files clarifies that such modification is allowed in production and use of derivative works:

"License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing the derived work."

Discussion about the possible use of the (typical) boilerplate OASIS copyright notice language produced some discontent in the OASIS TC because what RSA explicitly granted (modification/derivation) seemed to be disallowed by the OASIS boilerplate: "...this seems like a step backwards from the RSA license previously used with the header files. In particular the following clause prohibits modification. Ability to modify source code is at the core of most open source licenses." [posted to the TC discussion by Stef Walter, Wednesday, June 12, 2013 11:54 AM. The OASIS boilerplate asserts, in part: "this document itself may not be modified in any way"]

Verbatim RSA license in the header files as contributed:

/* pkcs11.h include file for PKCS #11. */
/* $Revision: 1.4 $ */

/* License to copy and use this software is granted provided that it is
 * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 * (Cryptoki)" in all material mentioning or referencing this software.

 * License is also granted to make and use derivative works provided that
 * such works are identified as "derived from the RSA Security Inc. PKCS #11
 * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
 * referencing the derived work.

 * RSA Security Inc. makes no representations concerning either the
 * merchantability of this software or the suitability of this software for
 * any particular purpose. It is provided "as is" without express or implied
 * warranty of any kind.


V. Open Source Licenses

[This Section TBD 2014-12]

VI. Contributor License Agreements (CLAs)

In consideration of possible use of CLAs and compatibility of CLAs with Open Source Licenses: some examples and general references are provided here.

"One potential way to effectively structure rights between developers (authors), the projects (entities) that distribute their works, and the users (end licensees) of their work is the use of contributor agreements. Contributor agreements, to describe them briefly, define and clarify the terms, under which a contribution (code, translation, artwork, etc.) is made to an open source or open content project. Thus, using a contributor agreement can provide confidence in the origin and ownership of individual contributions and thereby protect the project and its organisers, the users of the software and also the contributors. While contributor agreements are increasingly being adopted by open source projects, the benefits and downsides have been the subject of intense and at times emotional discussion. Arguments about the appropriate form for contributor agreements intensified when project Harmony was launched in 2011 as the first attempt at standardized templates for contributor agreements. In addition to the debate around substance and exact wording of the agreements, there were also critics who claimed that harmonized contributor agreements were a means for companies to establish the transfer of rights from contributors to commercial investors as an industry standard...." [excerpt from Catharina Maracke, "Copyright Management for Open Collaborative Projects: Inbound Licensing Models for Open Innovation." ]


AllSeen Alliance

AllSeen Alliance IP Policy for Inbound Contributions: "All contributions of project source code to the Alliance will be accompanied by a Developers Certificate of Origin (DCO) that is submitted through an Alliance-approved contribution process. Except as provided in the next sentence, all contributions shall be made pursuant to the ISC license. Contributions may, at the election of any contributor, be made pursuant to an Alliance-approved Contribution Agreement."

Apache Software Foundation

Cloud Foundry Foundation

Elements of "IP Hygiene" (IP cleanliness) formulated by the Cloud Foundry Foundation in its Guiding Principles include:

  • Ensuring that all incoming code is legally contributed
  • Ensuring that all third-party code included in or referenced (i.e., a dependency) by Projects is compatible with Cloud Foundry licensing requirements
  • Ensuring all contributions have an associated CLA in place
  • Ensuring that all Dedicated Committers have committer agreements in place covering each of the Projects on which they have commit rights


Eclipse Foundation

Ecma International


Kantara Initiative

Option Apache Contributor License Agreement (CLA): "Can be used for development of output of a Work Group other than Technical Specifications. Option: Source Code Contributor License Agreement (CLA): Apache 2.0. Derived from the Kantara Initiative Intellectual Property Rights Policies document."

For Copyright: "...You hereby grant to Kantara Initiative and to IEEE-ISTO on behalf of Kantara Initiative and to recipients of software and other Organization Recommendations distributed by Kantara Initiative a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Licensed Materials and such derivative works...."

OpenStack Foundation

Open Web Foundation (OWF)

"The OWFa and CLA establish copyright and patent rights for a specification, ensuring that downstream consumers may freely implement and reuse the licensed specification without seeking further permission."

Ubuntu / Canonical

W3C (Community Groups and Business Groups)

The W3C CLA pertains to any "Specification" produced by Group members; however, "Any source code created by the Project is not subject to this CLA, but rather subject to separate licensing terms for that source code" [W3C Software License]. — "[IPR policies for Community Groups and Business Groups] are designed to make it easy for IPR holders to join a group, to provide implementers with some IPR protection during development of a specification, to create a final specification that benefits from Royalty-Free licensing commitments, and to license contributions under a permissive copyright."

CLAs: Additional Examples and References

Contributor License Agreements: Additional Examples

Contributor License Agreements: References

VII. Classes of Software (Examples)

Examples: Open Source Software Developed Together with Implementation Specifications

  1. Specification implementations (partial or complete): [reference implementations], non-normative prototype implementations, proof-of-concept implementations, example/sample implementations, model implementations, etc.
  2. Test suites for interoperability/conformance/performance testing (test harness/tools and sample machine-readable data/scenarios)
  3. Data validators and parsers
  4. Data conversion, transformation, and serialization software
  5. Enumerated data types: customizable/extensible machine-readable data sets: codelists, authority files, instance constants
  6. Specialized editors: graph editors, slideware production
  7. Specialized VCS: software for data diff (delta), merge, and version control
  8. Visualization software: data/models presented in diagrams, hierarchical models, hypertext-linked documentation, statistics
  9. Browser plugin modules for data manipulation, rendering, navigation
  10. Multi-purpose toolkits: tools/frameworks for (API) development toolkits supporting the implementation specification
  11. Customizable/extensible models: Assertion grammars, schemas, model representations, and related formalisms that may be treated as software

VIII. General References

  • [April 13, 2016] "Open Standards, Move Over." By Andrew Updegrove. In The Standards Blog. "The top IT companies are increasingly opting to use open source software to solve problems that they used to address with open standards. And where standards must still play a role, the same companies are deciding to develop the open source software first and the related standards later, rather than the traditional practice of doing it the other way around. The reasons are many and obvious: time to market is faster, interoperability is often more easily obtainable, development economies are dramatic, and the number of standards ultimately needed is far less... Without anyone ever reporting on the change, or perhaps even noticing it, the word 'standards' has been repurposed to describe code bases rather than [prose, human language] specifications. And perhaps advisedly so, because these code bases solve the problems that standards used to address...."

  • [November 13, 2014] "Open Standards, Open Source, Open Loop. How Does an SDO Enable Innovation?" By David Ward (Cisco Systems, Development CTO and Chief Architect). Presented at the IETF 91 Meeting (Honolulu, HI, USA). See also the slides from IETF 94, and the recorded session. "As more and more functionality is being placed into Open Source without standardization, how should SDOs interact with developers and deployers of Open Source? There are claims that Open Source defines the industries 'de facto Standards'.. As the IETF (Internet Engineering Task Force) meets in Hawaii, the unavoidable question for both participants and observers is whether a Standards Development Organization (SDO) like the IETF is relevant in a rapidly expanding environment of Open Source Software (OSS) projects." See also Simon Sharwood in The Register, and update in "The Critical Connections Between Open Standards and Open Source".

  • [October 28, 2014] "Operators and the IETF." Version -00 (or later). By Chris Grundemann and Jan Zorz (Internet Society). IETF Network Working Group. "... with the advent of OpenFlow, Software Defined Networks (SDN), Network Function Virtualization (NFV), and an overall trend toward open source, particularly open application programming interfaces (APIs), in the network space, this disparity may now be seen as related to a larger and growing problem. If open APIs become the de-facto definition of interoperability requirements, the role of the standardization bodies, and the opportunity for operators to influence specifications, diminishes. As a result the functional interoperability (and interchangeability) of vendors and devices will decrease, potentially leading to a more proprietary and less open and global nature of the Internet. In response, the Internet Society has launched a new project to address the perceived gap between Operators and the IETF..." See also update 2014-11-06, and other blog articles.

  • [October 15, 2014] "Why Open Source is Replacing Open Standards: Linux Foundation Leads the Way." By Glyn Moody. In Computerworld UK. See the excerpt above from Jim Zemlin (Executive Director, Linux Foundation) on the shift from open standards to open source as a result of these industry-wide collaborative projects.

  • [August 18, 2014] "IETF Working Groups Co-Chair: Real Standards Need Reference Implementations." By Tom Nadeau (Brocade, Distinguished Engineer II) and Scott M. Fulton III. In FierceEnterprise Communications. "... imagine a world where you have one implementation that everybody uses. And that's really what open source is: Everybody can still get together and do the on-the-wire protocol specs, and things like that, but then they build a reference implementation, which then not only embodies the on-the-wire protocols, but also the literal processing of those messages... Existing standards processes, like at the IETF and ITU, were driven in the past by what amounted to a really long process for developing services, getting specifications written, getting protocols specified, getting code written in equipment, and then deploying that stuff. That was often a multi-year process — four or five years...The mark of a truly mature development team [...] is its ability to produce reference implementations: working models that can actually be deployed in some production scenarios, even if the working level is minimal.... A mature open source reference platform should be led by a principal player, balanced by an assembly of possibly competing interests..." See above on IETF Reference Implementations.

  • [December 10, 2013] "The Launch of AllSeen Alliance (and the Next Generation of Open Collaboration)." By Andy Updegrove. In Blog. "Specifically, the mission of the AllSeen Alliance includes creating a layer of software that implements existing standards and finesses the need to create many new standards, because anyone can use the software right out of the virtual box. In other words, it is the framework, rather than a description of one — ready to go, and already interoperable by design. And because it's open source, it can be readily and easily adapted as needed by anyone to allow their particular things to join the party..."

  • [August 2013] "Copyright Management for Open Collaborative Projects: Inbound Licensing Models for Open Innovation." By Catharina Maracke. In SCRIPT-ed [ISSN: 1744-2567] Volume 10, Issue 2 (August 2013), pages 140-148. Supporting articles in this issue include: (a) "Drafting Options for Contributor Agreements for Free and Open Source Software: Assignment, (Non)Exclusive Licence and Legal Consequences. A Comparative Analysis of German and US Law," by Tim Engelhardt; (b) "Comparative Analysis of Copyright Assignment and Licence Formalities for Open Source Contributor Agreements," by Andres Guadamuz and Andrew Rens; (c) "Internationalisation of FOSS Contributory Copyright Assignments and Licenses: Jurisdiction-Specific or 'Unported'?" by Axel Metzger.

IX. Notes

  • [2016-06-04] Fixed a few broken links; added entries for Hyperledger Project and Alliance for Open Media; updated DMG, Akoma Ntoso, and W3C.

  • [2016-04-12] Retrospective on the status of this document, and origins. Per notice in the "Feedback" colophon below ("...some broken links and out-dated assertions...") I feel compelled to note what readers will immediately intuit: this document is now uneven, reflecting an evolving purpose and a succession of audiences, but without any thorough-going rewrite to make the goals clear. I hope it's useful despite the pedigree. The document was created in 2014-08 for one audience and purpose, and has been imperfectly redacted since then to support different interests. I nominally update the content, almost always on non-company (off-clock) time, as a hobby, because "open source and standards" holds personal interest. Link-rot will be an ongoing problem; about fifteen years ago I read that the [average] half-life of a URI reference was 43 days. As TBL asserted (using different words): "Links don't break: people break them."

Feedback: Please send questions, comments, or other feedback (correcting errors of fact, identifying dubious or misleading claims, reporting infelicities, suggesting emendations of any kind) to Robin Cover. At any time the document will have some broken links and out-dated assertions. Feel free to link to this resource (by URI reference) but please do not re-post or redistribute. Nothing in this document may be construed to represent the opinions, judgments, or conclusions of any corporate entity or of any other human person. Similarly, the document intent is to offer no advice, counsel, recommendation, or guidance of any kind whatsoever.