Bob, thank you for your note!
Some comments to some particular points in your message:
It was recently pointed out that issues concerning confidentiality of information may not have been adequately addressed; patent submissions may also place additional constraints and restrictions on what individuals or organizations may do with certain information or material for IETF purposes. Indeed, this is but one aspect of a much larger topic that has not been discussed in any real depth. There are other important issues that merit attention in this context, insurance, clear indication of who has signature authority and for what actions, ownership of copyright claims in IETF documentation -- to name a few.
The issues of copyrights and patents as they relate to Internet standards are the purview of the IPR working group. Issues have been raised recently that the IETF currently does not get enough rights from authors of Internet standards to give permissions it needs to others - this is a topic of some complexity, and I invite anyone who wants to discuss it to go to the IPR WG's mailing list.
The IETF has traditionally largely refused to deal with confidential information as part of its standards process.
Although CNRI has been responsible for all aspects of the IETF Secretariat for over sixteen years, and, prior to 1998, provided technical leadership to the IETF as well, since then the provision of IETF Secretariat services has been carried out by Foretec Seminars, Inc. under contract to CNRI. CNRI continues to provide the IETF Secretariat function, and maintains the oversight of the IETF Secretariat services provided by Foretec. These CNRI activities are the province of many of the topics discussed in connection with the IASA activity and the IAOC in particular. One of the aspects of this oversight activity is quality control of not only the services provided in support of the IETF, but policies and procedures to govern the contribution and use of information or material that may be subject to patents, copyright or other rights or interests ("intellectual property").
I believe that the IETF has set its own procedures for this. See RFC 3667, RFC 3668. I do not know that we have ever had an IPR issue raised that related to documents outside those used in the standards process.
Among the issues to consider is (if CNRI does not provide the IETF Secretariat function) who will be responsible for administration and quality control over the use of trademarks, and how will that responsibility be carried out; who will be responsible for managing confidential and/or proprietary information or materials developed for or contributed to the IETF and its other constituent bodies such as the IETF Secretariat; and how can intellectual property rights or interests in such information or material best be transferred to other parties in the event a transition is required.
It would be desirable to start a discussion on these topics prior to concluding on the BCP, recognizing that all the long-term issues will undoubtedly not be resolved up front.
The current relevant text in the draft BCP (-05) is:
The IASA is responsible for undertaking any and all required actions that involve trademarks on behalf of the IETF.
As you say, it's unlikely that all the long-term issues will be resolved up front....
CNRI has made the IETF leadership aware of the fact that CNRI may have substantial objections to certain of the proposed roles for ISOC going forward. While none of the issues raised to date appear to be such that they cannot be resolved by the parties, subject to the adoption of appropriate resolutions by both the CNRI Board of Directors and the ISOC Board of Directors, to date, the discussions leading to any resolution of this matter have not taken place. The time is ripe to deal with these issues and not to put this discussion off to some future time.
Absent any other arrangement, CNRI intends to continue to hold the IETF-related assets, including intellectual property rights or interests therein, that have been developed over many years; however, we are willing to consider transferring these assets in a trust arrangement for use by the IETF in the future, subject to oversight by IAOC acting as trustees for the IETF in the public interest.
I am not certain how such an arrangement would hang together. The IAOC as constituted is not a separate legal entity, but an oversight body for the IASA function.
I believe that the IASA could do most, if not all, of the functions you outline below, without any modification to the current (-05) version of the BCP draft.
Specifically, in order to enable the IAOC to assume such trust responsibility, it is important to add this task to the list of IAOC responsibilities in the draft IASA (proposed BCP 04), section 3.2 as follows:
Proposed Additional IAOC Responsibilities:
* Serve as Trustees for IETF-related patent, copyright, trademark and other rights or interests in IETF assets, as appropriate, where such assets are placed in trust for the IETF, and coordinate with the IESG and IAB, as appropriate, on such management arrangements. Where appropriate, take appropriate steps to prosecute and maintain rights in any such assets.
I believe the IAD could do the practical functions (steps to prosecute and so on). I do not understand much of what being a "Trustee" would entail, so I have no comment on that part.
* Enter into agreements with ISOC and others for the transfer of any right, title or interest ISOC and others may claim in existing IETF assets to a newly formed trust arrangement set up to hold any copyrights, patents, trademark or other rights or interests owned or claimed by the IETF, such agreements to provide, in particular, that all future copyright claims related to Internet Drafts, Requests for Comment or other documents or other works created for the IETF, whether by the IAD or other persons or organizations providing support services for the IETF, include a copyright notice in the name of the IETF. Where appropriate, contracts with support providers should provide that any work performed for the IETF is work for hire, or, to the extent it may not be deemed work for hire, require that any such provider grant and assign, and agree to grant and assign all right, title and interest in any copyright, patent, trademark or other rights or interests arising in the performance of work for the IETF back to the IETF trust entity established to hold IETF assets in the public interest.
The IAOC, not being a separate legal entity, would not be able to enter into agreements. I believe that the functions you outline are mostly covered by the BCP's section 3.1, which states, among other things:
The IAD negotiates service contracts, with input, as appropriate, from other bodies, including legal advice, and with review, as appropriate, by the IAOC. The IAOC should establish guidelines for what level of review is expected based on contract type, size, cost, or duration. ISOC executes contracts on behalf of the IASA, after whatever review ISOC requires to ensure that the contracts meet ISOC's legal and financial requirements.
If a contract entered into by ISOC on behalf of IASA and/or the IETF (an "IASA Contract") provides for the creation, development, modification or storage of any data (including, without limitation, any data relating to IETF membership, documents, archives, mailing lists, correspondence, financial records, personnel records and the like) ("Data"), then the IAD shall ensure that such contract grants to ISOC the perpetual, irrevocable right, on behalf of IASA and IETF, to use, display, distribute, reproduce, modify and create derivatives of such Data. ISOC will permit IASA and its designee(s) to have sole control and custodianship of such Data, and ISOC will not utilize or access such Data in connection with any ISOC function other than IETF without the written consent of the IAD.
* To maintain protection for IETF-related trademarks, develop quality of service standards for the use of such trademarks, and establish procedures for the licensing of such trademarks by IAOC to all providers of IETF support services, including in particular ISOC, as employer of the IAD, and any successor entity selected to manage any aspect of the IAD's activities. The IAOC should also determine under what circumstances ISOC, the IAD or any other party is authorized to sublicense the use of any IETF-related trademarks. If the IAOC determines that a service provider fails to meet such standards, the IAOC should make a recommendation to the IETF leadership on how best to proceed.
I believe this is what the IAD is supposed to do. Given that work would be done under contract, there seems to be little need for a second type of control through the licensing of trademarks.
* Provide guidance to the IAD and other parties, as appropriate, with respect to the administration of the IETF policies and procedures established for the contribution, collection, retention and use of information or material for IETF purposes that may be subject to copyright, patent or other rights or interests. Work with the IESG and IAB to establish guidelines to be followed by the IAD and IETF leadership, as well as any IETF support providers, covering the collection and retention of personally identifiable information and other data that may be subject to confidentiality obligations or data protection laws and regulations in order to ensure compliance by the IETF with any such obligations or restrictions.
Another point that got added to version -05 was this:
The IAD shall ensure that personal data collected for legitimate purposes of the IASA are protected appropriately; at minimum, such data must be protected to a degree consistent with relevant legislation.
* Meet with the IETF leadership at regular intervals to review the existing IETF policies and procedures governing confidential and/or proprietary information or material to determine whether the existing policies and procedures meet the needs of the IETF community.
I certainly expect this to happen, but it is a level of detail that I do not think belongs in the BCP.
* Provide guidance to the IAD in entering into appropriate insurance agreements on behalf of the IETF, including coverage for the IAD, IAOC, IESG, IAB, IETF Area Directors and other persons who play leadership roles in the IETF, and, to the extent required, review the costs of relevant premiums. In addition, as part of any arrangement with ISOC, require ISOC to provide appropriate employment and workplace-related insurance for the IAD; and provide oversight with respect to insurance-related requirements to be placed on IETF support providers by the IAD and others, such as insurance to cover injuries or loss suffered in connection with IETF meetings. Provide specific signature authority to the IAD to enable the IAD to enter into and maintain the necessary insurance policies on behalf of the IETF and the IETF leadership.
The question of insurance was mentioned in version -00:
If ISOC directly funds any other IETF expenses, such as the IETF share of ISOC's liability insurance premium, this will be documented together with the other IASA accounts.
It was removed because comments indicated that this was at a level of detail inappropriate for the BCP. I think the provision of insurance for the IETF officers was always thought to be part of the remit of the IAD; whether this is best done as a single policy joint with ISOC D&O insurance or a separate policy is a matter I believe the IAD should have discretion to decide.
* In consultation with the IESG and IAB, retain independent legal counsel, where appropriate or required, to represent the rights and interests of the IAOC, IESG, IAB or IETF, and, to the extent that either ISOC or the IAD is not the party giving rise to the need for counsel, work with ISOC and/or IAD to determine how best to cover the costs of any such legal services.
This was raised in issue #822. Comments were that it's probably a good idea, and certainly in some cases, but that the BCP did not prevent it, so it did not need to be mentioned there.
Again, it's a question of what level of detail this (hard-to-change) document needs to go into.
Harald