Report from the W3C Web Authentication Working Group PAG

From the Web Authentication Patent Advisory Group.

Status of this Document

This report was approved by the Web Authentication Working Group Patent Advisory Group (WebAuthn PAG) on 29 March, 2017.

Executive Summary

In response to a disclosure and exclusion from Visa Europe (the patents and applications so disclosed, the "Disclosed Patents"), the WebAuthn PAG concludes that the Disclosed Patents do not read on the Web Authentication Specification.

Because the PAG concludes that the Disclosed Patents do not contain Essential Claims as defined in the W3C Patent Policy, it recommends that the Web Authentication Working Group continue to work on the Web Authentication Specification.

Summary of Recommendations

Consequently, the WebAuthn PAG does not believe that changes are necessary to the Web Authentication Specification with regard to the disclosure, and recommends that work on the Web Authentication Specification should be continued.

Introduction

The W3C Web Authentication Working Group was chartered in February 2016 based upon a Member Submission of FIDO 2.0 Platform Specifications from members of the FIDO Alliance, to develop a recommendation-track specification or specifications defining an API, as well as signature and attestation formats to provide an asymmetric cryptography-based foundation for authentication of users to Web Applications.

The goal of the W3C Patent Policy is to assure that Recommendations produced under this policy can be implemented on a Royalty-Free (RF) basis. Patent Advisory Groups are formed when patent claims are asserted against or expressly excluded from royalty-free commitment for implementations of W3C Recommendations. That happened here when Visa Europe excluded certain of its patents from the Web Authentication Specification. This report concludes the activities of the Web Authentication PAG.

Procedure

This section traces the necessary procedural steps following the patent exclusion and the creation of the Patent Advisory Group.

12 November, 2015: W3C published a Member Submission: FIDO 2.0 Platform Specifications 1.0. FIDO Alliance lists this specification as "Proposed Standard Expanded to the World," a designation that carries patent commitments under the FIDO Alliance Membership Agreement, Section 6.2.1. Visa Inc. has throughout this period been a FIDO Alliance member.

8 February 2016: W3C Chartered the Web Authentication Working Group, taking the FIDO2.0 Member Submission as input.

31 May, 2016: The Web Authentication Working Group published the Web Authentication First Public Working Draft.

12-26 August, 2016: Visa Europe, a W3C Member not participating in the Web Authentication Working Group, disclosed and excluded claims from the Web Authentication Specification.

17 October, 2016: This PAG was chartered. The patent holder was invited to join PAG discussion and chose not to participate.

Analysis

Analysis of US Patent No. 7,707,102 (the '102 Patent)

The Web Authentication PAG believes that the technology described in US Patent 7,707,102: Method and apparatus for monitoring the collateral risk analysis commodity lenders does not apply to the Web Authentication Specification.

The '102 Patent consists of 13 claims, of which 3 claims are independent and 10 claims are dependent. The 3 independent claims of the '102 Patent are claim 1, claim 9, and claim 12, which all couch essentially the same invention in separate ways. Since none of the 3 independent claims is applicable to the Web Authentication Specification, none of the dependent claims of the '102 Patent is applicable to the Web Authentication Specification either. Although Visa Europe's disclosure excluded claims 1, 3, 11-17, 21, and 25-28, the '102 Patent has only 13 claims.

Below is further explanation of why the '102 Patent independent claims 1, 9, and 12 do not read on the Web Authentication Specification:

Claims Evaluation against Web Authentication Specification
1. A method of determining a collateral risk index for a collateral loan made on a commodity, executed on a computing means having a central processing unit, the method comprising the steps of:
(a) using said computing means to gather from one or more data sources a total number of closed sales, Sc, in a particular commodity market in a predetermined period of time;
(b) using said computing means to gather from one or more data sources a total number of sales which are pending, Sp, in said particular commodity market in said predetermined period of time;
(c) using said computing means to gather from one or more data sources a total number of expired listings, Le, in said particular commodity market in said predetermined period of time;
(d) using said computing means to gather from one or more data sources a total number of active listings La, in said particular commodity market in said predetermined period of time;
(e) determining, by said computing means, a market index, Mi, indicative of the strength of said particular commodity market over a period consisting of a length of days, Pd, in accordance with (figure)
(f) determining a ratio P of a loan balance, B, to a value of the commodity, V, wherein the loan balance, B and the value of the commodity, V are identified from the collateral loan;
(g) determining a collateral risk index, CRi by dividing the market index, Mi, by the loan balance ratio, P; and
(h) determining if action is required on the collateral loan based on the Collateral Risk Index to reduce a risk of loss, and if it is determined that action is required, determining a specific action for the collateral loan wherein a specific action is at least one action in a group of actions comprising monitoring the loan for signs of a default or selling the loan to a third party.
* The Web Authentication specification does not describe determining risk for collateral loans made on a commodity, or any related determinations.
* The Web Authentication specification does not describe gathering data regarding commodity markets.
9. A method of determining a risk of loss on loans for commodities in a lender's or investor's portfolio, executed on a computing means having a central processing unit, the method comprising the steps of:
(a) using said computing means to gather from data sources: the total number of closed sales in a predetermined period of time, Sc; the number of sales pending in said predetermined period of time, Sp; the number of listings which have expired in said predetermined period of time, Le; the number of commodities actively listed, La, at the end of said predetermined period of time; the balance due on a particular loan; and the value of the commodity for such loan;
(b) calculating, a total number of listed commodities in said particular commodity market, Tl, in accordance with the equation: Tl=Sc+Sp+Le;
(c) determining a total number of successfully marketed commodities, Ts in accordance with the equation: Ts=Sc+Sp;
(d) determining a demand index, D, as being Ts divided by Tl;
(e) calculating a rate of absorption, Ra, as being Ts divided by a length of days, Pd to be monitored;
(f) calculating a supply level, Si, as a ratio of La divided by Ra;
(g) calculating, by said computing means, a market index Mi indicative of the strength of the particular commodity market over Pd, as the ratio of D divided by Si;
(h) for a specific loan, calculating a ratio, P, of a value of the commodity, V, represented by a loan balance, B;
(i) calculating a collateral risk index CRi by dividing the market index Mi by the ratio, P; and
(j) evaluating if any remedial action to reduce the risk of loss is required with respect to specific commodity loans in the collateral risk index and if it is determined that remedial action is required, determining a specific remedial action for the collateral loans wherein the specific remedial action is at least one action in a group of actions comprising monitoring the loan for signs of a default or selling the loan to a third party.
* The Web Authentication specification does not describe determining risk for collateral loans made on a commodity, or any related calculations.
* The Web Authentication specification does not describe gathering data regarding commodity markets.
12. An apparatus for calculating a collateral risk index, CRi, determinative of a risk of loss with respect to a loan for a commodity, comprising:
(a) means for interfacing with one or more databases to gather: the total number of closed sales, Sc, in a commodity market in predetermined period of time; the total number of sales which are pending, Sp, in said market in said predetermined period of time; the total number of expired listings, Le, in said market in said period of time; the total number of active listings, La, in said market in said predetermined period of time; the balance, B, due on a specific loan; and, the value, V, of the commodity corresponding to the specific loan;
(b) computing means receiving from said means for interfacing said Sc, Sp, Le, La, B, and V parameters and calculating the collateral risk index determinative of the risk of loss, CRi, said collateral risk index, CRi, taking into account the strength of the particular commodity market over a period of time consisting of a length of days, Pd said computing means calculating said collateral risk index, CRi, in accordance with
(figure)
* The Web Authentication specification does not describe determining risk for collateral loans made on a commodity, or any related calculations.
* The Web Authentication specification does not describe gathering data regarding commodity markets.

Analysis of Patent Group 1

The Web Authentication PAG has grouped the following disclosed patents and patent applications for analysis:
* Laid-open/published patent application #12/617135 filed on 12 November 2009 (United States of America) held by Visa Europe
* Issued patent '2482558' (Canada) held by Visa Europe
* Issued patent '106986' (Singapore) held by Visa Europe
* Issued patent '1009942890000' (Republic of Korea) held by Visa Europe

Each of these four patents or applications is based on the same PCT application, PCT/US03/11952, and they have substantially identical disclosures and claims.

Claims Evaluation against Web Authentication Specification
1. A method by which a trusted party authenticates the identity of an account holder during a transaction between said account holder and a requesting party, said method comprising: establishing an online, Internet communication connection between said requesting party and an Internet-capable mobile device of said account holder in order to conduct said transaction; creating a condensed authentication request message at said requesting party; transmitting said condensed authentication request message to said trusted party via said mobile device of said account holder; verifying the identity of said account holder by said trusted party using an identity-authenticating token received from said account holder; creating a condensed authentication response message at said trusted party; transmitting said condensed authentication response message to said requesting party via said mobile device of said account holder; and validating, by said requesting party, that said condensed authentication response message indicates that the identity of said account holder is authenticated, whereby the identity of said account holder is authenticated by said trusted party for said requesting party.
* The Web Authentication specification does not describe verifying the identity of an account holder by a trusted party using an identity-authenticating token received from the account holder.
* The Web Authentication specification describes an interface between a Relying Party, an authenticator, and a user agent for authenticating users, and not a completed service as described in the claim. The Web Authentication API can be implemented by a party without performing the claimed method.
9. An account authentication system in which a trusted party authenticates the identity of an account holder with respect to an account during a transaction between said account holder and a requesting party, the system comprising: an Internet-capable mobile device of said account holder; a requesting party server configured to communicate online over the Internet with said mobile device of said account holder in order to process said transaction, said requesting party server further configured to create a condensed authentication request message and to transmit said request message to said trusted party via said mobile device; an access control server controlled by said trusted party and configured to communicate over the Internet with said mobile device of said account holder, said access control using an identity-authenticating token received from said account holder and to create a condensed authentication response message; and a requesting party software module configured to receive said condensed authentication response message and to validate that said response message indicates that the identity of said account holder is authenticated.
* The Web Authentication specification does not describe verifying the identity of an account holder by a trusted party using an identity-authenticating token received from the account holder.
* The Web Authentication specification describes an interface between a Relying Party, an authenticator, and a user agent for authenticating users, and not a completed service as described in the claim. The Web Authentication API can be implemented by a party without performing the claimed method.
* The Web Authentication specification does not describe an access control server controlled by said trusted party that communicates over the Internet with an account holder's mobile device.

Canada Patent No. 2,482,558 (the '558 Patent)

The Web Authentication PAG believes that the technology described in Canada Patent 2,482,558: Mobile account authentication service does not apply to the Web Authentication Specification.

The '558 Patent consists of 48 claims, of which 4 claims are independent and 44 claims are dependent. The 4 independent claims of the '558 Patent are claim 1, claim 15, claim 27, and claim 39. Visa Europe's disclosure excluded claims 1, 3, 6, and 11. Since the only excluded independent claim (claim 1) is not applicable to the Web Authentication Specification, none of the excluded dependent claims of the '558 Patent is applicable to the Web Authentication Specification.

Singapore Patent No. 106,986 (the '986 Patent)

The Web Authentication PAG believes that the technology described in Singapore Patent 106,986: Mobile authentication service does not apply to the Web Authentication Specification.

The '986 Patent consists of 40 claims, of which 4 claims are independent and 36 claims are dependent. The 4 independent claims of the '986 Patent are claim 1, claim 9, claim 16, and claim 28. Visa Europe's disclosure excluded claims 1, 3, 6, 9-10, 13, and 39. Since the 2 excluded independent claims (claims 1 and 9) are not applicable to the Web Authentication Specification, none of the excluded dependent claims of the '986 Patent is applicable to the Web Authentication Specification.

Republic of Korea Patent Registration No. 1009942890000 (the '000 Patent)

The Web Authentication PAG believes that the technology described in Republic of Korea Patent Registration No. 1009942890000 does not apply to the Web Authentication Specification.

The '000 Patent consists of 48 claims, of which 4 claims are independent and 44 claims are dependent. The 4 independent claims of the '000 Patent are claim 1, claim 9, claim 16, and claim 28. Visa Europe's disclosure excluded claims 1, 3, 6, 9-10, 13, 41-42, and 45-46. Since the 2 excluded independent claims (claims 1 and 9) are not applicable to the Web Authentication Specification, none of the excluded dependent claims of the '000 Patent is applicable to the Web Authentication Specification.

US Patent Application 12/617135

United States Patent Application 12/617135 has been published as US2010/0063895 A1. The 135 Application consists of 21 claims, of which 2 claims are independent and 19 claims are dependent. The 2 independent claims of the 135 Application are claim 1 and claim 13. Visa Europe's disclosure excluded claims 1, 3, 10-11, 22, and 24. Since the only excluded independent claim (claim 1) is not applicable to the Web Authentication Specification, none of the excluded dependent claims of the 135 Application is applicable to the Web Authentication Specification. As the 135 Application has only 21 claims, excluded claims 22 and 24 are disregarded by the PAG.

In addition to the reasons identified by the PAG as applicable to Patent Group 1, the 135 Application has differing claim language that does not apply to the Web Authentication Specification. Claim 1 of the 135 Application includes the additional steps of "contacting, by said trusted party, said mobile device of said account holder using a telephone number of said mobile device and establishing a text message channel or a voice channel;" and "receiving an identity-authenticating token from said mobile device over said text message channel or said voice channel." The Web Authentication Specification does not describe communication between a trusted party and a mobile device over a text message channel or a voice channel.

Analysis of US Patent Application 14/269999

United States Patent Application 14/269999 was granted as U.S. Patent No. 9,424,421 (the '421 Patent) on August 23, 2016, with identical claims. The PAG's analysis therefore refers to the '421 Patent in lieu of Patent Application 14/269999. The '421 Patent consists of 27 claims, of which 4 claims are independent and 23 claims are dependent. The 4 independent claims of the '421 Patent are claim 1, claim 11, claim 16, and claim 25. Visa Europe's disclosure excluded claims 1 and 5. Since the only excluded independent claim (claim 1) is not applicable to the Web Authentication Specification, the excluded dependent claim 5 of the '421 Patent is not applicable to the Web Authentication Specification either.

Claims Evaluation against Web Authentication Specification
1. A method comprising: executing, by a mobile computing device, a secure operating environment on the mobile computing device, wherein the secure operating environment executes on the mobile computing device independently of a host operating environment of the mobile computing device; receiving, by the secure operating environment, a request for a security service, the request received from an application executing in the secure operating environment; determining, by the secure operating environment, a security capability of the mobile computing device to provide the security service, wherein the security capability of the mobile computing device is provided in part by the host operating environment; determining, by the secure operating environment, a security capability of the secure operating environment to provide the security service; performing a comparison between the security capability of the mobile computing device and the security capability of the secure operating environment; selecting, by the secure operating environment, based on the comparison, a first security capability to provide the security service, wherein the first security capability is selected from one or both of the security capability of the mobile computing device or the security capability of the secure operating environment; and providing, by the secure operating environment, the security service to the application, wherein the security service is provided based on the first security capability.
* The Web Authentication specification describes an interface between a Relying Party, an authenticator, and a user agent for authenticating users, and not a completed service as described in the claim. The Web Authentication API can be implemented by a party without performing the claimed method.
* The Web Authentication specification does not describe a secure operating environment on a mobile computing device independent of a host operating environment.

Analysis of Patent Group 2

The Web Authentication PAG has grouped the following disclosed patents and patent applications for analysis:
* United States Patent Application 14/490522
* Australian Patent Application 2014323499

Both of these applications are based on the same PCT application, PCT/US2014/056388, and they have substantially identical disclosures and claims.

Claims Evaluation against Web Authentication Specification
1. A method comprising: receiving, at a management application located in a trusted execution environment associated with a mobile device, an account holder verification information; receiving, at the management application, a first account holder verification request from a first application; providing a first account holder verification response to the first application, wherein the first account holder verification response is generated by the management application using the account holder verification information; receiving, at the management application, a second account holder verification request from a second application; and providing a second account holder verification response to the second application, wherein the second account holder verification response is generated by the management application using the account holder verification information.
* The Web Authentication specification describes an interface between a Relying Party, an authenticator, and a user agent for authenticating users, and not a completed service as described in the claim. The Web Authentication API can be implemented by a party without performing the claimed method.
* The Web Authentication specification does not describe a management application that generates first and second account holder verification responses using the account holder verification information.
* The Web Authentication specification does not describe a management application located in a trusted execution environment.
22. A method comprising: receiving, by a first application provided on a mobile device, a payment request for a transaction conducted using the mobile device; sending, by the first application, an account holder verification request to a management application located in a trusted execution environment associated with the mobile device; receiving, at the first application, an account holder verification response from the management application, wherein the first account holder verification response is generated by the management application using account holder verification information provided to the management application by a user or a second application on the mobile device; and processing the payment request for the transaction based on the account holder verification response.
* The Web Authentication specification describes an interface between a Relying Party, an authenticator, and a user agent for authenticating users, and not a completed service as described in the claim. The Web Authentication API can be implemented by a party without performing the claimed method.
* The Web Authentication specification does not describe a management application on a mobile device that generates first account holder verification responses using account holder verification information provided by a user or a second application on the mobile device.
* The Web Authentication specification does not describe a management application located in a trusted execution environment.
* The Web Authentication specification does not describe a payment request or processing of a payment request or transaction.

United States Patent Application 14/490522 ('522 Application)

The '522 Application consists of 22 claims, of which 4 claims are independent and 18 claims are dependent. The 4 independent claims of the '522 Application are claim 1, claim 11, claim 12, and claim 22. Visa Europe's disclosure excluded claims 1-10 and claim 22. Since neither of the 2 excluded independent claims (claims 1 and 22) is applicable to the Web Authentication Specification, none of the excluded dependent claims of the '522 Application is applicable to the Web Authentication Specification.

Australian Patent Application 2014323499 ('499 Application)

The '499 Application consists of 22 claims, of which 4 claims are independent and 18 claims are dependent. The 4 independent claims of the '499 Application are claim 1, claim 11, claim 12, and claim 22. Visa Europe's disclosure excluded claims 1-10. Since the only excluded independent claim (claim 1) is not applicable to the Web Authentication Specification, none of the excluded dependent claims of the '499 Application is applicable to the Web Authentication Specification.

Commitments to FIDO Alliance

Furthermore, Visa has an independent commitment to provide royalty-free patent licenses to the Disclosed Patents' "Granted Claims" (as defined by the FIDO Alliance Membership Agreement) on the FIDO 2.0 Platform Specifications 1.0.

The Web Authentication Specification is based upon the FIDO 2.0 Platform Specifications 1.0, provided as a Member Submission to W3C. Through the FIDO Alliance process, FIDO Alliance designated this specification as "Proposed Standard Expanded to the World," making its royalty-free promise to "any party in the world" pursuant to Section 6.2.1 of the FIDO Alliance Membership Agreement. Visa Inc. was listed as a member of the FIDO Alliance throughout the period from November 2015 to the conclusion of this PAG.

Since the Web Authentication Specification remains functionally similar to the FIDO 2.0 Platform Specifications 1.0, the commitments made in FIDO would serve as an additional defense against any attempt by Visa to assert the Disclosed Patents against implementers or users of the Web Authentication Specification.

Conclusions

In this report, the PAG concludes that the Disclosed Patents do not contain Essential Claims as defined in the W3C Patent Policy and recommends that the Web Authentication Working Group continue to work on the Web Authentication Specification.

Recommendations

Taking into account the information made available to the PAG, the following recommendations are given:

The WebAuthn PAG recommends that work on the Web Authentication Specification should be continued without PAG-related change.

Disclaimer

None of the authors is your attorney. No part of this report is intended as legal advice either to W3C or to its members. It is intended merely as a summary of what the PAG has learned to date. Rely on this report entirely at your own risk. This analysis includes the personal opinions of the authors.

THESE RECOMMENDATIONS OF THE WEB AUTHENTICATION PATENT ADVISORY GROUP ARE NOT LEGAL ADVICE. NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THIS PATENT ADVISORY GROUP OR THEIR RESPECTIVE EMPLOYERS TAKES ANY RESPONSIBILITY FOR THE ACCURACY, LEGAL CORRECTNESS OR OTHER FITNESS FOR ANY PURPOSE OF THE INFORMATION PROVIDED IN THIS REPORT. ESPECIALLY, NEITHER W3C NOR ANY OF THE PARTICIPANTS OF THIS PATENT ADVISORY GROUP OR ANY OF THEIR RESPECTIVE EMPLOYERS MAKE ANY REPRESENTATION THAT FOLLOWING THE RECOMMENDATIONS HERE WILL AVOID AN INFRINGEMENT OF ANY PATENTS MENTIONED IN THE REPORT.