On 01/09/2016 20:11, Steve Marquess wrote:
On 09/01/2016 08:22 AM, Jakob Bohm wrote:
Dear OpenSSL team,
Given the recent patent lawsuit between RIM/CertiCom and Avaya
mentioning the ECC code in OpenSSL, what is (according to the
OpenSSL team) the patent status of the ECC code in OpenSSL?
Specifically:
- Was the OpenSSL ECC code provided under a still-valid patent
license from someone in the power to grant it, perhaps Sun
(now Oracle America)?
- Is the FIPS mode ECC covered through some US Government or
sponsor license?, And if so, does this license extend to
some non-FIPS scenarios, such as invoking the FIPS blob ECC
code from a non-FIPS application (perhaps by modifying a
FIPS-capable OpenSSL library to do so even in non-FIPS
mode)?
- Are there portions of the ECC code in OpenSSL which one
should disable at configure time, similar to how RSA and
IDEA were often disabled in the past?
- Is this situation different depending on the OpenSSL
library version?
Jacob, for any patent or licensing issues you really need to consult
competent legal counsel. Under the U.S. legal system anyone with deep
pockets can bring suit against anyone for frivolous reasons. You'll
want to consult with your counsel to determine the level of risk for
your particular circumstances. If a patent troll targets you for a
shakedown the legal virtues of your defense are far less relevant than
the size of your pocketbook.
What on earth made you think I was asking about "legal advice"?
My questions were being very specific precisely to avoid that,
and to be of general interest rather than anything specific
to what I do myself.
I do know that some OpenSSL end users have chosen to omit certain
algorithm implementations for perceived legal reasons. The OpenSSL FIPS
Object Module is provided in both full and ECC-free versions; the latter
at the request of a validation sponsor. As far as I know that ECC-free
version (openssl-fips-ecp-2.0.N.tar.gz) has seen very little use though,
even by that original sponsor.
Indeed, my main point is that there seem to have been a somewhat
sudden shift in policy from the company (Certicom/RIM) that
generally holds most ECC patents, and that this shift in policy
might change the /practical/ advice as to which portions of OpenSSL
should be used in typical deployments.
All that said, we believe all code in OpenSSL to be properly licensed
under the legal systems of most countries. We are also members of the
Open Invention Network. We have a NSA ECC sublicense
(https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and
offer any legal advice, though; for that you'll need to check with your
own legal counsel.
As far as I understand, the OIN helps only if the OpenSSL Foundation
itself became a defendant needing to counter sue etc. (I presume
the OIN is one of those nice patent pools that generally promise
not to sue non-aggressors, making their patents a non-issue for
non-member non-aggressors).
The existence of the NSA agreement is a partial answer to the first
question, though it seems unclear if this license is recursively
sublicensed through 3rd parties or not.
Again not asking for legal advice, merely the general extent of the
(sub-)license provided by the OpenSSL Foundation to the rest of the
community (not just me, but almost everyone).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
