Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
Hi All,

Thanks for the inputs. This gives me a good understanding of these ciphers' usage.

Thanks and Regards
Jayalakshmi

On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote:

> On 07/12/2017 15:05, Michael Wojcik wrote:
>
>>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>>> Of Jakob Bohm
>>> Sent: Thursday, December 07, 2017 08:41
>>> To: openssl-users@openssl.org
>>>
>>> And I would still say that "consult a lawyer" is a useless answer,
>>> especially as most OpenSSL users will be in the same legal situation,
>>> and lawyers' opinions on patent matters are frequently found by courts
>>> to be wrong anyway.
>>
>> Well, I suppose we'll have to disagree on that point. Speaking
>> hypothetically, if I were the product owner for a commercial software
>> product that used OpenSSL, I would most certainly be raising the question
>> with corporate counsel.
>>
>> This is a complex and fraught area, and the OpenSSL Foundation is not
>> able (and I'm sure not inclined to try) to indemnify OpenSSL users against
>> infringement claims. To a large extent it doesn't matter what they say. A
>> license file in the OpenSSL distribution is not likely to discourage an IP
>> owner from claiming infringement if they're so inclined. At that point
>> "local" lawyers will be involved whether you like it or not.
>
> Of course OpenSSL cannot indemnify users. This is why my actual
> questions to the OpenSSL project were mostly about what 3rd party
> assurances that the project had received and could pass on. For
> example written patent license statements by Sun/Oracle (in
> conjunction with their 2002 ECC contribution), waivers by
> CertiCom etc.
>
> Even if some companies will want to run everything by their
> corporate counsel, corporate counsel can make much more useful
> statements if they can start from some legal documents and
> statements rather than having the lawyers try to pore over C
> code and published patents.
>
>> I also don't believe that "most OpenSSL users will be in the same legal
>> situation". Here again, patent law is complicated. And more importantly,
>> well-heeled users are much more likely targets of actual infringement
>> claims, which is a very different situation indeed.
>
> Point is, that in this global world, most producers are potentially
> exposed in lots of "foreign" jurisdictions, and most corporate
> counsel, while potentially well-heeled in general patent law, are
> unlikely to have specific knowledge of the various patents, licenses
> and waivers applicable to ECC crypto.
>
> Being able to say "we only ship to customers in China and outer Mongolia,
> and under those local laws there is no risk" is a lot rarer than "we ship
> globally except a few problematic destinations, we don't want to be
> hauled to the Eastern district of Texas by Certicom, so we want to
> know if we have contractual assurances that Certicom is OK with using
> OpenSSL builds that have the ECC code enabled"
>
> That latter situation happens to also be the situation of the OpenSSL
> project itself, except the degree of being a litigation magnet, thus the
> likelihood that the project has obtained some legal documents that can
> be passed on, making no independent promises other than those being true
> and accurate copies of documents signed by their outside authors.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
➢ The OP claimed the file was only in the FIPS tarballs, and not in the OpenSSL tarballs. My questions were based on that.

So the OP is wrong.

➢ Saying "in the distribution and website" is also quite vague and thus another example of a non-answer.

No it’s not. The OpenSSL distributions, starting with 1.1.0, have a README.ECC file that points to a license on the Website.

We are an open source project, we do not provide legal advice. This is consistent, we have never given patent advice, nor crypto import or export advice.
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Thursday, December 07, 2017 08:41
> To: openssl-users@openssl.org
>
> And I would still say that "consult a lawyer" is a useless answer,
> especially as most OpenSSL users will be in the same legal situation,
> and lawyers' opinions on patent matters are frequently found by courts
> to be wrong anyway.

Well, I suppose we'll have to disagree on that point. Speaking hypothetically, if I were the product owner for a commercial software product that used OpenSSL, I would most certainly be raising the question with corporate counsel.

This is a complex and fraught area, and the OpenSSL Foundation is not able (and I'm sure not inclined to try) to indemnify OpenSSL users against infringement claims. To a large extent it doesn't matter what they say. A license file in the OpenSSL distribution is not likely to discourage an IP owner from claiming infringement if they're so inclined. At that point "local" lawyers will be involved whether you like it or not.

I also don't believe that "most OpenSSL users will be in the same legal situation". Here again, patent law is complicated. And more importantly, well-heeled users are much more likely targets of actual infringement claims, which is a very different situation indeed.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
On 07/12/2017 13:39, Salz, Rich via openssl-users wrote:

> README.ECC has never been part of 1.0.2 and is always part of the 1.1.0 tarballs; do you have evidence otherwise?
>
> I don’t think the team is going to answer any questions beyond what is already in the distribution and website except to say that the license is NOT limited to the FIPS releases.

The OP claimed the file was only in the FIPS tarballs, and not in the OpenSSL tarballs. My questions were based on that.

And I would still say that "consult a lawyer" is a useless answer, especially as most OpenSSL users will be in the same legal situation, and lawyers' opinions on patent matters are frequently found by courts to be wrong anyway.

Saying "in the distribution and website" is also quite vague and thus another example of a non-answer.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
README.ECC has never been part of 1.0.2 and is always part of the 1.1.0 tarballs; do you have evidence otherwise?

I don’t think the team is going to answer any questions beyond what is already in the distribution and website except to say that the license is NOT limited to the FIPS releases.
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
On 06/12/2017 14:51, Michael Wojcik wrote:

> This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jayalakshmi bhat
>> Sent: Wednesday, December 06, 2017 01:07
>>
>> Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to get the license from Certicom?
>
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.

I believe what most people want, rather than the unconfirmed opinion of a random local patent lawyer is public answers to the following:

Answers by the OpenSSL team (I have tried to pin this out into easily answered questions that someone on the team should already know):

- Why is the README.ECC file not included in the regular OpenSSL tarballs?

- Has the OpenSSL project or foundation received any kind of firm legal opinion (or even better a judicial or contractual opinion) as to the question if the license referenced in the README.ECC in the FIPS tarballs applies to the ECC code in the regular OpenSSL tarballs.

- Has the OpenSSL project or foundation received any kind of firm legal opinion (or better) as to the question if the license referenced in FIPS README.ECC applies to non-validated builds of the FIPS tarball (such as modified builds).

- Has the OpenSSL project or foundation received any kind of firm legal opinion (or better) if the license referenced in the FIPS README.ECC applies to uses of the validated FIPS blob in code that does not (and is not in fact) claim to be covered by the FIPS validation (such as a modified OpenSSL that invokes the ECC code in the blob even in non-FIPS mode).

- Is there a technically safe way to copy the ECC code from the FIPS tarball to a build of non-FIPS OpenSSL?

Answers by Certicom/Blackberry as patent holders (I have split this into questions that Certicom/Blackberry should be able to easily answer based on their own policies, except perhaps the first one):

Note that while the answers and questions below may resemble lawsuit related questions such as "claim construction charts", it is being asked outside such context for the purpose of easing compliance with existing license/sublicense contracts, and to facilitate respect for their intellectual property, either by acting within granted licenses, obtaining additional licenses where needed or abstaining from using the patented technology without a valid license. As CC/BB may know, OpenSSL is a widely used software library making public statements a more efficient means of handling this rather than each and every commercial OpenSSL user entering into near-identical individual private negotiations.

- Which CC/BB patents (numbers and maybe claims) are applicable to the recent 1.0.2*, 1.1.0* and git head branches? For clarity, the answers should probably identify specific files and file versions, to protect CC/BB from accidental estoppel regarding the use of additional CC/BB patented technology in files they have not examined. Note that this answer will probably form the basis for the answers to the questions below.

- Does CC/BB suggest/require that products using any such CC/BB patented technology through the OpenSSL licensing mark their licensed products with any particular patent notices?

- Does CC/BB demand or not an additional patent license for invocation of the regular OpenSSL ECC code by the OpenSSL SSL/TLS code in non-FIPS scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for invocation of the regular OpenSSL ECC code in other scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for use of the regular OpenSSL ECC code for curves and/or algorithms not standardized in the NIST FIPS documents?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
Hi Michael

Thanks for the input.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:21 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> This probably should just have gone to openssl-users. Please don't copy
> every question to openssl-dev.
>
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> > Behalf Of Jayalakshmi bhat
> > Sent: Wednesday, December 06, 2017 01:07
> >
> > Does it mean that, to use ECC ciphers from OpenSSL, the end user needs
> > to get the license from Certicom?
>
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and
> vexed history, and legal advice from random people on the Internet isn't
> worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current
> holder of the ECC patents obtained by Certicom, to the best of my knowledge.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jayalakshmi bhat
> Sent: Wednesday, December 06, 2017 01:07
>
> Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to
> get the license from Certicom?

Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.

Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
[openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms
Hi,

I have a question on the ECC ciphers implementation in OpenSSL. I do see a README.ECC file in the FIPS certified OpenSSL crypto library. That says:

    The OpenSSL Software Foundation has executed a sublicense agreement entitled "Elliptic Curve Cryptography Patent License Agreement" with the National Security Agency/ Central Security Service Commercial Solutions Center (NCSC) dated 2010-11-04.

However, the OpenSSL library does not include this file. Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to get the license from Certicom?

Thanks and Regards
Jayalakshmi