Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-10 Thread Jayalakshmi bhat
Hi All,

Thanks for the inputs. This gives me a good understanding of these ciphers'
usage.

Thanks and Regards
Jayalakshmi

On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote:

> On 07/12/2017 15:05, Michael Wojcik wrote:
>
>>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>>> Of Jakob Bohm
>>> Sent: Thursday, December 07, 2017 08:41
>>> To: openssl-users@openssl.org
>>>
>>> And I would still say that "consult a lawyer" is a useless answer,
>>> especially as most OpenSSL users will be in the same legal situation,
>>> and lawyers' opinions on patent matters are frequently found by courts
>>> to be wrong anyway.
>>>
>> Well, I suppose we'll have to disagree on that point. Speaking
>> hypothetically, if I were the product owner for a commercial software
>> product that used OpenSSL, I would most certainly be raising the question
>> with corporate counsel.
>>
>> This is a complex and fraught area, and the OpenSSL Foundation is not
>> able (and I'm sure not inclined to try) to indemnify OpenSSL users against
>> infringement claims. To a large extent it doesn't matter what they say. A
>> license file in the OpenSSL distribution is not likely to discourage an IP
>> owner from claiming infringement if they're so inclined. At that point
>> "local" lawyers will be involved whether you like it or not.
>>
> Of course OpenSSL cannot indemnify users.  This is why my actual
> questions to the OpenSSL project were mostly about what 3rd party
> assurances that the project had received and could pass on.  For
> example written patent license statements by Sun/Oracle (in
> conjunction with their 2002 ECC contribution), waivers by
> CertiCom etc.
>
> Even if some companies will want to run everything by their
> corporate counsel, corporate counsel can make much more useful
> statements if they can start from some legal documents and
> statements rather than having the lawyers try to pore over C
> code and published patents.
>
>> I also don't believe that "most OpenSSL users will be in the same legal
>> situation". Here again, patent law is complicated. And more importantly,
>> well-heeled users are much more likely targets of actual infringement
>> claims, which is a very different situation indeed.
>>
> Point is, that in this global world, most producers are potentially
> exposed in lots of "foreign" jurisdictions, and most corporate
> counsel, while potentially well-heeled in general patent law, are
> unlikely to have specific knowledge of the various patents, licenses
> and waivers applicable to ECC crypto.
>
> Being able to say "we only ship to customers in China and outer Mongolia,
> and under those local laws there is no risk" is a lot rarer than "we ship
> globally except a few problematic destinations, we don't want to be
> hauled to the Eastern district of Texas by Certicom, so we want to
> know if we have contractual assurances that Certicom is OK with using
> OpenSSL builds that have the ECC code enabled"
>
> That latter situation happens to also be the situation of the OpenSSL
> project itself, except the degree of being a litigation magnet, thus the
> likelihood that the project has obtained some legal documents that can
> be passed on, making no independent promises other than those being true
> and accurate copies of documents signed by their outside authors.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-07 Thread Salz, Rich via openssl-users
> The OP claimed the file was only in the FIPS tarballs, and not in the
> OpenSSL tarballs.  My questions were based on that.

So the OP is wrong. 

> Saying "in the distribution and website" is also quite vague and
> thus another example of a non-answer.

No, it’s not.  The OpenSSL distributions, starting with 1.1.0, have a README.ECC
file that points to a license on the Website.

We are an open source project, we do not provide legal advice.  This is 
consistent, we have never given patent advice, nor crypto import or export 
advice.




Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-07 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Thursday, December 07, 2017 08:41
> To: openssl-users@openssl.org
> 
> And I would still say that "consult a lawyer" is a useless answer,
> especially as most OpenSSL users will be in the same legal situation,
> and lawyers' opinions on patent matters are frequently found by courts
> to be wrong anyway.

Well, I suppose we'll have to disagree on that point. Speaking hypothetically, 
if I were the product owner for a commercial software product that used 
OpenSSL, I would most certainly be raising the question with corporate counsel.

This is a complex and fraught area, and the OpenSSL Foundation is not able (and 
I'm sure not inclined to try) to indemnify OpenSSL users against infringement 
claims. To a large extent it doesn't matter what they say. A license file in 
the OpenSSL distribution is not likely to discourage an IP owner from claiming 
infringement if they're so inclined. At that point "local" lawyers will be 
involved whether you like it or not.

I also don't believe that "most OpenSSL users will be in the same legal 
situation". Here again, patent law is complicated. And more importantly, 
well-heeled users are much more likely targets of actual infringement claims, 
which is a very different situation indeed.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 


 


Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-07 Thread Jakob Bohm

On 07/12/2017 13:39, Salz, Rich via openssl-users wrote:

> README.ECC has never been part of 1.0.2 and is always part of the 1.1.0
> tarballs; do you have evidence otherwise?
>
> I don’t think the team is going to answer any questions beyond what is already
> in the distribution and website except to say that the license is NOT limited
> to the FIPS releases.

The OP claimed the file was only in the FIPS tarballs, and not in the
OpenSSL tarballs.  My questions were based on that.

And I would still say that "consult a lawyer" is a useless answer,
especially as most OpenSSL users will be in the same legal situation,
and lawyers' opinions on patent matters are frequently found by courts
to be wrong anyway.

Saying "in the distribution and website" is also quite vague and
thus another example of a non-answer.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-07 Thread Salz, Rich via openssl-users
README.ECC has never been part of 1.0.2 and is always part of the 1.1.0
tarballs; do you have evidence otherwise?

I don’t think the team is going to answer any questions beyond what is already
in the distribution and website except to say that the license is NOT limited
to the FIPS releases.
 



Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-06 Thread Jakob Bohm

On 06/12/2017 14:51, Michael Wojcik wrote:

> This probably should just have gone to openssl-users. Please don't copy every
> question to openssl-dev.
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
>> Jayalakshmi bhat
>> Sent: Wednesday, December 06, 2017 01:07
>>
>> Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to
>> get the license from Certicom?
>
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed
> history, and legal advice from random people on the Internet isn't worth what
> you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current holder of
> the ECC patents obtained by Certicom, to the best of my knowledge.


I believe what most people want, rather than the unconfirmed opinion of
a random local patent lawyer is public answers to the following:



Answers by the OpenSSL team (I have tried to pin this out into easily
answered questions that someone on the team should already know):

- Why is the README.ECC file not included in the regular OpenSSL
 tarballs?

- Has the OpenSSL project or foundation received any kind of firm legal
 opinion (or even better a judicial or contractual opinion) as to the
 question if the license referenced in the README.ECC in the FIPS
 tarballs applies to the ECC code in the regular OpenSSL tarballs.

- Has the OpenSSL project or foundation received any kind of firm legal
 opinion (or better) as to the question if the license referenced in
 FIPS README.ECC applies to non-validated builds of the FIPS tarball
 (such as modified builds).

- Has the OpenSSL project or foundation received any kind of firm legal
 opinion (or better) if the license referenced in the FIPS README.ECC
 applies to uses of the validated FIPS blob in code that does not (and
 is not in fact) claim to be covered by the FIPS validation (such as a
 modified OpenSSL that invokes the ECC code in the blob even in
 non-FIPS mode).

- Is there a technically safe way to copy the ECC code from the FIPS
 tarball to a build of non-FIPS OpenSSL?



Answers by Certicom/Blackberry as patent holders (I have split this into
questions that Certicom/Blackberry should be able to easily answer based
on their own policies, except perhaps the first one):

Note that while the answers and questions below may resemble lawsuit
related questions such as "claim construction charts", it is being asked
outside such context for the purpose of easing compliance with existing
license/sublicense contracts, and to facilitate respect for their
intellectual property, either by acting within granted licenses, obtaining
additional licenses where needed or abstaining from using the patented
technology without a valid license.

As CC/BB may know, OpenSSL is a widely used software library making public
statements a more efficient means of handling this rather than each and
every commercial OpenSSL user entering into near-identical individual
private negotiations.

- Which CC/BB patents (numbers and maybe claims) are applicable to the
 recent 1.0.2*, 1.1.0* and git head branches?  For clarity, the answers
 should probably identify specific files and file versions, to protect
 CC/BB from accidental estoppel regarding the use of additional CC/BB
 patented technology in files they have not examined.  Note that this
 answer will probably form the basis for the answers to the questions
 below.

- Does CC/BB suggest/require that products using any such CC/BB patented
 technology through the OpenSSL licensing mark their licensed products
 with any particular patent notices?

- Does CC/BB demand or not an additional patent license for invocation
 of the regular OpenSSL ECC code by the OpenSSL SSL/TLS code in non-FIPS
 scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for invocation
 of the regular OpenSSL ECC code in other scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for use of the
 regular OpenSSL ECC code for curves and/or algorithms not standardized
 in the NIST FIPS documents?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-06 Thread Jayalakshmi bhat
Hi Michael

Thanks for the input.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:21 PM, Michael Wojcik <
michael.woj...@microfocus.com> wrote:

> This probably should just have gone to openssl-users. Please don't copy
> every question to openssl-dev.
>
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> > Behalf Of Jayalakshmi bhat
> > Sent: Wednesday, December 06, 2017 01:07
>
> > Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to
> > get the license from Certicom?
>
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and
> vexed history, and legal advice from random people on the Internet isn't
> worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current
> holder of the ECC patents obtained by Certicom, to the best of my knowledge.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>


Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-06 Thread Michael Wojcik
This probably should just have gone to openssl-users. Please don't copy every 
question to openssl-dev.

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Jayalakshmi bhat
> Sent: Wednesday, December 06, 2017 01:07

> Does it mean that, to use ECC ciphers from OpenSSL, the end user needs to
> get the license from Certicom?

Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed 
history, and legal advice from random people on the Internet isn't worth what 
you pay for it.

Certicom was purchased by Blackberry years ago; they are the current holder of 
the ECC patents obtained by Certicom, to the best of my knowledge.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 
