Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Jakob Bohm 

On 02/09/2016 03:27, Kyle Hamilton wrote:


On Thu, Sep 1, 2016 at 3:43 PM, Salz, Rich >wrote:


> The existence of the NSA agreement is a partial answer to the first
question,
> though it seems unclear if this license is recursively
sublicensed through 3rd
> parties or not.

They knew they were licensing an open source toolkit.


So, it looks as though the only way for any one of us to be able to 
have a patent license under the NSA's license to OpenSSL Software 
Foundation is to get a separate license from you that doesn't allow us 
to redistribute or resell it.  (I'm not a lawyer, but it appears to be 
the only way that we would be able to qualify under the "End User" 
definition 1A, as referenced in the grant under section 2.)

Or maybe there is some quirk of US copyright law which causes the
"have made" clause to formally include all copying of OpenSSL done
under license from the Foundation, as those are done under the
Foundation's exclusive right (as copyright holder) to "have copies
made".  I honestly don't know.


Is such a license available?  Could such a license be granted 
severally to the same people who also receive the standard BSD 
license, such that each individual actually receives two separate 
licenses for the same code (i.e., one granted with extremely limited 
rights solely for the purpose of qualifying to receive the NSA ECC 
patent license, the other being separately granted to permit 
redistribution and resale of integrated components but not granting 
any ECC license transitively)?


If such a severed license were possible, I would think that such would 
require that the recipient of the first (limited) license obtain the 
code directly from openssl.org .



Kind of why I asked.  And that would be impractical where OpenSSL
is already linked into something (such as the firmware of a
Telephone).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Kyle Hamilton 
On Thu, Sep 1, 2016 at 3:43 PM, Salz, Rich  wrote:

> > The existence of the NSA agreement is a partial answer to the first
> question,
> > though it seems unclear if this license is recursively sublicensed
> through 3rd
> > parties or not.
>
> They knew they were licensing an open source toolkit.
>

So, it looks as though the only way for any one of us to be able to have a
patent license under the NSA's license to OpenSSL Software Foundation is to
get a separate license from you that doesn't allow us to redistribute or
resell it.  (I'm not a lawyer, but it appears to be the only way that we
would be able to qualify under the "End User" definition 1A, as referenced
in the grant under section 2.)

Is such a license available?  Could such a license be granted severally to
the same people who also receive the standard BSD license, such that each
individual actually receives two separate licenses for the same code (i.e.,
one granted with extremely limited rights solely for the purpose of
qualifying to receive the NSA ECC patent license, the other being
separately granted to permit redistribution and resale of integrated
components but not granting any ECC license transitively)?

If such a severed license were possible, I would think that such would
require that the recipient of the first (limited) license obtain the code
directly from openssl.org.

-Kyle H
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Salz, Rich 
It's hard to answer these questions without wandering down the "legal advice" 
alleyway.

I think Steve's post answered your questions.


> >> - Was the OpenSSL ECC code provided under a still-valid patent
> >>   license from someone in the power to grant it, perhaps Sun
> >>   (now Oracle America)?

This is our belief.

> >> - Is the FIPS mode ECC covered through some US Government or
> >>   sponsor license?,  And if so, does this license extend to
> >>   some non-FIPS scenarios, such as invoking the FIPS blob ECC
> >>   code from a non-FIPS application (perhaps by modifying a
> >>   FIPS-capable OpenSSL library to do so even in non-FIPS
> >>   mode)?

The license is for the OpenSSL toolkit, and you can now read it easily online.

> >> - Are there portions of the ECC code in OpenSSL which one
> >>   should disable at configure time, similar to how RSA and
> >>   IDEA were often disabled in the past?

No idea.

> >> - Is this situation different depending on the OpenSSL
> >>   library version?

Not that we know.

> My questions were being very specific precisely to avoid that, and to be of
> general interest rather than anything specific to what I do myself.

I know you were asking on behalf of the community.  Thanks.
 
> The existence of the NSA agreement is a partial answer to the first question,
> though it seems unclear if this license is recursively sublicensed through 3rd
> parties or not.

They knew they were licensing an open source toolkit.

Hope this helps.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Jakob Bohm 

On 01/09/2016 20:11, Steve Marquess wrote:

On 09/01/2016 08:22 AM, Jakob Bohm wrote:

Dear OpenSSL team,

Given the recent patent lawsuit between RIM/CertiCom and Avaya
mentioning the ECC code in OpenSSL, what is (according to the
OpenSSL team) the patent status of the ECC code in OpenSSL?

Specifically:

- Was the OpenSSL ECC code provided under a still-valid patent
  license from someone in the power to grant it, perhaps Sun
  (now Oracle America)?

- Is the FIPS mode ECC covered through some US Government or
  sponsor license?,  And if so, does this license extend to
  some non-FIPS scenarios, such as invoking the FIPS blob ECC
  code from a non-FIPS application (perhaps by modifying a
  FIPS-capable OpenSSL library to do so even in non-FIPS
  mode)?

- Are there portions of the ECC code in OpenSSL which one
  should disable at configure time, similar to how RSA and
  IDEA were often disabled in the past?

- Is this situation different depending on the OpenSSL
  library version?

Jacob, for any patent or licensing issues you really need to consult
competent legal counsel. Under the U.S. legal system anyone with deep
pockets can bring suit against anyone for frivolous reasons.  You'll
want to consult with your counsel to determine the level of risk for
your particular circumstances. If a patent troll targets you for a
shakedown the legal virtues of your defense are far less relevant than
the size of your pocketbook.

What on earth made you think I was asking about "legal advice"?

My questions were being very specific precisely to avoid that,
and to be of general interest rather than anything specific
to what I do myself.


I do know that some OpenSSL end users have chosen to omit certain
algorithm implementations for perceived legal reasons.  The OpenSSL FIPS
Object Module is provided in both full and ECC-free versions; the latter
at the request of a validation sponsor. As far as I know that ECC-free
version (openssl-fips-ecp-2.0.N.tar.gz) has seen very little use though,
even by that original sponsor.

Indeed, my main point is that there seem to have been a somewhat
sudden shift in policy from the company (Certicom/RIM) that
generally holds most ECC patents, and that this shift in policy
might change the /practical/ advice as to which portions of OpenSSL
should be used in typical deployments.


All that said, we believe all code in OpenSSL to be properly licensed
under the legal systems of most countries. We are also members of the
Open Invention Network. We have a NSA ECC sublicense
(https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and
offer any legal advice, though; for that you'll need to check with your
own legal counsel.

As far as I understand, the OIN helps only if the OpenSSL Foundation
itself became a defendant needing to counter sue etc. (I presume
the OIN is one of those nice patent pools that generally promise
not to sue non-aggressors, making their patents a non-issue for
non-member non-aggressors).

The existence of the NSA agreement is a partial answer to the first
question, though it seems unclear if this license is recursively
sublicensed through 3rd parties or not.

Again not asking for legal advice, merely the general extent of the
(sub-)license provided by the OpenSSL Foundation to the rest of the
community (not just me, but almost everyone).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ECC patent status questions

2016-09-01 Thread Steve Marquess 
On 09/01/2016 08:22 AM, Jakob Bohm wrote:
> Dear OpenSSL team,
> 
> Given the recent patent lawsuit between RIM/CertiCom and Avaya
> mentioning the ECC code in OpenSSL, what is (according to the
> OpenSSL team) the patent status of the ECC code in OpenSSL?
> 
> Specifically:
> 
> - Was the OpenSSL ECC code provided under a still-valid patent
>  license from someone in the power to grant it, perhaps Sun
>  (now Oracle America)?
> 
> - Is the FIPS mode ECC covered through some US Government or
>  sponsor license?,  And if so, does this license extend to
>  some non-FIPS scenarios, such as invoking the FIPS blob ECC
>  code from a non-FIPS application (perhaps by modifying a
>  FIPS-capable OpenSSL library to do so even in non-FIPS
>  mode)?
> 
> - Are there portions of the ECC code in OpenSSL which one
>  should disable at configure time, similar to how RSA and
>  IDEA were often disabled in the past?
> 
> - Is this situation different depending on the OpenSSL
>  library version?


Jacob, for any patent or licensing issues you really need to consult
competent legal counsel. Under the U.S. legal system anyone with deep
pockets can bring suit against anyone for frivolous reasons.  You'll
want to consult with your counsel to determine the level of risk for
your particular circumstances. If a patent troll targets you for a
shakedown the legal virtues of your defense are far less relevant than
the size of your pocketbook.

I do know that some OpenSSL end users have chosen to omit certain
algorithm implementations for perceived legal reasons.  The OpenSSL FIPS
Object Module is provided in both full and ECC-free versions; the latter
at the request of a validation sponsor. As far as I know that ECC-free
version (openssl-fips-ecp-2.0.N.tar.gz) has seen very little use though,
even by that original sponsor.

All that said, we believe all code in OpenSSL to be properly licensed
under the legal systems of most countries. We are also members of the
Open Invention Network. We have a NSA ECC sublicense
(https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and
offer any legal advice, though; for that you'll need to check with your
own legal counsel.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
20-22 Wenlock Road
London N1 7GU
United Kingdom
+44 1785508015
+1 301 874 2571 direct
marqu...@opensslfoundation.org
ste...@openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users