On 27/01/15 13:12, [email protected] wrote:
>
>
>> Why? We have an explicit licence enabling its use - so why shouldn't it
>> be on?
>>
>> Matt
>
>
> You do, but I don't, and other users of OpenSSL don't either. According to
> my legal advice at least - your Lawyer may disagree. The linked pdf doesn't
> solve the problem apparently.
>
> That there is an *issued* patent on the algorithm at all immediately makes it
> "controversial", and probably doomed to die. Compare what the BBC did with
> the Dirac patents - the patent was publicly filed and then they explicitly
> let the application lapse without getting the patent issued within the
> timeframe. Once a patent is actually issued, there is always someone who
> is going to have a problem.
>
> So the question is: Why did they pay for the Patent unless there is an
> intention to require Royalties? Are you or OpenSSL going to pay my
> royalty fees and/or legal costs if I am found to be infringing on this known
> patent?
>
> If you are not happy to be responsible for legal costs, then I recommend you
> disable it by default to avoid any such confusion...

The answer to that is in the OpenSSL licence:

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.

and is also covered by the OpenSSL FAQ:
https://www.openssl.org/support/faq.html#LEGAL1

However, it is not the first time that there are things within OpenSSL
with patents, and it is not without precedent to have these things
switched on (e.g. some distributions have disabled EC stuff because of
patent concerns, which is on by default in standard OpenSSL).

We did get our own legal advice before including it and those lawyers
advised us that we were ok with the patent licence we have been granted.
Your mileage may vary with your own legal advice (and of course that may
vary depending on where in the world you are located)...hence the FAQ
link I provided above.

The option to disable OCB has been provided for the cautious.

Matt
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
