Re: Basic ECC in NSS 3.12.4 with NSPR 4.8

2009-11-04 Thread Rob Stradling
Frank, I'm pretty sure you meant to say Certicom (who are now owned by RIM) 
rather than Entrust.  (Perhaps you were thinking of Entrust's CRL Distribution 
Points patent, a license for which was granted to Mozilla relatively 
recently?)

Certicom have said that their desire is to facilitate the wide-scale adoption 
and proliferation of Elliptic Curve Cryptography (ECC) technology and that 
they will, upon request, provide a nonexclusive, royalty free patent license, 
to manufacturers to permit end users (including both client and server sides), 
to use the patents...

https://datatracker.ietf.org/ipr/1154/
http://www.certicom.com/images/pdfs/certicom%20-ipr-contribution-to-ietfsept08.pdf

Does anybody know if Mozilla/NSS has actually requested and obtained a 
nonexclusive, royalty free patent license from Certicom/RIM?

On Tuesday 03 November 2009 18:49:57 Frank Hecker wrote:
> David Stutzman wrote:
> > Rob Stradling wrote:
> > A question for the NSS devs:
> > Is there any reason why NSS couldn't be changed to assume
> > NSS_ENABLE_ECC=1 by default?
>
> > Yes...
> > http://fedoraproject.org/wiki/User:Peter/Disabled_applications
>
> > Disabled features:
> > Elliptic Curve crypto algorithm
>
> > Reasons:
> > software patents and US Laws (?)
>
> I think these reasons are out of date and not applicable.
>
> Re patents, Entrust freely licensed enough of their ECC-relevant patents
> to permit it to be implemented in NSS (though IIRC Entrust retains
> rights to certain ECC-related patent, which is why the NSS
> implementation doesn't include as many ECC features as it otherwise might).
>
> Re US laws, to my knowledge there are no US laws or regulations that
> would specifically affect ECC as opposed to other encryption mechanisms.
> US encryption export control regulations don't distinguish between ECC
> and (e.g.) RSA, AES, etc., and have permitted export of open source
> encryption code since 2000 or so.
>
> Frank
 

Rob Stradling
Senior Research & Development Scientist
C·O·M·O·D·O
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Basic ECC in NSS 3.12.4 with NSPR 4.8

2009-11-04 Thread Frank Hecker

Rob Stradling wrote:
> Frank, I'm pretty sure you meant to say Certicom (who are now owned by RIM)
> rather than Entrust.  (Perhaps you were thinking of Entrust's CRL Distribution
> Points patent, a license for which was granted to Mozilla relatively
> recently?)


D'oh! You are correct, I was thinking of Entrust and CRLDP. As far as I 
can tell the inclusion of ECC into NSS was based on NSS implementing 
non-patented ECC techniques.


> Certicom have said that their desire is to facilitate the wide-scale adoption
> and proliferation of Elliptic Curve Cryptography (ECC) technology and that
> they will, upon request, provide a nonexclusive, royalty free patent license,
> to manufacturers to permit end users (including both client and server sides),
> to use the patents...
>
> https://datatracker.ietf.org/ipr/1154/
> http://www.certicom.com/images/pdfs/certicom%20-ipr-contribution-to-ietfsept08.pdf


I hadn't seen these documents previously. Note that they date from after 
the implementation of ECC functionality in NSS, which I believe was done 
in 2006 in the Firefox 2 timeframe.


> Does anybody know if Mozilla/NSS has actually requested and obtained a
> nonexclusive, royalty free patent license from Certicom/RIM?


To my knowledge Mozilla has not; I can't speak for Sun or Red Hat.

Note that the general problem with these licenses is that they typically 
apply only to the original licensee (e.g., Mozilla, if we were to get a 
license) and don't in and of themselves permit downstream licensees of 
the open source code to practice the patent themselves with respect to 
derivative works of the open source code. This is a major obstacle with 
respect to using such patents in open source products. I'm not a lawyer, 
but I strongly suspect that the current form of the Certicom license 
would be judged incompatible with the patent grant language in the MPL, 
GPL, and LGPL.


If so, the near-term chances of our being able to use such patents in 
the context of NSS is slim to none. We may have to wait until the 
patents expire or until Certicom further loosens the license language 
(which depends on its own business interests, of course).


Frank

--
Frank Hecker
hec...@mozillafoundation.org