On 09/01/2016 08:22 AM, Jakob Bohm wrote: > Dear OpenSSL team, > > Given the recent patent lawsuit between RIM/CertiCom and Avaya > mentioning the ECC code in OpenSSL, what is (according to the > OpenSSL team) the patent status of the ECC code in OpenSSL? > > Specifically: > > - Was the OpenSSL ECC code provided under a still-valid patent > license from someone in the power to grant it, perhaps Sun > (now Oracle America)? > > - Is the FIPS mode ECC covered through some US Government or > sponsor license?, And if so, does this license extend to > some non-FIPS scenarios, such as invoking the FIPS blob ECC > code from a non-FIPS application (perhaps by modifying a > FIPS-capable OpenSSL library to do so even in non-FIPS > mode)? > > - Are there portions of the ECC code in OpenSSL which one > should disable at configure time, similar to how RSA and > IDEA were often disabled in the past? > > - Is this situation different depending on the OpenSSL > library version? Jacob, for any patent or licensing issues you really need to consult competent legal counsel. Under the U.S. legal system anyone with deep pockets can bring suit against anyone for frivolous reasons. You'll want to consult with your counsel to determine the level of risk for your particular circumstances. If a patent troll targets you for a shakedown the legal virtues of your defense are far less relevant than the size of your pocketbook. I do know that some OpenSSL end users have chosen to omit certain algorithm implementations for perceived legal reasons. The OpenSSL FIPS Object Module is provided in both full and ECC-free versions; the latter at the request of a validation sponsor. As far as I know that ECC-free version (openssl-fips-ecp-2.0.N.tar.gz) has seen very little use though, even by that original sponsor. All that said, we believe all code in OpenSSL to be properly licensed under the legal systems of most countries. We are also members of the Open Invention Network. We have a NSA ECC sublicense (https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and offer any legal advice, though; for that you'll need to check with your own legal counsel. -Steve M. -- Steve Marquess OpenSSL Software Foundation 20-22 Wenlock Road London N1 7GU United Kingdom +44 1785508015 +1 301 874 2571 direct marquess at opensslfoundation.org stevem at openssl.org
