It's hard to answer these questions without wandering down the "legal advice" alleyway. I think Steve's post answered your questions.

> >> - Was the OpenSSL ECC code provided under a still-valid patent
> >> license from someone in the power to grant it, perhaps Sun
> >> (now Oracle America)?

This is our belief.

> >> - Is the FIPS mode ECC covered through some US Government or
> >> sponsor license? And if so, does this license extend to
> >> some non-FIPS scenarios, such as invoking the FIPS blob ECC
> >> code from a non-FIPS application (perhaps by modifying a
> >> FIPS-capable OpenSSL library to do so even in non-FIPS
> >> mode)?

The license is for the OpenSSL toolkit, and you can now read it easily online.

> >> - Are there portions of the ECC code in OpenSSL which one
> >> should disable at configure time, similar to how RSA and
> >> IDEA were often disabled in the past?

No idea.

> >> - Is this situation different depending on the OpenSSL
> >> library version?

Not that we know.

> My questions were being very specific precisely to avoid that, and to be of
> general interest rather than anything specific to what I do myself.

I know you were asking on behalf of the community. Thanks.

> The existence of the NSA agreement is a partial answer to the first question,
> though it seems unclear if this license is recursively sublicensed through 3rd
> parties or not.

They knew they were licensing an open source toolkit.

Hope this helps.