[openssl-users] ECC patent status questions

[Salz, Rich]

It's hard to answer these questions without wandering down the "legal advice" alleyway.

I think Steve's post answered your questions.


> >> - Was the OpenSSL ECC code provided under a still-valid patent
> >>   license from someone in the power to grant it, perhaps Sun
> >>   (now Oracle America)?

This is our belief.

> >> - Is the FIPS mode ECC covered through some US Government or
> >>   sponsor license?,  And if so, does this license extend to
> >>   some non-FIPS scenarios, such as invoking the FIPS blob ECC
> >>   code from a non-FIPS application (perhaps by modifying a
> >>   FIPS-capable OpenSSL library to do so even in non-FIPS
> >>   mode)?

The license is for the OpenSSL toolkit, and you can now read it easily online.

> >> - Are there portions of the ECC code in OpenSSL which one
> >>   should disable at configure time, similar to how RSA and
> >>   IDEA were often disabled in the past?

No idea.

> >> - Is this situation different depending on the OpenSSL
> >>   library version?

Not that we know.

> My questions were being very specific precisely to avoid that, and to be of
> general interest rather than anything specific to what I do myself.

I know you were asking on behalf of the community.  Thanks.
 
> The existence of the NSA agreement is a partial answer to the first question,
> though it seems unclear if this license is recursively sublicensed through 3rd
> parties or not.

They knew they were licensing an open source toolkit.

Hope this helps.