[openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

[Jakob Bohm]

On 07/12/2017 15:05, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Jakob Bohm
>> Sent: Thursday, December 07, 2017 08:41
>> To: openssl-users at openssl.org
>>
>> And I would still say that "consult a lawyer" is a useless answer,
>> especially as most OpenSSL users will be in the same legal situation,
>> and lawyers opinions on patent matters are frequently found by courts
>> to be wrong anyway.
> Well, I suppose we'll have to disagree on that point. Speaking hypothetically, if I were the product owner for a commercial software product that used OpenSSL, I would most certainly be raising the question with corporate counsel.
>
> This is a complex and fraught area, and the OpenSSL Foundation is not able (and I'm sure not inclined to try) to indemnify OpenSSL users against infringement claims. To a large extent it doesn't matter what they say. A license file in the OpenSSL distribution is not likely to discourage an IP owner from claiming infringement if they're so inclined. At that point "local" lawyers will be involved whether you like it or not.
Of cause OpenSSL cannot indemnify users.  This is why my actual
questions to the OpenSSL project were mostly about what 3rd party
assurances that the project had received and could pass on.  For
example written patent license statements by Sun/Oracle (in
conjunction with their 2002 ECC contribution), waivers by
CertiCom etc.

Even if some companies will want to run everything by their
corporate council, corporate council can make much more useful
statements if they can start from some legal documents and
statements rather than having the lawyers try to pour over C
code and published patents.

> I also don't believe that "most OpenSSL users will be in the same legal situation". Here again, patent law is complicated. And more importantly, well-heeled users are much more likely targets of actual infringement claims, which is a very different situation indeed.
>
Point is, that in this global world, most producers are potentially
exposed in lots of "foreign" jurisdictions, and most corporate
counsel, while potentially well-heeled in general patent law, are
unlikely to have specific knowledge of the various patents, licenses
and waivers applicable to ECC crypto.

Being able to say "we only ship to customers in China and outer Mongolia,
and under those local laws there is no risk" is a lot rarer than "we ship
globally except a few problematic destinations, we don't want to be
hauled to the Eastern district of Texas by Certicom, so we want to
know if we have contractual assurances that Certicom is OK with using
OpenSSL builds that have the ECC code enabled"

That latter situation happens to also be the situation of the OpenSSL
project itself, except the degree of being a litigation magnet, thus the
likelihood that the project has obtained some legal documents that can
be passed on, making no independent promises other than those being true
and accurate copies of documents signed by their outside authors.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded