[openssl-dev] OCB patent stuff

Matt Caswell matt at openssl.org
Tue Jan 27 13:32:36 UTC 2015



On 27/01/15 13:12, david.lloyd at fsmail.net wrote:
> 
> 
>> Why? We have an explicit licence enabling its use - so why shouldn't it
>> be on?
>>
>> Matt
> 
> 
> You do, but I don't, and other users of OpenSSL don't either.  According to my legal advice at least - your Lawyer may disagree.  The linked pdf doesn't solve the problem apparently.
> 
> That there is an *issued* patent on the algorithm at all immediately makes it "controversial", and probably doomed to die.  Compare what the BBC did with the Dirac patents - the patent was publicly filed and then they explicitly let the application lapse without getting the patent issued within the timeframe.  Once a patent is actually issued, there is always someone who is going to have a problem.
> 
> So the question is: Why did they pay for the Patent unless there is an intention to require Royalties?  Are you or OpenSSL going to pay my royalty fees and/or legal costs if I am found to be infringing on this known patent?
> 
> If you are not happy to be responsible for legal costs, then I recommend you disable it by default to avoid any such confusion...

The answer to that is in the OpenSSL licence:
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.

and is also covered by the OpenSSL FAQ:
https://www.openssl.org/support/faq.html#LEGAL1

However, it is not the first time that there are things within OpenSSL
with patents, and it is not without precedent to have these things
switched on (e.g. some distributions have disabled EC stuff because of
patent concerns, which is on by default in standard OpenSSL).

We did get our own legal advice before including it and those lawyers
advised us that we were ok with the patent licence we have been granted.
Your mileage may vary with your own legal advice (and of course that may
vary depending on where in the world you are located)...hence the FAQ
link I provided above.

The option to disable OCB has been provided for the cautious.

Matt

