[openssl-users] ECC patent status questions

Steve Marquess stevem at openssl.org
Thu Sep 1 18:11:34 UTC 2016

On 09/01/2016 08:22 AM, Jakob Bohm wrote:
> Dear OpenSSL team,
> Given the recent patent lawsuit between RIM/CertiCom and Avaya
> mentioning the ECC code in OpenSSL, what is (according to the
> OpenSSL team) the patent status of the ECC code in OpenSSL?
> Specifically:
> - Was the OpenSSL ECC code provided under a still-valid patent
>  license from someone in the power to grant it, perhaps Sun
>  (now Oracle America)?
> - Is the FIPS mode ECC covered through some US Government or
>  sponsor license? And if so, does this license extend to
>  some non-FIPS scenarios, such as invoking the FIPS blob ECC
>  code from a non-FIPS application (perhaps by modifying a
>  FIPS-capable OpenSSL library to do so even in non-FIPS
>  mode)?
> - Are there portions of the ECC code in OpenSSL which one
>  should disable at configure time, similar to how RSA and
>  IDEA were often disabled in the past?
> - Is this situation different depending on the OpenSSL
>  library version?

Jakob, for any patent or licensing issues you really need to consult
competent legal counsel. Under the U.S. legal system anyone with deep
pockets can bring suit against anyone for frivolous reasons.  You'll
want to consult with your counsel to determine the level of risk for
your particular circumstances. If a patent troll targets you for a
shakedown the legal virtues of your defense are far less relevant than
the size of your pocketbook.

I do know that some OpenSSL end users have chosen to omit certain
algorithm implementations for perceived legal reasons.  The OpenSSL FIPS
Object Module is provided in both full and ECC-free versions; the latter
at the request of a validation sponsor. As far as I know that ECC-free
version (openssl-fips-ecp-2.0.N.tar.gz) has seen very little use though,
even by that original sponsor.

All that said, we believe all code in OpenSSL to be properly licensed
under the legal systems of most countries. We are also members of the
Open Invention Network. We have an NSA ECC sublicense
(https://www.openssl.org/source/NSA-PLA.pdf). I'm not going to try and
offer any legal advice, though; for that you'll need to check with your
own legal counsel.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
20-22 Wenlock Road
London N1 7GU
United Kingdom
+44 1785508015
+1 301 874 2571 direct
marquess at opensslfoundation.org
stevem at openssl.org
