[openssl-users] ECC patent status questions
rsalz at akamai.com
Thu Sep 1 22:43:44 UTC 2016
It's hard to answer these questions without wandering down the "legal advice" alleyway.
I think Steve's post answered your questions.
> >> - Was the OpenSSL ECC code provided under a still-valid patent
> >> license from someone in the power to grant it, perhaps Sun
> >> (now Oracle America)?
This is our belief.
> >> - Is the FIPS mode ECC covered through some US Government or
> >> sponsor license?, And if so, does this license extend to
> >> some non-FIPS scenarios, such as invoking the FIPS blob ECC
> >> code from a non-FIPS application (perhaps by modifying a
> >> FIPS-capable OpenSSL library to do so even in non-FIPS
> >> mode)?
The license is for the OpenSSL toolkit, and you can now read it easily online.
> >> - Are there portions of the ECC code in OpenSSL which one
> >> should disable at configure time, similar to how RSA and
> >> IDEA were often disabled in the past?
> >> - Is this situation different depending on the OpenSSL
> >> library version?
Not that we know.
> My questions were being very specific precisely to avoid that, and to be of
> general interest rather than anything specific to what I do myself.
I know you were asking on behalf of the community. Thanks.
> The existence of the NSA agreement is a partial answer to the first question,
> though it seems unclear if this license is recursively sublicensed through 3rd
> parties or not.
They knew they were licensing an open source toolkit.
Hope this helps.
More information about the openssl-users