[openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 7 06:25:40 UTC 2017 

On 06/12/2017 14:51, Michael Wojcik wrote:
> This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.
>
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jayalakshmi bhat
>> Sent: Wednesday, December 06, 2017 01:07
>> Does it mean to use ECC ciphers from OpenSSL does the end user needs to get the license from Citricom?
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.
>
I believe what most people want, rather than the unconfirmed opinion of
a random local patent lawyer is public answers to the following:

****************************

Answers by the OpenSSL team (I have tried topin this out into easily
answered questions that someone on the team should already know):

- Why is the README.ECC file not included in the regular OpenSSL
  tarballs?

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or even better a judicial or contractual opinion) as to the
  question if the license referenced in the README.ECC in the FIPS
  tarballs applies to the ECC code in the regular OpenSSL tarballs.

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or better) as to the question if the license referenced in
  FIPS README.ECC applies to non-validated builds of the FIPS tarball
  (such as modified builds).

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or better) if the license referenced in the FIPS README.ECC
  applies to uses of the validated FIPS blob in code that does not (and
  is not in fact) claim to be covered by the FIPS validation (such as a
  modified OpenSSL that invokes the ECC code in the blob even in
  non-FIPS mode).

- Is there a technically safe way to copy the ECC code from the FIPS
  tarball to a build of non-FIPS OpenSSL?

****************************

Answers by Certicom/Blackberry as patent holders (I have split this into
questions that Certicom/Blackberry should be able to easily answer based
on their own policies, except perhaps the first one):

Note that while the answers and questions below may resemble lawsuit
related questions such as "claim construction charts", it is being asked
outside such context for the purpose of easing compliance with existing
license/sublicense contracts, and to facilitate respect for their
intellectual property, either by acting within granted licenses, obtaining
additional licenses where needed or abstaining from using the patented
technology without a valid license.

As CC/BB may know, OpenSSL is a widely used software library making public
statements a more efficient means of handling this rather than each and
every commercial OpenSSL user entering into near-identical individual
private negotiations.

- Which CC/BB patents (numbers and maybe claims) are applicable to the
  recent 1.0.2*, 1.1.0* and git head branches?  For clarity, the answers
  should probably identify specific files and file versions, to protect
  CC/BB from accidental estoppel regarding the use of additional CC/BB
  patented technology in files they have not examined.  Note that this
  answer will probably form the basis for the answers to the questions
  below.

- Does CC/BB suggest/require that products using any such CC/BB patented
  technology through the OpenSSL licensing mark their licensed products
  with any particular patent notices?

- Does CC/BB demand or not an additional patent license for invocation
of the regular OpenSSL ECC code by the OpenSSL SSL/TLS code in non-FIPS
  scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for invocation
  of the regular OpenSSL ECC code in other scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for use of the
  regular OpenSSL ECC code for curves and or algorithms not standardized
  in the NIST FIPS documents?

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list