Re: ECC ciphers in OpenSSL and Citricom Patent/License terms


Michael Wojcik
This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.

> From: openssl-users [mailto:[hidden email]] On Behalf Of Jayalakshmi bhat
> Sent: Wednesday, December 06, 2017 01:07

> Does it mean to use ECC ciphers from OpenSSL does the end user needs to get the license from Citricom? 

Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.

Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Jayalakshmi bhat
Hi Michael

Thanks for the input.

Regards
Jaya


Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Jakob Bohm-7
In reply to this post by Michael Wojcik
On 06/12/2017 14:51, Michael Wojcik wrote:
> This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.
>
>> From: openssl-users [mailto:[hidden email]] On Behalf Of Jayalakshmi bhat
>> Sent: Wednesday, December 06, 2017 01:07
>> Does it mean to use ECC ciphers from OpenSSL does the end user needs to get the license from Citricom?
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.
>
I believe what most people want, rather than the unconfirmed opinion of
a random local patent lawyer is public answers to the following:

****************************

Answers by the OpenSSL team (I have tried to pin this out into easily
answered questions that someone on the team should already know):

- Why is the README.ECC file not included in the regular OpenSSL
  tarballs?

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or even better a judicial or contractual opinion) as to the
  question if the license referenced in the README.ECC in the FIPS
  tarballs applies to the ECC code in the regular OpenSSL tarballs.

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or better) as to the question if the license referenced in
  FIPS README.ECC applies to non-validated builds of the FIPS tarball
  (such as modified builds).

- Has the OpenSSL project or foundation received any kind of firm legal
  opinion (or better) if the license referenced in the FIPS README.ECC
  applies to uses of the validated FIPS blob in code that does not (and
  is not in fact) claim to be covered by the FIPS validation (such as a
  modified OpenSSL that invokes the ECC code in the blob even in
  non-FIPS mode).

- Is there a technically safe way to copy the ECC code from the FIPS
  tarball to a build of non-FIPS OpenSSL?

****************************

Answers by Certicom/Blackberry as patent holders (I have split this into
questions that Certicom/Blackberry should be able to easily answer based
on their own policies, except perhaps the first one):

Note that while the answers and questions below may resemble lawsuit
related questions such as "claim construction charts", it is being asked
outside such context for the purpose of easing compliance with existing
license/sublicense contracts, and to facilitate respect for their
intellectual property, either by acting within granted licenses, obtaining
additional licenses where needed or abstaining from using the patented
technology without a valid license.

As CC/BB may know, OpenSSL is a widely used software library making public
statements a more efficient means of handling this rather than each and
every commercial OpenSSL user entering into near-identical individual
private negotiations.

- Which CC/BB patents (numbers and maybe claims) are applicable to the
  recent 1.0.2*, 1.1.0* and git head branches?  For clarity, the answers
  should probably identify specific files and file versions, to protect
  CC/BB from accidental estoppel regarding the use of additional CC/BB
  patented technology in files they have not examined.  Note that this
  answer will probably form the basis for the answers to the questions
  below.

- Does CC/BB suggest/require that products using any such CC/BB patented
  technology through the OpenSSL licensing mark their licensed products
  with any particular patent notices?

- Does CC/BB demand or not an additional patent license for invocation
  of the regular OpenSSL ECC code by the OpenSSL SSL/TLS code in non-FIPS
  scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for invocation
  of the regular OpenSSL ECC code in other scenarios, if so when and which.

- Does CC/BB demand or not an additional patent license for use of the
  regular OpenSSL ECC code for curves and or algorithms not standardized
  in the NIST FIPS documents?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

OpenSSL - User mailing list
README.ECC has never been part of 1.0.2 and is always part of the 1.1.0 tarballs; do you have evidence otherwise?

I don’t think the team is going to answer any questions beyond what is already in the distribution and website except to say that the license is NOT limited to the FIPS releases.
 


Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Jakob Bohm-7
On 07/12/2017 13:39, Salz, Rich via openssl-users wrote:
> README.ECC has never been part of 1.0.2 and is always part of the 1.1.0 tarballs; do you have evidence otherwise?
>
> I don’t think the team is going to answer any questions beyond what is already in the distribution and website except to say that the license is NOT limited to the FIPS releases.
>  
>
The OP claimed the file was only in the FIPS tarballs, and not in the
OpenSSL tarballs.  My questions were based on that.

And I would still say that "consult a lawyer" is a useless answer,
especially as most OpenSSL users will be in the same legal situation,
and lawyers' opinions on patent matters are frequently found by courts
to be wrong anyway.

Saying "in the distribution and website" is also quite vague and
thus another example of a non-answer.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Jakob Bohm
> Sent: Thursday, December 07, 2017 08:41
> To: [hidden email]
>
> And I would still say that "consult a lawyer" is a useless answer,
> especially as most OpenSSL users will be in the same legal situation,
> and lawyers' opinions on patent matters are frequently found by courts
> to be wrong anyway.

Well, I suppose we'll have to disagree on that point. Speaking hypothetically, if I were the product owner for a commercial software product that used OpenSSL, I would most certainly be raising the question with corporate counsel.

This is a complex and fraught area, and the OpenSSL Foundation is not able (and I'm sure not inclined to try) to indemnify OpenSSL users against infringement claims. To a large extent it doesn't matter what they say. A license file in the OpenSSL distribution is not likely to discourage an IP owner from claiming infringement if they're so inclined. At that point "local" lawyers will be involved whether you like it or not.

I also don't believe that "most OpenSSL users will be in the same legal situation". Here again, patent law is complicated. And more importantly, well-heeled users are much more likely targets of actual infringement claims, which is a very different situation indeed.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


 

Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

OpenSSL - User mailing list
In reply to this post by Jakob Bohm-7
> The OP claimed the file was only in the FIPS tarballs, and not in the
> OpenSSL tarballs.  My questions were based on that.
   
So the OP is wrong.

> Saying "in the distribution and website" is also quite vague and
> thus another example of a non-answer.
   
No it’s not.  The OpenSSL distributions, starting with 1.1.0 have a README.ECC file that points to a license on the Website.  

We are an open source project, we do not provide legal advice.  This is consistent, we have never given patent advice, nor crypto import or export advice.



Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Jakob Bohm-7
In reply to this post by Michael Wojcik
On 07/12/2017 15:05, Michael Wojcik wrote:

>> From: openssl-users [mailto:[hidden email]] On Behalf
>> Of Jakob Bohm
>> Sent: Thursday, December 07, 2017 08:41
>> To: [hidden email]
>>
>> And I would still say that "consult a lawyer" is a useless answer,
>> especially as most OpenSSL users will be in the same legal situation,
>> and lawyers' opinions on patent matters are frequently found by courts
>> to be wrong anyway.
> Well, I suppose we'll have to disagree on that point. Speaking hypothetically, if I were the product owner for a commercial software product that used OpenSSL, I would most certainly be raising the question with corporate counsel.
>
> This is a complex and fraught area, and the OpenSSL Foundation is not able (and I'm sure not inclined to try) to indemnify OpenSSL users against infringement claims. To a large extent it doesn't matter what they say. A license file in the OpenSSL distribution is not likely to discourage an IP owner from claiming infringement if they're so inclined. At that point "local" lawyers will be involved whether you like it or not.
Of course OpenSSL cannot indemnify users.  This is why my actual
questions to the OpenSSL project were mostly about what 3rd party
assurances that the project had received and could pass on.  For
example written patent license statements by Sun/Oracle (in
conjunction with their 2002 ECC contribution), waivers by
CertiCom etc.

Even if some companies will want to run everything by their
corporate counsel, corporate counsel can make much more useful
statements if they can start from some legal documents and
statements rather than having the lawyers try to pore over C
code and published patents.

> I also don't believe that "most OpenSSL users will be in the same legal situation". Here again, patent law is complicated. And more importantly, well-heeled users are much more likely targets of actual infringement claims, which is a very different situation indeed.
>
Point is, that in this global world, most producers are potentially
exposed in lots of "foreign" jurisdictions, and most corporate
counsel, while potentially well-heeled in general patent law, are
unlikely to have specific knowledge of the various patents, licenses
and waivers applicable to ECC crypto.

Being able to say "we only ship to customers in China and outer Mongolia,
and under those local laws there is no risk" is a lot rarer than "we ship
globally except a few problematic destinations, we don't want to be
hauled to the Eastern district of Texas by Certicom, so we want to
know if we have contractual assurances that Certicom is OK with using
OpenSSL builds that have the ECC code enabled"

That latter situation happens to also be the situation of the OpenSSL
project itself, except the degree of being a litigation magnet, thus the
likelihood that the project has obtained some legal documents that can
be passed on, making no independent promises other than those being true
and accurate copies of documents signed by their outside authors.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: ECC ciphers in OpenSSL and Citricom Patent/License terms

Jayalakshmi bhat
Hi All,

Thanks for the inputs. This gives me a good understanding of these ciphers' usage.

Thanks and Regards
Jayalakshmi
