There is no substitute for legal counsel, but Tom had a summary that you might be interested in...
  http://libtom.org/pages/toorcon8_ecc_tstdenis.pdf
See slides 24-27.

Larry



On Jan 10, 2008, at 2:25 PM, Anilkumar Bollineni wrote:

Thanks a lot for the responses.
Bill, I agree with you that the use of ECC really matters here, the area where Certicom holds ECC patents. One of our applications with respect to ECC is planning to use ECDSA (Elliptic Curve DSA) signature-based certificate generation/verification, signature generation/verification. Meanwhile I talked to one of the sales guys from Certicom, and he is saying that one of Certicom's patents is related to ECDSA, and he said if I want to do ECDSA from OpenSSL, then I need to get a license. I am not sure whether that information is correct or not. OpenSSL does not say a word about EC/ECDSA usage and the related Certicom patent information. The only thing I got about that is that Sun has donated the EC code to OpenSSL. If OpenSSL users are really violating the Certicom patents, then users need to be aware of that, and it is better that OpenSSL give some information about it in the release notes. Or maybe the OpenSSL EC implementation does not violate any Certicom patents and that's why OpenSSL is not mentioning it? Does somebody have any insight into it?
Thanks again.

Best Regards,
Anil

Bill Colvin <[EMAIL PROTECTED]> wrote:
I would characterize the Certicom patents as falling into 3 main categories:

1) patents relating to the use of ECC in very specific application circumstances

This represents the bulk of Certicom patents. For these patents you will have to do your own research as they are dependent on your application and have nothing to do with OpenSSL.

2) patents that improve the performance of the underlying mathematics

For these patents, it would be difficult to say if the developers who implemented the underlying math algorithms happened to implement a patented Certicom technique. However, unless they were actually using the patent docs during implementation, I doubt that this would be the case.

3) patents on ECC techniques

Now these are the ones you can find in the implementation of OpenSSL. There are two main ones here – point compression and MQV. Point compression reduces the size of an ECC public key, but ECC keys are much smaller than RSA keys even without it, so this one can be avoided. MQV is a key exchange technique. It also can be avoided by using ECDH.

NSA licensed 26 Certicom patents (which include MQV and point compression) for use in government applications with prime modulus curves greater than 255. This is a good Q&A on the details of this license: http://www.certicom.ca/download/aid-501/FAQ-The%20NSA%20ECC%20License%20Agreement.pdf

NSA did not license all of Certicom’s patents, only a subset for use in a limited “field of use”.

Bill
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Anilkumar Bollineni
Sent: January 10, 2008 2:12 PM
To: openssl-users@openssl.org
Subject: About ECC patent and OpenSSL ECC code

Hi there,

I have a question on OpenSSL ECC (Elliptic Curve Cryptography) code. I saw that Sun systems has donated the ECC code to OpenSSL. Also I saw that Certicom has held 130 patents in the ECC area and finally NSA has licensed that code. Suppose I download the code from OpenSSL and try to develop a product using the OpenSSL ECC code, does it violate any patent issue with Certicom?
Can anybody share any experience or information about this?

Thanks for support.

-Anil


