| 1 |
On 9/24/2021 03:55, Hanno Böck wrote: |
| 2 |
> On Fri, 24 Sep 2021 03:46:51 -0400 |
| 3 |
> Joshua Kinard <kumba@g.o> wrote: |
| 4 |
> |
| 5 |
>> If I remember this weekend, I'll e-mail the libtomcrypt author and |
| 6 |
>> see if they have any insight. One would hope they did their own |
| 7 |
>> research before possibly putting patented code out into the public |
| 8 |
>> domain. |
| 9 |
>> |
| 10 |
>> Any idea if the Ed25519 forms are unencumbered? As far as I know, |
| 11 |
>> those were developed by DJB completely independent of ECDSA, so it |
| 12 |
>> seems like those should be fine. |
| 13 |
> |
| 14 |
> I would like to point out that we have no evidence that ECDSA is |
| 15 |
> currently patent-encumbered either. |
| 16 |
> The patents that are listed in Red Hat's openssl patches and the ones |
| 17 |
> that people have been discussing around ecc are all expired. The only |
| 18 |
> "evidence" we have around patent problems is that red hat does not give |
| 19 |
> a clear answer when asked whether there are still issues. My hunch is |
| 20 |
> that this is more of a "large company not answering questions"-problem |
| 21 |
> than a patent problem, but of course I don't know that for sure. |
| 22 |
> |
| 23 |
> ECDSA and the NIST curves have been around since > 20 years, so it's |
| 24 |
> simply impossible that there are any valid patents covering those. |
| 25 |
> (There is of course a slight possibility that there may be patents |
| 26 |
> covering specific implementation details of ECDSA/NIST curves that were |
| 27 |
> only described later.) |
| 28 |
|
| 29 |
Then we are either A) being too paranoid and should just drop bindist from |
| 30 |
the OpenSSL ebuilds, or B) we are not being paranoid enough and packages |
| 31 |
like dropbear/libtomcrypt need bindist added, no? It seems we're stuck in |
| 32 |
the middle here because we don't have the right information. If Red Hat or |
| 33 |
IBM are being non-responsive over this, then surely some other distro out |
| 34 |
there has already figured things out? |
| 35 |
|
| 36 |
|
| 37 |
> I'm not entirely sure what you'd like to ask the libtomcrypt authors. |
| 38 |
> "We think there may be patents, but we don't know. Did you consider |
| 39 |
> that?" |
| 40 |
|
| 41 |
No, actually, I was thinking something more along the lines of "Hey, are you |
| 42 |
aware of these supposed patent claims about ECC/ECDSA implementations that |
| 43 |
Red Hat says exist, and if so, did you do any research on them that you |
| 44 |
could possibly share that led you to feeling confident to release your |
| 45 |
implementation into the public domain". |
| 46 |
|
| 47 |
But I am open to better language. I just don't wanna sit here not knowing. |
| 48 |
Someone out there has to have the right information to settle this. |
| 49 |
|
| 50 |
-- |
| 51 |
Joshua Kinard |
| 52 |
Gentoo/MIPS |
| 53 |
kumba@g.o |
| 54 |
rsa6144/5C63F4E3F5C6C943 2015-04-27 |
| 55 |
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943 |
| 56 |
|
| 57 |
"The past tempts us, the present confuses us, the future frightens us. And |
| 58 |
our lives slip away, moment by moment, lost in that vast, terrible in-between." |
| 59 |
|
| 60 |
--Emperor Turhan, Centauri Republic |
Archives