-
Q1: What is Sun contributing to OpenSSL?
Sun contributed an implementation of Elliptic Curve Cryptography (ECC)
technology that is well integrated into the existing OpenSSL source
infrastructure. This code enables secure TLS/SSL handshakes using the
Elliptic Curve based cipher suites.
Sun's contributions to the OpenSSL project include:
- Addition of ECC cipher suites based on the current IETF internet-draft,
which specifies the use of elliptic curve technology in SSL.
- Implementation of the Elliptic Curve Diffie-Hellman (ECDH) key agreement
protocol based on ANSI X9.63.
- Addition of elliptic curve support over binary polynomial fields and
the underlying arithmetic library, completing the Elliptic Curve
cryptographic library in OpenSSL.
-
Q2: Where can the downloadable code be found?
The latest version of the OpenSSL code containing ECC cipher suites
can be found at the OpenSSL website: ftp://ftp.openssl.org/snapshot/
The download file is named: openssl-SNAP-20020819.tar.gz or later versions.
-
Q3: What about the standardization of the ECC cipher suites?
Sun's implementation is based on the current IETF internet-draft
which is now available in the IETF repository:
http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-02.txt
This document describes new key exchange algorithms based on Elliptic
Curve Cryptography (ECC) for the TLS (Transport Layer Security) protocol.
In particular, it specifies the use of Elliptic Curve Diffie-Hellman (ECDH)
key agreement in a TLS handshake and the use of Elliptic Curve Digital
Signature Algorithm (ECDSA) as a new authentication mechanism.
-
Q4: What license is Sun's ECC code contributed under?
Sun contributed the ECC code to the OpenSSL project to be licensed under the standard OpenSSL license.
-
Q5: Why the additional "covenant" language in the Sun license?
OpenSSL's standard BSD-style license does not address patent
issues explicitly. Sun added "patent peace provision" language to clarify its patent grant.
This language is modeled after the Mozilla Public License. Similar language
can also be found in the IBM Common Public License.
This covenant was Sun's way of promoting a patent peace arrangement
so that key technology like Elliptic Curve Cryptography can become a
standard in the industry.
-
Q6: Is Sun's license more restrictive than the existing OpenSSL license?
No.
Sun's contribution did not in any way create additional limitations to
the OpenSSL license. Sun simply added language to clarify its patent grant.
-
Q7: What about the patented technology in the contributed code?
Sun acknowledges that it has some patented ECC technology in the
contributed code.
Sun grants to OpenSSL users the right to make use of the
contributed patented technology in the context of OpenSSL.
Sun does not intend to assert its patent rights associated with the
code that was delivered to the OpenSSL project. Sun simply asks that
anyone holding patents associated with the same code agree not to assert
them against Sun in return.
Sun does not forbid people from using the donated code on the basis of
whether or not they make this promise.
-
Q8: What is the "not to sue" clause referring to?
This is part of the patent peace provision language which is designed to
encourage technology contribution to the open source community and to
promote the standardization of key technologies.
If you don't have patents in this area, it's a non-issue.
-
Q9: Is the additional "covenant" language good or bad for the open source community users?
This "patent peace provision" is a positive trend for the overall open
source community.
A cross industry "patent peace arrangement" will encourage more technology
contribution to the open source community and will help accelerate the
standardization of key technologies such as Elliptic Curve Cryptography.
Open source community users can only benefit from this movement.