Hi,
We are in the process of qualifying a suitable encryption library for our pre-hospital patient monitor and the telemedicine system. I am writing to request your guidance regarding the mbed-tls use for commercial purposes. I look forward to your response.
Regards,
Praveen Kumar
R&D Project Manager
Emergency Care Professional (EC-Pro)
Philips
Tel +44 (0) 1256 362427 Email praveen.m.kumar@philips.com
Remote Diagnostic Technologies Limited. Registered office: Ascent 1, Farnborough Aerospace Centre, Aerospace Boulevard, Farnborough GU14 6XW, UK. Registered in England No. 3321782.
________________________________ The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.
Hi Praveen,
Mbed TLS is distributed under both the Apache 2.0 and GPL 2.0 licenses (dual-licensed); users may use the library under the terms of whichever license they prefer.
The Apache 2.0 license is a permissive license which usually allows commercial use; however, you should check the terms of this license for yourself to ensure it is compatible with your use case.
We do not provide paid support for Mbed TLS. We provide some support via the mailing list (for general support queries) and GitHub (for bug reports) but it is on a best-effort basis only.
I hope that helps.
Kind regards, David Horstmann
Mbed TLS Developer
________________________________
From: Kumar, Praveen via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 06 August 2024 11:59
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Requesting information for mbed-tls commercial license & support
Hi,
We are in the process of qualifying a suitable encryption library for our pre-hospital patient monitor and the telemedicine system. I am writing to request your guidance regarding the mbed-tls use for commercial purposes. I look forward to your response.
Regards,
Praveen Kumar
This topic has without a doubt been silently visited by many MbedTLS users :)
The biggest problem I see is that the MbedTLS devs produce a new version roughly every 2.3 weeks :) And any customer with a brain and internet access will google MbedTLS, discover that the current version is about a year later than the one in your product, and ask you a very pointed question "why aren't you using a version with the latest security patches?".
You then end up in an impossible position of having to explain to your customer (who, like everybody on the internet is a security expert, and has read all about deprecated crypto suites, hash collisions, and doesn't care that e.g. TLS 1.3 removes a bunch of hashes which are still used on some of the CACERT.PEM certificates) that for commercial and technical (e.g. product testing, over many months) reasons you had to freeze your product with MbedTLS v2.8 or whatever.
You also have to explain to your "security expert" customer that most of the mods done in the last couple of years are at best tangential to any concept of secure comms in an embedded product which 99% of the time is running in an environment without physical (access) security, so "nice" stuff like zeroing malloc'd buffers before freeing them does nothing for security because only somebody totally "inside" your box is going to be reading RAM.
So I don't think the license is a problem :)
Peter
Hi Peter,
Since you've raised this issue of the difficulty of upgrading in the past, I wanted to ask about something you mentioned previously:
"I reckon to go from v2 to v3 will cost some 5 digits in implementation and testing cost, and this is repeated a few times a year."
The 2-to-3 transition was a big one (new major version) but releases like this should happen only once every few years or so.
Aside from these big releases, LTS versions (2.28, 3.6) are supported for 3 years and should be API-compatible. In theory upgrading between LTS minor versions should be as easy as recompiling the code.
Is this in fact not the case, and if so what causes the difficulty in upgrading? Are there things we could do to make upgrading between minor versions easier? If there are improvements we can make, it would be great to hear them.
Many thanks, David Horstmann
Mbed TLS Developer
________________________________
From: Peter <peter@peter2000.co.uk>
Sent: 06 August 2024 16:22
To: David Horstmann <David.Horstmann@arm.com>
Cc: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>; Kumar, Praveen <praveen.m.kumar@philips.com>
Subject: Re: [mbed-tls] Re: Requesting information for mbed-tls commercial license & support
This topic has without a doubt been silently visited by many MbedTLS users :)
The biggest problem I see is that the MbedTLS devs produce a new version roughly every 2.3 weeks :) And any customer with a brain and internet access will google MbedTLS, discover that the current version is about a year later than the one in your product, and ask you a very pointed question "why aren't you using a version with the latest security patches?".
You then end up in an impossible position of having to explain to your customer (who, like everybody on the internet is a security expert, and has read all about deprecated crypto suites, hash collisions, and doesn't care that e.g. TLS 1.3 removes a bunch of hashes which are still used on some of the CACERT.PEM certificates) that for commercial and technical (e.g. product testing, over many months) reasons you had to freeze your product with MbedTLS v2.8 or whatever.
You also have to explain to your "security expert" customer that most of the mods done in the last couple of years are at best tangential to any concept of secure comms in an embedded product which 99% of the time is running in an environment without physical (access) security, so "nice" stuff like zeroing malloc'd buffers before freeing them does nothing for security because only somebody totally "inside" your box is going to be reading RAM.
So I don't think the license is a problem :)
Peter
Hello David,
It takes deep understanding of how MbedTLS works to do the integration into a product.
However my point (below) was that one can never have an apparently up to date version in a released product - partly due to time it takes to do it but also because a long testing period is needed before anything is released.
Regards,
Peter
Hi David,
Thanks for your response. We are keen on using the mBed-tls in our product. Do you have any plans to support DTLS v1.3 soon?
Regards, Praveen
From: David Horstmann <David.Horstmann@arm.com>
Sent: Tuesday, August 6, 2024 2:30 PM
To: mbed-tls@lists.trustedfirmware.org; Kumar, Praveen <praveen.m.kumar@philips.com>
Subject: Re: Requesting information for mbed-tls commercial license & support
Hi Praveen,
Mbed TLS is distributed under both the Apache 2.0 and GPL 2.0 licenses (dual-licensed); users may use the library under the terms of whichever license they prefer.
The Apache 2.0 license is a permissive license which usually allows commercial use; however, you should check the terms of this license for yourself to ensure it is compatible with your use case.
We do not provide paid support for Mbed TLS. We provide some support via the mailing list (for general support queries) and GitHub (for bug reports) but it is on a best-effort basis only.
I hope that helps.
Kind regards, David Horstmann
Mbed TLS Developer
Hi Praveen,
[Apologies for the duplicate, I forgot to include the mailing list]
DTLS v1.3 is on our roadmap[1] in the 'Future' column. This means that it is something that we would like to implement but we have not yet scheduled the work. At the moment we are doing a large amount of refactoring in preparation for Mbed TLS 4.0 so unfortunately it's unlikely we'll get round to working on it for at least a year.
We'll make a note of the fact that you're interested in this feature and take it into account when making scheduling decisions for the new features we're working on.
[1] https://mbed-tls.readthedocs.io/en/latest/project/roadmap/
Kind regards, David Horstmann
Mbed TLS developer
________________________________
From: Kumar, Praveen <praveen.m.kumar@philips.com>
Sent: 13 August 2024 17:10
To: David Horstmann <David.Horstmann@arm.com>; mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: RE: Requesting information for mbed-tls commercial license & support
Hi David,
Thanks for your response. We are keen on using the mBed-tls in our product. Do you have any plans to support DTLS v1.3 soon?
Regards,
Praveen
mbed-tls@lists.trustedfirmware.org