geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matt Hogstrom (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.
Date Mon, 15 Aug 2005 17:16:56 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12318819 ] 

Matt Hogstrom commented on GERONIMO-880:
----------------------------------------

I like the idea of throwing an exception so that users are protected from accidental patent
infringement.  However, I think the message should be a bit clearer. What is needed is a support
site where this message could point the user to so that they could obtain a proper understanding
of the problem as well as a resolution if they needed to use the algorithm.  As far as this
issue is concerned a brief description of the problem and how to obtain a full copy of bouncyCastle
as well as instructions for how to introduce it back into OpenEJB would be awesome.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java
>
> Current Geronimo is shipping the full bouncycastle jar file, which includes an implementation
of the IDEA encryption algorithm.  Additionally, the openejb code explicitly includes the
IDEA algorithm in its supported cryptography suite.
> The IDEA algorithm is a bit problematic, since the royalty agreement is for non-commercial
use only...royalties are expected for commercial use.  It's not clear what the definition
of commercial use would actually be, but any user building a commercial website with Geronimo
might be at risk for a patent claim just from the presence of the code.  Additionally, since
there is no way to explicitly enable or discable the IDEA suite, a user might be using the
code for commercial purposes without even knowing it. 
> The presence of this code is also a problem for any companies wishing to embed Geronimo
in a commercial offering.  Having this code in the Geronomo base would probably kick in the
commercial uses clause and make those companies subject to royalties.
> The IDEA code code in bouncycastle is not easily removed because the encryption engines
are not dyamically loaded.  It would be a simple matter to replace the IDEA engine class with
a simple one that merely threw an exception (see attached class).  The openejb code probably
needs to remove the IDEA algorithms from the supported list as well. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message