geronimo-dev mailing list archives

From "Geir Magnusson Jr." <ge...@apache.org>
Subject IDEA block cipher inclusion via the "bouncy castle" JCE provider
Date Tue, 30 Aug 2005 11:18:53 GMT
In Apache Geronimo and dependencies like OpenEJB (and probably other
projects at the ASF...) we are using an external project known as
'bouncycastle' (http://www.bouncycastle.org/), a fairly well known
implementation of crypto-related stuff in Java.

Inside the distro jar from bouncycastle is an implementation of the  
IDEA algorithm.  This algorithm is patented, and the patent holder,  
MediaCrypt, requires licenses for all implementations of IDEA, and  
there's no unfettered use - even non-commercial distribution requires  
some kind of correspondence with MediaCrypt.

http://www.mediacrypt.com/

You have to find the license section...

So, here's the problem - I don't believe either Geronimo or OpenEJB  
is using the algorithm explicitly but I can't be sure that it isn't  
invoked somewhere, and statements from the MediaCrypt site such as

"Requests by freeware developers to obtain a royalty-free license to  
spread an application program containing the algorithm not for  
commercial purposes must be directed to MediaCrypt"

make me believe that we have to do something to redistribute this  
software.

(I can't help noting how the infinitive "to spread" makes the GPL's  
language on "distribution" look clear.. :)

Of course, there are other terms for commercial users.

So, what should we do?

It may be the case that we need to get a license to redistribute the  
bouncycastle jar (from MediaCrypt).  If this is the case, I suspect  
that we're hosed, as we wouldn't distribute something that requires  
our users who wish to redistribute our software to go get a license  
from someone.

If not, we can provide a warning to our users that our software  
includes the IDEA algorithm which is encumbered, but at this time, I  
can't guarantee that it won't be invoked somehow.

Another approach would be to petition bouncycastle.org to provide a  
distribution of the software w/o the algorithm included.

I've crossposted to the geronimo dev list for this post - please
remove to keep discussion on the legal-discuss - interested people  
can come view it here.

geir

-- 
Geir Magnusson Jr                                  +1-203-665-6437
geir@apache.org


