geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: IDEA block cipher inclusion via the "bouncy castle" JCE provider
Date Tue, 30 Aug 2005 23:42:34 GMT

On Aug 30, 2005, at 4:38 PM, Bruce Snyder wrote:

> On 8/30/05, Geir Magnusson Jr. <geirm@apache.org> wrote:
>> In Apache Geronino and dependencies like OpenEJB, (and probably other
>> projects at the ASF...)  we are using an external project known as
>> 'bouncycastle' (http://www.bouncycastle.org/) , a fairly well known
>> implementation of crypto-related stuff in Java.
>>
>> Inside the distro jar from bouncycastle is an implementation of the
>> IDEA algorithm.  This algorithm is patented, and the patent holder,
>> MediaCrypt, requires licenses for all implementations of IDEA, and
>> there's no unfettered use - even non-commercial distribution requires
>> some kind of correspondence with MediaCrypt.
>>
>> http://www.mediacrypt.com/
>>
>> You have to find the license section...
>>
>> So, here's the problem - I don't believe either Geronimo or OpenEJB
>> is using the algorithm explicitly but I can't be sure that it isn't
>> invoked somewhere, and statements from the MediaCrypt site such as
>>
>> "Requests by freeware developers to obtain a royalty-free license to
>> spread an application program containing the algorithm not for
>> commercial purposes must be directed to MediaCrypt"
>>
>> make me believe that we have to do something to redistribute this
>> software.
>>
>> (I can't help noting how the infinitive "to spread" makes the GPL's
>> language on "distribution" look clear.. :)
>>
>> Of course, there are other terms for commercial users.
>>
>> So, what should we do?
>
> How about asking the Bouncy Castle people for some advice on what to
> do? They're distributing the artifacts affected by these statements
> from MediaCrypt, what do they recommend to their user base regarding
> redistribution and use?

Good idea.  Alternatively for our use, it looks like the directory 
project has its own asn1 implementation.  IIUC that is all we use in 
the openejb corba code.  Can we sidestep this problem by using the 
directory's asn1 implementation?

david jencks

>
> Bruce
> -- 
> perl -e 'print 
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
>
> The Castor Project
> http://www.castor.org/
>
> Apache Geronimo
> http://geronimo.apache.org/
>


Mime
View raw message