geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Geir Magnusson Jr." <>
Subject Re: [jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.
Date Tue, 06 Sep 2005 15:53:52 GMT
So it seems like we need to bail on BC.

I haven't seen anything from OpenEJB on this - David, would it be  
possible to a) stop making IDEA a possibility, and b) use something  
else for the ASN1 encoding/decoding?  Can the directory project's  
library be enhanced?


On Sep 6, 2005, at 6:04 AM, Rick McGuire wrote:

> Aaron Mulder (JIRA) wrote:
>>    [ 
>> page=comments#action_12322586 ]
>> Aaron Mulder commented on GERONIMO-880:
>> ---------------------------------------
>> Whatever we do to disable it, there should be a procedure to  
>> enable it if you happen to have a license or whatever.  That is to  
>> say, if we disable it in OpenEJB, it should probably be via a  
>> properties file listing allowed algorithms or something, which the  
>> admin could add IDEA to if they believe it's appropriate.  If we  
>> distribute a lesser JAR, then it should be easy enough to provide  
>> directions on how to replace it with the full JAR.
> There are two separate issues here:  1) The jar file containing the  
> IDEA code, and 2) The hardcoded enabling of the IDEA algorithms in  
> SSLCipherSuiteDatabase.   The combination of these two can lead to  
> inadvertent use (and unknown) use of the IDEA algorithms.  A more  
> appropriate solution would have SSLCipherSuiteDatabase take the  
> supported algorithms from a property file or GBean properties, thus  
> allowing user customization if they choose to move to a fuller  
> function jar file.
> I've also done a little reseach on the bc code.  The IDEA algorithm  
> is not the only patent protected algorithm where royalties for  
> commercial use are required.  the RC5 and RC6 algorithms are also  
> patent protected, and the Skipjack algorithm is patent pending.
> Rick
>>> Geronimo ships patent-protected bouncycastle IDEA implementation.
>>> -----------------------------------------------------------------
>>>         Key: GERONIMO-880
>>>         URL:
>>>     Project: Geronimo
>>>        Type: Bug
>>>  Components: console, OpenEJB
>>> Environment: All
>>>    Reporter: Rick McGuire
>>>     Fix For: 1.0
>>> Attachments:
>>> Current Geronimo is shipping the full bouncycastle jar file,  
>>> which includes an implementation of the IDEA encryption  
>>> algorithm.  Additionally, the openejb code explicitly includes  
>>> the IDEA algorithm in its supported cryptography suite.
>>> The IDEA algorithm is a bit problematic, since the royalty  
>>> agreement is for non-commercial use only...royalties are expected  
>>> for commercial use.  It's not clear what the definition of  
>>> commercial use would actually be, but any user building a  
>>> commercial website with Geronimo might be at risk for a patent  
>>> claim just from the presence of the code.  Additionally, since  
>>> there is no way to explicitly enable or discable the IDEA suite,  
>>> a user might be using the code for commercial purposes without  
>>> even knowing it. The presence of this code is also a problem for  
>>> any companies wishing to embed Geronimo in a commercial  
>>> offering.  Having this code in the Geronomo base would probably  
>>> kick in the commercial uses clause and make those companies  
>>> subject to royalties.
>>> The IDEA code code in bouncycastle is not easily removed because  
>>> the encryption engines are not dyamically loaded.  It would be a  
>>> simple matter to replace the IDEA engine class with a simple one  
>>> that merely threw an exception (see attached class).  The openejb  
>>> code probably needs to remove the IDEA algorithms from the  
>>> supported list as well.

Geir Magnusson Jr                                  +1-203-665-6437

View raw message