geronimo-dev mailing list archives

From Rick McGuire <>
Subject Re: [jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.
Date Tue, 06 Sep 2005 10:04:43 GMT
Aaron Mulder (JIRA) wrote:

>Aaron Mulder commented on GERONIMO-880:
>Whatever we do to disable it, there should be a procedure to enable it if you happen to
>have a license or whatever.  That is to say, if we disable it in OpenEJB, it should probably
>be via a properties file listing allowed algorithms or something, which the admin could add
>IDEA to if they believe it's appropriate.  If we distribute a lesser JAR, then it should be
>easy enough to provide directions on how to replace it with the full JAR.
There are two separate issues here:  1) The jar file containing the IDEA 
code, and 2) The hardcoded enabling of the IDEA algorithms in 
SSLCipherSuiteDatabase.   The combination of these two can lead to 
inadvertent (and unknown) use of the IDEA algorithms.  A more 
appropriate solution would have SSLCipherSuiteDatabase take the 
supported algorithms from a property file or GBean properties, thus 
allowing user customization if they choose to move to a fuller function 
jar file.

I've also done a little research on the bc code.  The IDEA algorithm is 
not the only patent protected algorithm where royalties for commercial 
use are required.  The RC5 and RC6 algorithms are also patent protected, 
and the Skipjack algorithm is patent pending.


>>Geronimo ships patent-protected bouncycastle IDEA implementation.
>>         Key: GERONIMO-880
>>         URL:
>>     Project: Geronimo
>>        Type: Bug
>>  Components: console, OpenEJB
>> Environment: All
>>    Reporter: Rick McGuire
>>     Fix For: 1.0
>> Attachments:
>>Current Geronimo is shipping the full bouncycastle jar file, which includes an implementation
>>of the IDEA encryption algorithm.  Additionally, the openejb code explicitly includes the
>>IDEA algorithm in its supported cryptography suite.
>>The IDEA algorithm is a bit problematic, since the royalty agreement is for non-commercial
>>use only...royalties are expected for commercial use.  It's not clear what the definition
>>of commercial use would actually be, but any user building a commercial website with Geronimo
>>might be at risk for a patent claim just from the presence of the code.  Additionally, since
>>there is no way to explicitly enable or disable the IDEA suite, a user might be using the
>>code for commercial purposes without even knowing it.
>>The presence of this code is also a problem for any companies wishing to embed Geronimo
>>in a commercial offering.  Having this code in the Geronimo base would probably kick in the
>>commercial uses clause and make those companies subject to royalties.
>>The IDEA code in bouncycastle is not easily removed because the encryption engines
>>are not dynamically loaded.  It would be a simple matter to replace the IDEA engine class with
>>a simple one that merely threw an exception (see attached class).  The openejb code probably
>>needs to remove the IDEA algorithms from the supported list as well.
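A sketch of the properties-driven allow list discussed in this thread, added here as an example and not code from Geronimo, OpenEJB or bouncycastle: the class name and the `ssl.allowedCipherSuites` property are hypothetical, and the sample configuration and provider suite list are constructed. Suites the administrator has not listed (the IDEA suite among them) stay disabled, so the default fails closed rather than silently enabling an algorithm.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;

// Hypothetical allow-list: the enabled suites come from a properties file and are
// intersected with what the provider supports, so unlisted suites (e.g. IDEA) stay off.
public final class CipherSuiteAllowList {
    // Hypothetical property key, not a Geronimo or OpenEJB setting.
    static final String KEY = "ssl.allowedCipherSuites";
    private final Set<String> allowed = new HashSet<String>();

    // A missing or empty key means "allow nothing": the filter fails closed.
    public CipherSuiteAllowList(Properties props) {
        for (String name : props.getProperty(KEY, "").split(",")) {
            String trimmed = name.trim();
            if (trimmed.length() > 0) {
                allowed.add(trimmed);
            }
        }
    }

    // Subset of the provider's supported suites that the administrator listed, in provider order.
    public String[] select(String[] supported) {
        List<String> chosen = new ArrayList<String>();
        for (String suite : supported) {
            if (allowed.contains(suite)) chosen.add(suite);
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    // Apply the allow list to a server socket before it accepts connections.
    public void apply(SSLServerSocket socket) {
        socket.setEnabledCipherSuites(select(socket.getSupportedCipherSuites()));
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two suites enabled, IDEA left unlisted.
        Properties props = new Properties();
        props.setProperty(KEY, "TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        // Constructed sample of a provider's supported list, including an IDEA suite.
        String[] supported = { "TLS_RSA_WITH_IDEA_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                               "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5" };
        System.out.println(Arrays.asList(new CipherSuiteAllowList(props).select(supported)));
    }
}
```

Because `select` intersects the allow list with `getSupportedCipherSuites()`, an entry for a suite the provider does not ship is simply ignored, which is what lets the same configuration work whether the full or the reduced bouncycastle jar is installed.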
