From: "Geir Magnusson Jr."
Subject: Re: [jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.
Date: Tue, 6 Sep 2005 11:53:52 -0400
To: dev@geronimo.apache.org
Message-Id: <0967DC5C-F40F-47D7-8AB4-5AE5E55364B6@apache.org>
In-Reply-To: <431D69BB.3080807@gmail.com>
References: <589097761.1125768690542.JavaMail.jira@ajax.apache.org> <431D69BB.3080807@gmail.com>

So it seems like we need to bail on BC.

I haven't seen anything from OpenEJB on this - David, would it be possible to a) stop making IDEA a possibility, and b) use something else for the ASN1 encoding/decoding? Can the directory project's library be enhanced?

geir

On Sep 6, 2005, at 6:04 AM, Rick McGuire wrote:

> Aaron Mulder (JIRA) wrote:
>
>> [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12322586 ]
>> Aaron Mulder commented on GERONIMO-880:
>> ---------------------------------------
>>
>> Whatever we do to disable it, there should be a procedure to enable it if you happen to have a license or whatever. That is to say, if we disable it in OpenEJB, it should probably be via a properties file listing allowed algorithms or something, which the admin could add IDEA to if they believe it's appropriate. If we distribute a lesser JAR, then it should be easy enough to provide directions on how to replace it with the full JAR.
>
> There are two separate issues here: 1) The jar file containing the IDEA code, and 2) The hardcoded enabling of the IDEA algorithms in SSLCipherSuiteDatabase. The combination of these two can lead to inadvertent (and unknown) use of the IDEA algorithms. A more appropriate solution would have SSLCipherSuiteDatabase take the supported algorithms from a property file or GBean properties, thus allowing user customization if they choose to move to a fuller function jar file.
>
> I've also done a little research on the bc code. The IDEA algorithm is not the only patent protected algorithm where royalties for commercial use are required. The RC5 and RC6 algorithms are also patent protected, and the Skipjack algorithm is patent pending.
>
> Rick
>
>>> Geronimo ships patent-protected bouncycastle IDEA implementation.
>>> -----------------------------------------------------------------
>>>
>>> Key: GERONIMO-880
>>> URL: http://issues.apache.org/jira/browse/GERONIMO-880
>>> Project: Geronimo
>>> Type: Bug
>>> Components: console, OpenEJB
>>> Environment: All
>>> Reporter: Rick McGuire
>>> Fix For: 1.0
>>> Attachments: IDEAEngine.java
>>>
>>> Current Geronimo is shipping the full bouncycastle jar file, which includes an implementation of the IDEA encryption algorithm. Additionally, the openejb code explicitly includes the IDEA algorithm in its supported cryptography suite.
>>>
>>> The IDEA algorithm is a bit problematic, since the royalty agreement is for non-commercial use only...royalties are expected for commercial use. It's not clear what the definition of commercial use would actually be, but any user building a commercial website with Geronimo might be at risk for a patent claim just from the presence of the code. Additionally, since there is no way to explicitly enable or disable the IDEA suite, a user might be using the code for commercial purposes without even knowing it. The presence of this code is also a problem for any companies wishing to embed Geronimo in a commercial offering. Having this code in the Geronimo base would probably kick in the commercial uses clause and make those companies subject to royalties.
>>>
>>> The IDEA code in bouncycastle is not easily removed because the encryption engines are not dynamically loaded. It would be a simple matter to replace the IDEA engine class with a simple one that merely threw an exception (see attached class). The openejb code probably needs to remove the IDEA algorithms from the supported list as well.

--
Geir Magnusson Jr +1-203-665-6437 geirm@apache.org
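An added example (not Geronimo's or OpenEJB's code) of the property-driven allow list Aaron and Rick describe, where the suite names, the `ssl.allowed.algorithms` key and its default value are assumptions: anything not listed, IDEA included, is never offered unless an administrator adds it.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

/** Hypothetical stand-in for a hard-coded suite database: enabled suites come from Properties. */
public class CipherSuiteAllowList {
    // Constructed sample of the suite names such a database might hold.
    static final List<String> DATABASE = Arrays.asList(
        "TLS_RSA_WITH_IDEA_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");

    private final Set<String> allowed = new HashSet<>();

    /** Reads "ssl.allowed.algorithms=AES,3DES" (assumed key and default); IDEA is off unless listed. */
    CipherSuiteAllowList(Properties props) {
        String value = props.getProperty("ssl.allowed.algorithms", "AES,3DES");
        for (String alg : value.split(",")) {
            String a = alg.trim().toUpperCase(Locale.ROOT);
            if (!a.isEmpty()) allowed.add(a);
        }
    }

    /** Bulk-cipher token: the part between "_WITH_" and the next "_" ("IDEA", "AES", "3DES"). */
    static String bulkCipher(String suite) {
        int i = suite.indexOf("_WITH_");
        if (i < 0) return "";
        String rest = suite.substring(i + "_WITH_".length());
        int j = rest.indexOf('_');
        return j < 0 ? rest : rest.substring(0, j);
    }

    /** Suites the server may offer: only those whose bulk cipher is on the allow list. */
    List<String> enabledSuites() {
        List<String> out = new ArrayList<>();
        for (String s : DATABASE) if (allowed.contains(bulkCipher(s))) out.add(s);
        return out;
    }

    public static void main(String[] args) throws IOException {
        Properties defaults = new Properties();              // admin supplied nothing: IDEA stays off
        System.out.println(new CipherSuiteAllowList(defaults).enabledSuites());
        Properties licensed = new Properties();              // admin holding a license opts IDEA in
        licensed.load(new StringReader("ssl.allowed.algorithms=AES,3DES,IDEA"));
        System.out.println(new CipherSuiteAllowList(licensed).enabledSuites());
    }
}
```

With an allow list the failure mode Rick flags is inverted: a suite that nobody configured is silent absence rather than inadvertent use.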