Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 93010 invoked from network); 24 Sep 2005 17:40:55 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 24 Sep 2005 17:40:55 -0000 Received: (qmail 35882 invoked by uid 500); 24 Sep 2005 17:40:54 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 35183 invoked by uid 500); 24 Sep 2005 17:40:52 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 35168 invoked by uid 99); 24 Sep 2005 17:40:52 -0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=SPF_FAIL X-Spam-Check-By: apache.org Received: from [192.87.106.226] (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 24 Sep 2005 10:40:50 -0700 Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id BDFB4121 for ; Sat, 24 Sep 2005 19:40:29 +0200 (CEST) Message-ID: <1176806061.1127583629774.JavaMail.jira@ajax.apache.org> Date: Sat, 24 Sep 2005 19:40:29 +0200 (CEST) From: "David Jencks (JIRA)" To: dev@geronimo.apache.org Subject: [jira] Assigned: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation. In-Reply-To: <735124661.1124106654174.JavaMail.jira@ajax.apache.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ] David Jencks reassigned GERONIMO-880: ------------------------------------- Assign To: David Jencks > Geronimo ships patent-protected bouncycastle IDEA implementation. > ----------------------------------------------------------------- > > Key: GERONIMO-880 > URL: http://issues.apache.org/jira/browse/GERONIMO-880 > Project: Geronimo > Type: Bug > Components: security, console, OpenEJB > Versions: 1.0-M5 > Environment: All > Reporter: Rick McGuire > Assignee: David Jencks > Fix For: 1.0-M5 > Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch > > Current Geronimo is shipping the full bouncycastle jar file, which includes an implementation of the IDEA encryption algorithm. Additionally, the openejb code explicitly includes the IDEA algorithm in its supported cryptography suite. > The IDEA algorithm is a bit problematic, since the royalty agreement is for non-commercial use only...royalties are expected for commercial use. It's not clear what the definition of commercial use would actually be, but any user building a commercial website with Geronimo might be at risk for a patent claim just from the presence of the code. Additionally, since there is no way to explicitly enable or discable the IDEA suite, a user might be using the code for commercial purposes without even knowing it. > The presence of this code is also a problem for any companies wishing to embed Geronimo in a commercial offering. Having this code in the Geronomo base would probably kick in the commercial uses clause and make those companies subject to royalties. > The IDEA code code in bouncycastle is not easily removed because the encryption engines are not dyamically loaded. It would be a simple matter to replace the IDEA engine class with a simple one that merely threw an exception (see attached class). The openejb code probably needs to remove the IDEA algorithms from the supported list as well. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira