From: "Geir Magnusson Jr."
Subject: Re: IDEA block cipher inclusion via the "bouncy castle" JCE provider
Date: Thu, 1 Sep 2005 15:45:13 -0400
To: dev@geronimo.apache.org
In-Reply-To: <43173C11.4030403@gmail.com>
References: <1AB1C8BD-B886-43C3-8D54-47B558B6DD66@apache.org> <7b3355cb050830163815d4f2ea@mail.gmail.com> <3B680DC6-346C-4F33-905D-84406866FC32@apache.org> <43173C11.4030403@gmail.com>

I was talking to Alan and mentioned this. He had another suggestion - let's just (for now) get the ASN1 code from BC and package it ourselves. Coupled with the suggestion about removing the IDEA algorithm as a possibility, we remove the dep on BC in OpenEJB.

Then, we don't ship BC w/ geronimo, but let the console detect if BC is present and then show a message and warning where appropriate where to get the jar and how to install if not.

Then Geronimo is clean, the functionality is optional, and users have no risk of encountering a problem, unless they can't read.

geir

On Sep 1, 2005, at 1:36 PM, Rick McGuire wrote:

> I found an interesting example of the inadvertent problems that can be caused by Geronimo's current usage of bouncycastle. The openejb SunOrb code specifies a list of supported cipher suites to be used with SSL connections in the class SSLCipherSuiteDatabase. The supported list includes the IDEA algorithms. The Sun default JCE implementation does not include IDEA, so this will not be used unless additional JCE providers are installed which include IDEA support. So far, so good. The IDEA code, even though listed as an option, will not get used without explicit knowledge of the Geronimo administrator.
>
> However, the current console code uses the bouncycastle code to implement its keystore. This usage is in a manner that requires the BC provider code to be installed programmatically, which the console code does. Unfortunately, once this is done, the IDEA algorithms are now available for use for SSL connections as well. This server is now potentially a royalty collection target by the IDEA patent holders, since they can demonstrate usage by having a client connect with this server using the IDEA ciphers. We might even want to consider allowing these algorithms to be controlled by the server config rather than just hard coding them in the class.
>
> One way to fix this is just remove the IDEA algorithms from the SSLCipherSuiteDatabase, so these will not be used for SSL connections. Another potential solution (yet to be verified) is to use the BC APIs that allow the default JCE provider to be used for encryption services rather than defaulting to the BC provider.
>
> Rick
>

--
Geir Magnusson Jr
+1-203-665-6437
geirm@apache.org
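The mechanism Rick describes, and the two mitigations he lists, can be shown in a few lines of plain JCA/JSSE code. The following is an added illustration and is not code from Geronimo, OpenEJB or this thread: `registerGlobally` is the pattern that leaks every BC algorithm (IDEA included) to JSSE cipher-suite negotiation JVM-wide; `bcKeyStoreWithoutGlobalRegistration` uses the standard JCA provider-instance overload so the keystore code gets BC without touching the global provider list (this is a standard JCA mechanism, not the unverified BC API Rick mentions, and it assumes BC's "BKS" keystore type is available); `withoutIdea` is the cipher-suite filter that implements "remove the IDEA algorithms from the list". The class and method names are my own, and the cipher-suite array in `main` is a constructed sample.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLServerSocket;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Illustrative example (hypothetical class, not project code) of why a
 * globally registered JCE provider changes SSL behaviour, and how to keep
 * the provider scoped or the suite list clean.
 */
public class ProviderScopeExample {

    /**
     * The pattern the thread warns about. After this call every consumer in
     * the JVM, including JSSE, can resolve BC's algorithms, so any IDEA suite
     * listed in the server's cipher-suite table becomes negotiable.
     */
    static void registerGlobally() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Scoped alternative: pass the provider instance to the API that needs
     * it. Nothing is added to the JVM-wide provider list, so the keystore
     * code gets BC while SSL negotiation is unaffected.
     * "BKS" is BC's keystore type (assumed available in the BC jar in use).
     */
    static KeyStore bcKeyStoreWithoutGlobalRegistration() throws Exception {
        Provider bc = new BouncyCastleProvider();
        return KeyStore.getInstance("BKS", bc);
    }

    /**
     * Drops every suite whose name mentions IDEA, so the server cannot
     * negotiate it regardless of which providers happen to be installed.
     * This is the "remove IDEA from SSLCipherSuiteDatabase" fix in code.
     */
    static String[] withoutIdea(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            if (!suite.toUpperCase().contains("IDEA")) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Applies the filter to a live server socket's enabled suites. */
    static void restrictSuites(SSLServerSocket server) {
        server.setEnabledCipherSuites(withoutIdea(server.getEnabledCipherSuites()));
    }

    public static void main(String[] args) {
        // Constructed sample list; the IDEA suite is a standard JSSE suite name.
        String[] sample = {
            "SSL_RSA_WITH_IDEA_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
        };
        System.out.println(Arrays.toString(withoutIdea(sample)));
    }
}
```

The filter is the more robust of the two fixes: it does not depend on provider order or on whether some other component later registers BC globally, which is exactly the coupling that bit the console keystore code here.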