Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: general@incubator.apache.org
Received-SPF: pass (athena.apache.org: domain of jasnell@gmail.com designates
 209.85.198.190 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:x-enigmail-version:content-type:content-transfer-encoding;
        b=TpVxDysrCiyJsCY48YN/7Kizit1RL1qtYs2MbPoEivPPsJvjQiaBDR4M5HtNZ/m3I2rQ2ZCzgjnrbgW5j3effHuftjOCS7ZX/I/CcCAHU7tjxN/PfpFNjE3St/2nIvghxUspXC4merj8pfhFSf7J/7KdSi3vYjYoBCyzV3eQGAc=
Message-ID: <46EC23AF.10608@gmail.com>
Date: Sat, 15 Sep 2007 11:25:51 -0700
From: James M Snell <jasnell@gmail.com>
User-Agent: Thunderbird 2.0.0.6 (X11/20070728)
MIME-Version: 1.0
To: general@incubator.apache.org
Subject: Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0
References: <33e260400709141226l6c7f5539p6ab3199c15d6045b@mail.gmail.com>
 <698AF826-4064-4B8B-9D6E-B1BE947B6D46@gmail.com>
 <71e1b5740709150259r2efc6166gc86832a02c4e6a10@mail.gmail.com>
 <91EF7315-E4CA-4565-A157-ABA70711DAF6@gmail.com>
In-Reply-To: <91EF7315-E4CA-4565-A157-ABA70711DAF6@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

FWIW, just as a general FYI, Abdera also ships the bouncycastle jar but
use of the jar is limited to the optional security and example modules
and it's use has been documented in several locations.

- James

Kevan Miller wrote:
> 
> On Sep 15, 2007, at 5:59 AM, ant elder wrote:
> 
>> On 9/15/07, Kevan Miller <kevan.miller@gmail.com> wrote:
>>>
>>>
>>> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>>>
>>>> Hi,
>>>>
>>>> We are using Apache Rampart 1.3 to enable ws security into the ws-
>>>> binding-axis2 module for Apache Tuscany v1.0 which we hope to
>>>> release in a week.  Using Rampart seems to bring in the
>>>> Bouncycastle dependency for encryption functions.  I have followed
>>>> the instructions on http://www.apache.org/dev/crypto.html#sources
>>>> and I have attached the patch in this mail to include Tuscany to
>>>> the matrix on http://www.apache.org/licenses/exports/.  I have also
>>>> run the xsl and the generated mail sample is also attached in this
>>>> mail.
>>>>
>>>> Could somebody please help with reviewing and applying the patch.
>>>> Also, is there anything else to do with this other than the mention
>>>> on the Distro README which we will do.
>>>
>>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>>> and a patented IDEA algorithm implemented by BouncyCastle -- http://
>>> mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%
>>> 3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e
>>>
>>> Here's some background information -- http://mail-archives.apache.org/
>>> mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-
>>> B886-43C3-8D54-47B558B6DD66@apache.org%3E
>>>
>>> Did the Tuscany project reach a decision about the patented IDEA
>>> algorithm in BouncyCastle?
>>
>>
>> That previous discussion was about including a JXTA dependency, for
>> this one
>> I think we're just following what we've seen other Apache projects that
>> support ws-security are doing, so I guess we were assuming was ok. Are
>> you
>> saying its not ok to distribute the BouncyCastle jar (and if so then
>> is the
>> Geronimo jar a drop in replacement)?
> 
> Hi Ant,
> I wasn't aware of other projects using BouncyCastle. I would hope that
> they've considered the patent issues regarding BouncyCastle's encryption
> library.
> 
> I'm not saying that you cannot ship the BouncyCastle jar. I am saying
> that the Tuscany project should make a decision about what to do with
> the BouncyCastle jar. If you ask my opinion, I would recommend you not
> distribute the BouncyCastle jar, but that's only my opinion.
> 
> I'm not aware of an explicit Apache policy that prohibits shipping the
> jar file (assuming that your license and notice files properly document
> the jar). I think the patent issues associated with it should at least
> cause a concern for a project. Ultimately, I think it's a project
> decision. At a minimum, these issues need to be properly documented to
> your users, so they can make an informed decision. The Geronimo project
> decided not to redistribute the BouncyCastle jar. Instead, we copied
> unencumbered code into the Geronimo project (we only needed an
> ASN1.codec implementation).
> 
> Here's background information for you:
> 
> BouncyCastle implements the IDEA algorithm (e.g. in
> bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
> held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
> variety of commercial/non-commercial licenses for use of the IDEA
> algorithm (e.g.
> http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
> BouncyCastle does a horrible job of communicating this information to
> consumers of the BouncyCastle jar. BouncyCastle is aware that they are
> shipping encumbered code --
> http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
> references the patent. I've seen claims that MediaCrypt will only pursue
> royalties from actual "users" of the algorithm --
> http://www.bouncycastle.org/devmailarchive/msg05065.html.
> 
> --kevan
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org