Hi Thilo,

On 02/25/2017 06:31 PM, Thilo-Alexander Ginkel wrote:
> 1. There is an existing BCrypt implementation for Java, jBCrypt [1, 2]
> licensed under the ISC license, which is compatible with the Apache
> License 2.0 according to [3]. Do you consider it acceptable to
> introduce a new dependency to support a new encryption algorithm?
> AFAICS the dependency would need to be added to
> org.apache.directory.api:api-ldap-model.

In general that sounds ok. The library is minimal, contains only the one BCrypt class, no further dependencies. (Side note: the same class is meanwhile used, in modified form, in Spring Security [5].) Only question is if additional paperwork is required [4]?

On the other hand, ApacheDS (but not the API) already uses the Bouncycastle dependency, which also contains a BCrypt implementation.

3rd option: commons-codec has support for other Unix crypt variants, but BCrypt is missing. Maybe it makes sense to add BCrypt there?

> 2. Would you prefer an implementation as crypt variant (sub-prefix
> $2a$) or a separate algorithm?

Using {crypt}$2a$... would be my preferred choice. We already support the MD5 based {crypt} variant and also $5$ and $6$ variants.

Kind Regards,
Stefan

[4] https://www.apache.org/dev/crypto.html
[5] https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
[6] https://issues.apache.org/jira/browse/CODEC-133
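The reply settles on carrying BCrypt as a `{crypt}$2a$...` sub-variant next to the existing `$1$`-style MD5, `$5$` and `$6$` crypt forms. The following is an added example, not code from this thread, from Apache Directory or from jBCrypt, showing the structural check a password verifier should do before handing a stored `{crypt}` value to any hashing routine: recognise which variant the `$id$` prefix names, and reject values whose cost, salt or digest do not have the shape that variant defines. The modulo-crypt field layouts (two-digit bcrypt cost, 22+31 characters of bcrypt's own `./A-Za-z0-9` alphabet, the optional `rounds=` field and fixed 22/43/86-character digests of the `$1$`/`$5$`/`$6$` forms) are standard for these schemes; the sample values are constructed to have the right shape and are not hashes of any real password. Only the `$2a$` revision the thread proposes is accepted; other bcrypt revision markers are deliberately rejected.

```python
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt uses its own base64 alphabet: ./A-Za-z0-9 (not RFC 4648 base64).
_B64 = r"[./A-Za-z0-9]"

# {crypt}$2a$<cost>$<22-char salt><31-char hash>; only the $2a$ revision
# proposed in the thread is accepted here.
_BCRYPT_RE = re.compile(
    r"^\$2a\$(?P<cost>\d{2})\$(?P<salt>" + _B64 + r"{22})(?P<digest>" + _B64 + r"{31})$"
)

# $<id>$[rounds=<n>$]<salt>$<digest> for md5crypt ($1$), sha256crypt ($5$)
# and sha512crypt ($6$), the variants the thread says are already supported.
_UNIX_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<digest>"
    + _B64 + r"+)$"
)
_SCHEME_NAME = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
_DIGEST_LEN = {"1": 22, "5": 43, "6": 86}   # fixed encoded digest lengths
_MAX_SALT = {"1": 8, "5": 16, "6": 16}


@dataclass(frozen=True)
class CryptHash:
    scheme: str           # "bcrypt", "md5crypt", "sha256crypt" or "sha512crypt"
    cost: Optional[int]   # bcrypt cost (log2 rounds) or sha*crypt rounds, if given
    salt: str
    digest: str


def parse_crypt_password(value: str) -> CryptHash:
    """Split a '{crypt}...' userPassword value into its parts.

    Raises ValueError for anything that is not a well-formed instance of one
    of the supported variants, so a verifier never sees malformed input.
    """
    if not value.startswith("{crypt}"):
        raise ValueError("not a {crypt} value")
    body = value[len("{crypt}"):]

    m = _BCRYPT_RE.match(body)
    if m:
        cost = int(m["cost"])
        if not 4 <= cost <= 31:               # bcrypt's defined cost range
            raise ValueError(f"bcrypt cost out of range: {cost}")
        return CryptHash("bcrypt", cost, m["salt"], m["digest"])

    m = _UNIX_RE.match(body)
    if m:
        ident = m["id"]
        if len(m["salt"]) > _MAX_SALT[ident]:
            raise ValueError(f"salt too long for ${ident}$")
        if len(m["digest"]) != _DIGEST_LEN[ident]:
            raise ValueError(f"digest length wrong for ${ident}$")
        if ident == "1" and m["rounds"] is not None:
            raise ValueError("md5crypt takes no rounds parameter")
        rounds = int(m["rounds"]) if m["rounds"] is not None else None
        return CryptHash(_SCHEME_NAME[ident], rounds, m["salt"], m["digest"])

    raise ValueError("unsupported or malformed crypt variant")


def is_supported_crypt(value: str) -> bool:
    """True if the value parses as one of the supported {crypt} variants."""
    try:
        parse_crypt_password(value)
        return True
    except ValueError:
        return False


# Constructed sample values: right shape and alphabet, not real hashes of any password.
SAMPLE_BCRYPT = "{crypt}$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_SHA512 = ("{crypt}$6$rounds=5000$saltsalt$"
                 + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                 + "./ABCDEFGHIJKLMNOPQRSTUV")                       # 86-char digest
SAMPLE_MD5 = "{crypt}$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV"             # 22-char digest
SAMPLE_BAD = [
    "{crypt}$2a$03$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost 3 below minimum
    "{crypt}$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # revision not accepted
    "{crypt}$6$saltsalt$tooshort",                                         # truncated digest
    "{SSHA}notacryptvalue",                                                 # different scheme
]

if __name__ == "__main__":
    for v in [SAMPLE_BCRYPT, SAMPLE_SHA512, SAMPLE_MD5] + SAMPLE_BAD:
        try:
            print(parse_crypt_password(v))
        except ValueError as e:
            print(f"rejected {v[:20]}...: {e}")
```

Doing this split before verification keeps the dispatch between the MD5, SHA and BCrypt code paths in one place and means a stored value with an unexpected prefix or a cost outside bcrypt's range fails closed instead of being passed to a routine that may interpret it differently.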