[ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330404 ]
David Jencks commented on GERONIMO-880:
---------------------------------------

That should have been GERONIMO-887

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch
>
> Current Geronimo is shipping the full bouncycastle jar file, which includes
> an implementation of the IDEA encryption algorithm. Additionally, the
> openejb code explicitly includes the IDEA algorithm in its supported
> cryptography suite.
>
> The IDEA algorithm is a bit problematic, since the royalty agreement is for
> non-commercial use only...royalties are expected for commercial use. It's
> not clear what the definition of commercial use would actually be, but any
> user building a commercial website with Geronimo might be at risk for a
> patent claim just from the presence of the code. Additionally, since there
> is no way to explicitly enable or disable the IDEA suite, a user might be
> using the code for commercial purposes without even knowing it.
>
> The presence of this code is also a problem for any companies wishing to
> embed Geronimo in a commercial offering. Having this code in the Geronimo
> base would probably kick in the commercial uses clause and make those
> companies subject to royalties.
>
> The IDEA code in bouncycastle is not easily removed because the
> encryption engines are not dynamically loaded. It would be a simple matter to
> replace the IDEA engine class with a simple one that merely threw an
> exception (see attached class). The openejb code probably needs to remove
> the IDEA algorithms from the supported list as well.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira