Thank you Rob,

Actually, we were wondering about the "dojo-1.10.3-distribution.zip" available under the lib directory of the downloaded broker zip. So from your answers, you only use it in the web console.

One last question, what happens if we delete this dependency? Could we still contact the broker via REST using SSL/SASL to manage queues, exchanges, etc?

Regards,
Adel

________________________________
From: Rob Godfrey <[email protected]>
Sent: Wednesday, March 29, 2017 11:38:30 PM
To: [email protected]
Subject: Re: [Java Broker - 6.0.4] Dojo toolkit dependency

Are you talking about dojo itself, or the fact that the http-management plugin also notes that "This bundles portions of crypto-js, which is under the MIT licence"?

The only "cryptographic functions" used within the web console are those necessary to implement the necessary SASL authentication mechanisms. In particular SHA-1, SHA-256 (and for historical reasons MD5) hashing. There is no encryption used within the console (other than TLS through the standard browser mechanism).

The use of crypto-js code was because dojo didn't have an implementation of the necessary HMAC mechanisms for SHA-1 / SHA-256 if I remember correctly. (See https://tools.ietf.org/html/rfc5802 and https://tools.ietf.org/html/rfc7677 for details of the SCRAM-SHA* SASL mechanisms).

Hope this helps,
Rob

On 29 March 2017 at 21:17, Adel Boutros <[email protected]> wrote:

> Hello,
>
> While our legal team was reviewing the Broker's packaged dependencies and
> their licenses, they had some questions regarding Dojo toolkit materials
> which I hope you can help me with:
>
> * Could you please list all cryptographic means contained in the dojo
> materials used?
>
> * Could you please describe:
>
> 1) the purpose(s) for which the dojo materials use these cryptographic
> means
>
> 2) whether these means will be accessible to end users
>
> * Why is this dependency needed and could we omit it from distribution?
>
> Regards,
>
> Adel
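
Added example, not part of the thread and not the broker's web console code: the client side of the SCRAM-SHA-1 / SCRAM-SHA-256 computation from the RFCs linked in Rob's reply, showing that it needs only a hash, HMAC and XOR, with no encryption step. It uses Node's built-in `crypto` module instead of crypto-js; the function names are hypothetical, and the sample exchange is the test exchange printed in RFC 5802.

```javascript
const crypto = require('crypto');

const hmac = (alg, key, data) => crypto.createHmac(alg, key).update(data).digest();
const hash = (alg, data) => crypto.createHash(alg).update(data).digest();

// alg is 'sha1' (SCRAM-SHA-1) or 'sha256' (SCRAM-SHA-256).
// Assumption: the password is already SASLprep-normalised (true for plain ASCII).
function scramProofs(alg, password, clientFirstBare, serverFirst, clientFinalNoProof) {
  // server-first-message: r=<combined nonce>,s=<base64 salt>,i=<iteration count>
  const attrs = {};
  for (const part of serverFirst.split(',')) attrs[part[0]] = part.slice(2);
  const iterations = Number(attrs.i);
  if (!attrs.r || !attrs.s || !Number.isInteger(iterations) || iterations < 1) {
    throw new Error('malformed server-first-message');
  }
  // The combined nonce must start with the nonce this client sent.
  const clientNonce = (clientFirstBare.split(',r=')[1] || '').split(',')[0];
  if (!clientNonce || !attrs.r.startsWith(clientNonce)) {
    throw new Error('server nonce does not extend client nonce');
  }
  // Hi() in RFC 5802 is PBKDF2 with HMAC as the PRF and one hash-length output block.
  const salt = Buffer.from(attrs.s, 'base64');
  const salted = crypto.pbkdf2Sync(password, salt, iterations, hash(alg, '').length, alg);
  const clientKey = hmac(alg, salted, 'Client Key');
  const storedKey = hash(alg, clientKey);
  const authMessage = `${clientFirstBare},${serverFirst},${clientFinalNoProof}`;
  const clientSignature = hmac(alg, storedKey, authMessage);
  // ClientProof := ClientKey XOR ClientSignature (sent as p= in client-final-message)
  const clientProof = Buffer.from(clientKey.map((b, i) => b ^ clientSignature[i]));
  const serverSignature = hmac(alg, hmac(alg, salted, 'Server Key'), authMessage);
  return {
    clientProof: clientProof.toString('base64'),
    serverSignature: serverSignature.toString('base64'),
  };
}

// Checks the v= value of the server-final-message in constant time.
function serverFinalIsValid(expectedSignature, serverFinal) {
  if (!serverFinal.startsWith('v=')) return false; // e.g. "e=<error>"
  const got = Buffer.from(serverFinal.slice(2), 'base64');
  const want = Buffer.from(expectedSignature, 'base64');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Sample input: the test exchange from RFC 5802 (user "user", password "pencil").
const RFC5802 = {
  clientFirstBare: 'n=user,r=fyko+d2lbbFgONRv9qkxdawL',
  serverFirst: 'r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096',
  clientFinalNoProof: 'c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j',
};
```

The password itself never leaves the client; only the proof and the server's signature cross the wire, which is why the console needs HMAC and hashing but no cipher beyond the browser's TLS.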
