Geronimo ships patent-protected bouncycastle IDEA implementation. 
------------------------------------------------------------------

         Key: GERONIMO-880
         URL: http://issues.apache.org/jira/browse/GERONIMO-880
     Project: Geronimo
        Type: Bug
  Components: console, OpenEJB  
 Environment: All
    Reporter: Rick McGuire


Current Geronimo is shipping the full bouncycastle jar file, which includes an 
implementation of the IDEA encryption algorithm.  Additionally, the openejb 
code explicitly includes the IDEA algorithm in its supported cryptography suite.

The IDEA algorithm is a bit problematic, since the royalty agreement is for 
non-commercial use only...royalties are expected for commercial use.  It's not 
clear what the definition of commercial use would actually be, but any user 
building a commercial website with Geronimo might be at risk for a patent claim 
just from the presence of the code.  Additionally, since there is no way to 
explicitly enable or disable the IDEA suite, a user might be using the code 
for commercial purposes without even knowing it. 

The presence of this code is also a problem for any companies wishing to embed 
Geronimo in a commercial offering.  Having this code in the Geronimo base would 
probably kick in the commercial uses clause and make those companies subject to 
royalties.

The IDEA code in bouncycastle is not easily removed because the encryption 
engines are not dynamically loaded.  It would be a simple matter to replace the 
IDEA engine class with a simple one that merely threw an exception (see 
attached class).  The openejb code probably needs to remove the IDEA algorithms 
from the supported list as well. 
