David Jencks wrote:
On Aug 30, 2005, at 4:38 PM, Bruce Snyder wrote:
On 8/30/05, Geir Magnusson Jr. <[EMAIL PROTECTED]> wrote:
In Apache Geronimo and dependencies like OpenEJB, (and probably other
projects at the ASF...) we are using an external project known as
'bouncycastle' (http://www.bouncycastle.org/), a fairly well known
implementation of crypto-related stuff in Java.
Inside the distro jar from bouncycastle is an implementation of the
IDEA algorithm. This algorithm is patented, and the patent holder,
MediaCrypt, requires licenses for all implementations of IDEA, and
there's no unfettered use - even non-commercial distribution requires
some kind of correspondence with MediaCrypt.
http://www.mediacrypt.com/
You have to find the license section...
So, here's the problem - I don't believe either Geronimo or OpenEJB
is using the algorithm explicitly but I can't be sure that it isn't
invoked somewhere, and statements from the MediaCrypt site such as
"Requests by freeware developers to obtain a royalty-free license to
spread an application program containing the algorithm not for
commercial purposes must be directed to MediaCrypt"
make me believe that we have to do something to redistribute this
software.
(I can't help noting how the infinitive "to spread" makes the GPL's
language on "distribution" look clear.. :)
Of course, there are other terms for commercial users.
So, what should we do?
How about asking the Bouncy Castle people for some advice on what to
do? They're distributing the artifacts affected by these statements
from MediaCrypt, what do they recommend to their user base regarding
redistribution and use?
Good idea. Alternatively for our use, it looks like the directory
project has its own asn1 implementation. IIUC that is all we use in
the openejb corba code. Can we sidestep this problem by using the
directory's asn1 implementation?
The directory's asn1 implementation doesn't include support for X509
names, which is really the only bit used by the corba code.
Also, the console is using the bouncycastle code to implement its
keystore. Unfortunately, the APIs used for that require the bc code to
be installed as a JCE security provider. A JCE security provider needs
to be in a signed jar, which pretty much precludes just snipping the
idea code from the jar file. This would have worked for the openejb
asn1 support, but not for every use.
Rick
david jencks
Bruce