So it seems like we need to bail on BC.
I haven't seen anything from OpenEJB on this - David, would it be
possible to a) stop making IDEA a possibility, and b) use something
else for the ASN1 encoding/decoding? Can the directory project's
library be enhanced?
geir
On Sep 6, 2005, at 6:04 AM, Rick McGuire wrote:
Aaron Mulder (JIRA) wrote:
[ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12322586 ]
Aaron Mulder commented on GERONIMO-880:
---------------------------------------
Whatever we do to disable it, there should be a procedure to
enable it if you happen to have a license or whatever. That is to
say, if we disable it in OpenEJB, it should probably be via a
properties file listing allowed algorithms or something, which the
admin could add IDEA to if they believe it's appropriate. If we
distribute a lesser JAR, then it should be easy enough to provide
directions on how to replace it with the full JAR.
There are two separate issues here: 1) The jar file containing the
IDEA code, and 2) The hardcoded enabling of the IDEA algorithms in
SSLCipherSuiteDatabase. The combination of these two can lead to
inadvertent (and unknown) use of the IDEA algorithms. A more
appropriate solution would have SSLCipherSuiteDatabase take the
supported algorithms from a property file or GBean properties, thus
allowing user customization if they choose to move to a fuller
function jar file.
I've also done a little research on the bc code. The IDEA algorithm
is not the only patent protected algorithm where royalties for
commercial use are required. The RC5 and RC6 algorithms are also
patent protected, and the Skipjack algorithm is patent pending.
Rick
Geronimo ships patent-protected bouncycastle IDEA implementation.
-----------------------------------------------------------------
Key: GERONIMO-880
URL: http://issues.apache.org/jira/browse/GERONIMO-880
Project: Geronimo
Type: Bug
Components: console, OpenEJB
Environment: All
Reporter: Rick McGuire
Fix For: 1.0
Attachments: IDEAEngine.java
Current Geronimo is shipping the full bouncycastle jar file,
which includes an implementation of the IDEA encryption
algorithm. Additionally, the openejb code explicitly includes
the IDEA algorithm in its supported cryptography suite.
The IDEA algorithm is a bit problematic, since the royalty
agreement is for non-commercial use only...royalties are expected
for commercial use. It's not clear what the definition of
commercial use would actually be, but any user building a
commercial website with Geronimo might be at risk for a patent
claim just from the presence of the code. Additionally, since
there is no way to explicitly enable or disable the IDEA suite,
a user might be using the code for commercial purposes without
even knowing it. The presence of this code is also a problem for
any companies wishing to embed Geronimo in a commercial
offering. Having this code in the Geronimo base would probably
kick in the commercial uses clause and make those companies
subject to royalties.
The IDEA code in bouncycastle is not easily removed because
the encryption engines are not dynamically loaded. It would be a
simple matter to replace the IDEA engine class with a simple one
that merely threw an exception (see attached class). The openejb
code probably needs to remove the IDEA algorithms from the
supported list as well.
--
Geir Magnusson Jr +1-203-665-6437
[EMAIL PROTECTED]
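
The property-driven allow list proposed in this thread, sketched as an added example (not code from Geronimo, OpenEJB or any poster). The class name, the `ssl.allowedAlgorithms` key and the sample suite names are assumptions; the filter is default-deny, so IDEA is only enabled when an admin lists it.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class CipherSuiteAllowList {
    // Hypothetical property key; the thread does not name one.
    static final String KEY = "ssl.allowedAlgorithms";

    // Cipher part of a suite name: TLS_RSA_WITH_IDEA_CBC_SHA -> IDEA_CBC
    static String cipherOf(String suite) {
        int with = suite.indexOf("_WITH_");
        int start = with >= 0 ? with + 6 : suite.indexOf('_') + 1;
        int end = suite.lastIndexOf('_');
        return end > start ? suite.substring(start, end) : suite.substring(start);
    }

    // Default deny: keep a suite only if its cipher is listed by the admin.
    static List<String> filter(String[] suites, Properties props) {
        List<String> allowed = new ArrayList<>();
        for (String a : props.getProperty(KEY, "").split(",")) {
            if (!a.trim().isEmpty()) allowed.add(a.trim().toUpperCase());
        }
        List<String> enabled = new ArrayList<>();
        for (String suite : suites) {
            String cipher = cipherOf(suite);
            for (String a : allowed) {
                // Match whole tokens so "DES" does not enable "DES40".
                if (cipher.equals(a) || cipher.startsWith(a + "_")) {
                    enabled.add(suite);
                    break;
                }
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not taken from Geronimo or OpenEJB.
        String[] suites = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_IDEA_CBC_SHA"
        };
        Properties props = new Properties();
        props.load(new StringReader(KEY + "=AES, 3DES\n")); // shipped default
        System.out.println(filter(suites, props));
        props.setProperty(KEY, "AES, 3DES, IDEA"); // admin opts in explicitly
        System.out.println(filter(suites, props));
    }
}
```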