[ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Geir Magnusson Jr updated GERONIMO-880:
---------------------------------------

    Fix Version: 1.0-M5
                     (was: 1.0)
        Version: 1.0-M5

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java
>
> Current Geronimo is shipping the full bouncycastle jar file, which includes 
> an implementation of the IDEA encryption algorithm.  Additionally, the 
> openejb code explicitly includes the IDEA algorithm in its supported 
> cryptography suite.
> The IDEA algorithm is a bit problematic, since the royalty agreement is for 
> non-commercial use only...royalties are expected for commercial use.  It's 
> not clear what the definition of commercial use would actually be, but any 
> user building a commercial website with Geronimo might be at risk for a 
> patent claim just from the presence of the code.  Additionally, since there 
> is no way to explicitly enable or disable the IDEA suite, a user might be 
> using the code for commercial purposes without even knowing it. 
> The presence of this code is also a problem for any companies wishing to 
> embed Geronimo in a commercial offering.  Having this code in the Geronimo 
> base would probably kick in the commercial uses clause and make those 
> companies subject to royalties.
> The IDEA code in bouncycastle is not easily removed because the 
> encryption engines are not dynamically loaded.  It would be a simple matter to 
> replace the IDEA engine class with a simple one that merely threw an 
> exception (see attached class).  The openejb code probably needs to remove 
> the IDEA algorithms from the supported list as well. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
