[ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330411 ]

David Jencks commented on GERONIMO-880:
---------------------------------------

Forgot the openejb part:
Checking in etc/project.properties;
new revision: 1.57; previous revision: 1.56
Checking in m2/ejb-assembly.pom;
new revision: 1.3; previous revision: 1.2
Checking in m2/ejb-core.pom;
new revision: 1.4; previous revision: 1.3
Checking in m2/ejb-group.pom;
new revision: 1.8; previous revision: 1.7
Checking in modules/core/project.xml;
new revision: 1.59; previous revision: 1.58
Checking in modules/core/src/etc/META-INF/geronimo-service.xml;
new revision: 1.12; previous revision: 1.11
Checking in modules/core/src/java/org/openejb/corba/security/ClientSecurityInterceptor.java;
new revision: 1.9; previous revision: 1.8
Checking in modules/core/src/java/org/openejb/corba/sunorb/SSLCipherSuiteDatabase.java;
new revision: 1.3; previous revision: 1.2
Checking in modules/core/src/java/org/openejb/corba/util/Util.java;
new revision: 1.21; previous revision: 1.20
Checking in modules/openejb-builder/project.xml;
new revision: 1.36; previous revision: 1.35

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch
>
> Current Geronimo is shipping the full bouncycastle jar file, which includes 
> an implementation of the IDEA encryption algorithm.  Additionally, the 
> openejb code explicitly includes the IDEA algorithm in its supported 
> cryptography suite.
> The IDEA algorithm is a bit problematic, since the royalty agreement is for 
> non-commercial use only...royalties are expected for commercial use.  It's 
> not clear what the definition of commercial use would actually be, but any 
> user building a commercial website with Geronimo might be at risk for a 
> patent claim just from the presence of the code.  Additionally, since there 
> is no way to explicitly enable or disable the IDEA suite, a user might be 
> using the code for commercial purposes without even knowing it. 
> The presence of this code is also a problem for any companies wishing to 
> embed Geronimo in a commercial offering.  Having this code in the Geronimo 
> base would probably kick in the commercial uses clause and make those 
> companies subject to royalties.
> The IDEA code in bouncycastle is not easily removed because the 
> encryption engines are not dynamically loaded.  It would be a simple matter to 
> replace the IDEA engine class with a simple one that merely threw an 
> exception (see attached class).  The openejb code probably needs to remove 
> the IDEA algorithms from the supported list as well. 
