Hi Julius,

it's great to see that you finally got the proposal ball rolling :-)

I didn't look into your code, so my comments are based on the proposal
itself and on your web page. I like the positive attitude with which
you present the advantages of the project. However, I am missing a
clear definition of the _project_scope_. That may seem like a small
detail, but it really is a precondition for finding both an appropriate
name and home for your code base.
From your description, I understand that the purpose is
- giving easy access to different types of key material and certificates
- verifying certificates and certificate chains
- bridging different Java APIs (?)

The working title "Commons-SSL" does not really reflect this. Do you
plan to implement the SSL protocol as part of the project? Probably
not, so the title is misleading. An all-encompassing name might also
be offensive to people working on other SSL-related projects. I think
you should spend the time and define not only a motto, but a very clear
scope of the project. Both in terms of what's in scope as well as what's
out of scope. From there on, we can work on finding a name and home.

Please do not underestimate the importance of this step. Finding a
name may seem like a minor detail, but the problem of defining the
scope is very real. Only a few months ago, there was a long discussion
on this list about a proposal for "testing.apache.org". I haven't read
anything about it anymore after the supporters realized that a scope of
"everything that has to do with testing" was overly broad. We don't
want to see that happen to your proposal.


I am also a little worried about this statement on your web page:

> The PKCS12 key derivation function (for some PKCS8 version 1.5 encrypted
> keys) was cut & paste from BouncyCastle (bouncycastle.org). They
> originally got it from RSA's PKCS12 specification
> (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf),
> so we hope this copy & paste operation is okay!

The BouncyCastle license (http://bouncycastle.org/licence.html)
is quite specific that the license must remain intact. You can
not just relicense their code under the Apache License. That's
assuming that the part you copied and pasted was not explicitly
released with a different license.

cheers,
  Roland
