Posted to rampart-dev@ws.apache.org by David Illsley <da...@gmail.com> on 2007/09/18 13:01:05 UTC

Fwd: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

FYI... a discussion on general@incubator because of a Rampart
dependency on bouncycastle...

Start of thread:
http://mail-archives.apache.org/mod_mbox/incubator-general/200709.mbox/%3c33e260400709141226l6c7f5539p6ab3199c15d6045b@mail.gmail.com%3e

---------- Forwarded message ----------
From: William A. Rowe, Jr. <wr...@rowe-clan.net>
Date: 16 Sep 2007 03:03
Subject: Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0
To: general@incubator.apache.org


Kevan Miller wrote:
>>
>> That previous discussion was about including a JXTA dependency. For this one
>> I think we're just following what we've seen other Apache projects that
>> support ws-security are doing, so I guess we were assuming it was ok. Are you
>> saying it's not ok to distribute the BouncyCastle jar (and if so, then
>> is the Geronimo jar a drop-in replacement)?
>
> I wasn't aware of other projects using BouncyCastle. I would hope that
> they've considered the patent issues regarding BouncyCastle's encryption
> library.

Those would be a problem if there is encumbered code which has not been
licensed to the ASF for distribution, and we are aware of those encumbrances.

So are JXTA/Geronimo/others shipping BouncyCastle?  Calling it out as an
optional dependency?  A hard dependency?

> I'm not saying that you cannot ship the BouncyCastle jar.

The board does, if it includes an implementation of IDEA and no patent
grant or license is associated with it.

E.g. those projects which ship openssl binaries must do so by inhibiting
the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the bouncycastle jar
distros have a similar segregation?  An unencumbered flavor we can ship?

> I am saying
> that the Tuscany project should make a decision about what to do with
> the BouncyCastle jar. If you ask my opinion, I would recommend you not
> distribute the BouncyCastle jar, but that's only my opinion.

Actually no, if it's encumbered, it's out of Tuscany's scope to make
that decision.

> I'm not aware of an explicit Apache policy that prohibits shipping the
> jar file (assuming that your license and notice files properly document
> the jar).

You cannot ship any source/binaries from the ASF with known patent violations
without explicit board approval (which might be given if the ASF has reviewed
the claim and we've determined it is without merit/is disputed by prior art,
and so forth.)

> Here's background information for you:
>
> BouncyCastle implements the IDEA algorithm (e.g. in
> bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
> held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
> variety of commercial/non-commercial licenses for use of the IDEA
> algorithm (e.g.
> http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
> BouncyCastle does a horrible job of communicating this information to
> consumers of the BouncyCastle jar. BouncyCastle is aware that they are
> shipping encumbered code --
> http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
> references the patent. I've seen claims that MediaCrypt will only pursue
> royalties from actual "users" of the algorithm --
> http://www.bouncycastle.org/devmailarchive/msg05065.html.

Which is to say we cannot ship it, because we can't inflict that on our
users, never mind the ASF's exposure.

Bill




-- 
David Illsley - IBM Web Services Development