Posted to dev@geronimo.apache.org by "Rick McGuire (JIRA)" <de...@geronimo.apache.org> on 2005/08/15 13:50:54 UTC

[jira] Created: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Geronimo ships patent-protected bouncycastle IDEA implementation. 
------------------------------------------------------------------

         Key: GERONIMO-880
         URL: http://issues.apache.org/jira/browse/GERONIMO-880
     Project: Geronimo
        Type: Bug
  Components: console, OpenEJB  
 Environment: All
    Reporter: Rick McGuire


Current Geronimo is shipping the full bouncycastle jar file, which includes an implementation of the IDEA encryption algorithm.  Additionally, the openejb code explicitly includes the IDEA algorithm in its supported cryptography suite.

The IDEA algorithm is a bit problematic, since the royalty agreement is for non-commercial use only...royalties are expected for commercial use.  It's not clear what the definition of commercial use would actually be, but any user building a commercial website with Geronimo might be at risk for a patent claim just from the presence of the code.  Additionally, since there is no way to explicitly enable or disable the IDEA suite, a user might be using the code for commercial purposes without even knowing it. 

The presence of this code is also a problem for any companies wishing to embed Geronimo in a commercial offering.  Having this code in the Geronimo base would probably kick in the commercial uses clause and make those companies subject to royalties.

The IDEA code in bouncycastle is not easily removed because the encryption engines are not dynamically loaded.  It would be a simple matter to replace the IDEA engine class with a simple one that merely threw an exception (see attached class).  The openejb code probably needs to remove the IDEA algorithms from the supported list as well. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12318819 ] 

Matt Hogstrom commented on GERONIMO-880:
----------------------------------------

I like the idea of throwing an exception so that users are protected from accidental patent infringement.  However, I think the message should be a bit clearer. What is needed is a support site that this message could point the user to, so that they could obtain a proper understanding of the problem as well as a resolution if they needed to use the algorithm.  As far as this issue is concerned, a brief description of the problem and how to obtain a full copy of bouncyCastle, as well as instructions for how to introduce it back into OpenEJB, would be awesome.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12318870 ] 

Rick McGuire commented on GERONIMO-880:
---------------------------------------

I'm fine with all of that.  I didn't intend that the code I attached be the file fix to this, but more of a strawman suggestion for how this might be fixed.

If the openejb cipher suite code is fixed to disable the IDEA algorithms, it is unlikely this exception would ever be seen as a user.  If we wish to allow users to use IDEA by downloading the full bouncycastle package, it might be wise to move the cipher suite configuration options into a GBean.  That's probably a bit more work though, but it can easily be stated to a future release. 

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java


[jira] Updated: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Rick McGuire updated GERONIMO-880:
----------------------------------

    Attachment: IDEAEngine.java

An example of how the IDEA code can be disabled.  This class would replace the existing IDEAEngine class in the jar file shipped with Geronimo. 

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330988 ] 

David Jencks commented on GERONIMO-880:
---------------------------------------

Files moved to correct directories:

head:
Adding         modules/util/src/java/org/apache/geronimo/util/asn1/misc/NetscapeRevocationURL.java
Adding         modules/util/src/java/org/apache/geronimo/util/asn1/misc/VerisignCzagExtension.java
Deleting       modules/util/src/java/org/apache/geronimo/util/jce/provider/NetscapeRevocationURL.java
Deleting       modules/util/src/java/org/apache/geronimo/util/jce/provider/VerisignCzagExtension.java

Committed revision 292849.
M5:
Committed revision 292850.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12319007 ] 

Rick McGuire commented on GERONIMO-880:
---------------------------------------

I found an interesting item in the bouncycastle dev mailing list.  They believe it is not a patent infringement to just distribute the IDEA code, but only if it is being used.  From this, it appears it might be sufficient to just disable the IDEA algorithms as options in the openejb code. 

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java


[jira] Assigned: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

David Jencks reassigned GERONIMO-880:
-------------------------------------

    Assign To: David Jencks

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Updated: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Aaron Mulder updated GERONIMO-880:
----------------------------------

    Fix Version: 1.0

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0
>  Attachments: IDEAEngine.java


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12322586 ] 

Aaron Mulder commented on GERONIMO-880:
---------------------------------------

Whatever we do to disable it, there should be a procedure to enable it if you happen to have a license or whatever.  That is to say, if we disable it in OpenEJB, it should probably be via a properties file listing allowed algorithms or something, which the admin could add IDEA to if they believe it's appropriate.  If we distribute a lesser JAR, then it should be easy enough to provide directions on how to replace it with the full JAR.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0
>  Attachments: IDEAEngine.java
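
Added example (not part of the thread and not Geronimo or OpenEJB code): one way to implement the properties-file allow-list suggested above, so that IDEA suites are dropped by default and an administrator can re-enable them. The class name, the `allowed.algorithms` key and the suite list are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/** Hypothetical allow-list for bulk cipher algorithms; illustration only. */
public class AlgorithmAllowList {

    /** Hypothetical property key; the thread does not name one. */
    static final String KEY = "allowed.algorithms";

    private final Set<String> allowed = new LinkedHashSet<>();

    AlgorithmAllowList(Properties props) {
        String value = props.getProperty(KEY);
        // Fail closed: a missing or empty list must not mean "everything is allowed".
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException(KEY + " is not set; refusing to enable any algorithm");
        }
        for (String name : value.split(",")) {
            String n = name.trim().toUpperCase(Locale.ROOT);
            if (!n.isEmpty()) {
                allowed.add(n);
            }
        }
    }

    /** Extracts the bulk cipher token, e.g. "IDEA" from "SSL_RSA_WITH_IDEA_CBC_SHA". */
    static String bulkCipher(String suite) {
        int i = suite.indexOf("_WITH_");
        if (i < 0) {
            return null; // unrecognised name: the caller treats it as not allowed
        }
        String rest = suite.substring(i + "_WITH_".length());
        int j = rest.indexOf('_');
        return (j < 0 ? rest : rest.substring(0, j)).toUpperCase(Locale.ROOT);
    }

    /** Keeps only the suites whose bulk cipher is on the allow-list. */
    List<String> filter(List<String> supported) {
        List<String> enabled = new ArrayList<>();
        for (String suite : supported) {
            String cipher = bulkCipher(suite);
            if (cipher != null && allowed.contains(cipher)) {
                enabled.add(suite);
            }
        }
        return enabled;
    }

    /** Guard for direct algorithm requests; the message tells the admin what to change. */
    void require(String algorithm) {
        if (!allowed.contains(algorithm.toUpperCase(Locale.ROOT))) {
            throw new SecurityException("Algorithm " + algorithm + " is disabled. Add it to '"
                    + KEY + "' only if your deployment is licensed to use it.");
        }
    }

    static AlgorithmAllowList load(String propertiesText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(propertiesText));
        return new AlgorithmAllowList(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample list of suites a server might advertise.
        List<String> supported = Arrays.asList(
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "SSL_RSA_WITH_IDEA_CBC_SHA",
                "SSL_RSA_WITH_NULL_SHA");

        // Shipped default: IDEA is simply absent from the list.
        AlgorithmAllowList shipped = load("allowed.algorithms=AES\n");
        System.out.println("default: " + shipped.filter(supported));

        // Administrator override for a licensed deployment.
        AlgorithmAllowList licensed = load("allowed.algorithms=AES, IDEA\n");
        System.out.println("licensed: " + licensed.filter(supported));

        try {
            shipped.require("IDEA");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the list is an allow-list, suites with an unrecognised or absent cipher token (including the NULL suite in the sample) are dropped unless named explicitly.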


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12319010 ] 

Rick McGuire commented on GERONIMO-880:
---------------------------------------

Oops, forgot to include a link to the discussion list item:

http://www.bouncycastle.org/devmailarchive/msg03477.html

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Kevan Miller (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330987 ] 

Kevan Miller commented on GERONIMO-880:
---------------------------------------

There's a minor problem with two of the files from r291352.

The files 

modules/util/src/java/org/apache/geronimo/util/jce/provider/NetscapeRevocationURL.java
modules/util/src/java/org/apache/geronimo/util/jce/provider/VerisignCzagExtension.java

should be moved to 

modules/util/src/java/org/apache/geronimo/util/asn1/misc/

This move will make their directory location consistent with their package name. It seems that maven doesn't mind the inconsistency...

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Updated: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Rick McGuire updated GERONIMO-880:
----------------------------------

    Attachment: geronimo-bc.patch
                openejb-bc.patch

The attached update includes a subset of the bouncycastle code which is sufficient to satisfy the needs of both the openejb code and the Geronimo console code.  This is two patches, one to the Geronimo code base, and a second patch to openejb to remove the bouncycastle usage that is dependent on the first patch. 

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330404 ] 

David Jencks commented on GERONIMO-880:
---------------------------------------

That should have been GERONIMO-887

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Updated: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Alan Cabrera (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Alan Cabrera updated GERONIMO-880:
----------------------------------

    Component: security

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Closed: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]
     
David Jencks closed GERONIMO-880:
---------------------------------

    Resolution: Fixed

Applied in Committed revision 291352.

I made one change: the gbean in applications/console-ear/src/plan/geronimo-application.xml appears to depend on a modified version of GERONIMO-997 being already committed: I commented out this gbean.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Updated: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Geir Magnusson Jr (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-880?page=all ]

Geir Magnusson Jr updated GERONIMO-880:
---------------------------------------

    Fix Version: 1.0-M5
                     (was: 1.0)
        Version: 1.0-M5

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12330411 ] 

David Jencks commented on GERONIMO-880:
---------------------------------------

Forgot the openejb part:
Checking in etc/project.properties;
new revision: 1.57; previous revision: 1.56
Checking in m2/ejb-assembly.pom;
new revision: 1.3; previous revision: 1.2
Checking in m2/ejb-core.pom;
new revision: 1.4; previous revision: 1.3
Checking in m2/ejb-group.pom;
new revision: 1.8; previous revision: 1.7
Checking in modules/core/project.xml;
new revision: 1.59; previous revision: 1.58
Checking in modules/core/src/etc/META-INF/geronimo-service.xml;
new revision: 1.12; previous revision: 1.11
Checking in modules/core/src/java/org/openejb/corba/security/ClientSecurityInterceptor.java;
new revision: 1.9; previous revision: 1.8
Checking in modules/core/src/java/org/openejb/corba/sunorb/SSLCipherSuiteDatabase.java;
new revision: 1.3; previous revision: 1.2
Checking in modules/core/src/java/org/openejb/corba/util/Util.java;
new revision: 1.21; previous revision: 1.20
Checking in modules/openejb-builder/project.xml;
new revision: 1.36; previous revision: 1.35

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: security, console, OpenEJB
>     Versions: 1.0-M5
>  Environment: All
>     Reporter: Rick McGuire
>     Assignee: David Jencks
>      Fix For: 1.0-M5
>  Attachments: IDEAEngine.java, geronimo-bc.patch, openejb-bc.patch


[jira] Commented: (GERONIMO-880) Geronimo ships patent-protected bouncycastle IDEA implementation.

Posted by "Rick McGuire (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-880?page=comments#action_12319158 ] 

Rick McGuire commented on GERONIMO-880:
---------------------------------------

Hmmm, another problem here.  The provider jar file is signed (a requirement for hooking in the JCE), which means we're unable to disable the IDEA code ourselves.  I posted a question about this on the bouncycastle dev list, and they might be willing to build us a jar file without the IDEA code included.

> Geronimo ships patent-protected bouncycastle IDEA implementation.
> -----------------------------------------------------------------
>
>          Key: GERONIMO-880
>          URL: http://issues.apache.org/jira/browse/GERONIMO-880
>      Project: Geronimo
>         Type: Bug
>   Components: OpenEJB, console
>  Environment: All
>     Reporter: Rick McGuire
>  Attachments: IDEAEngine.java

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
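The signed-jar constraint raised in the last comment above, as an added example that is not part of the original thread and is not Geronimo or Bouncy Castle code: a jar audit that lists IDEA classes, reports whether the jar carries signature files, and shows that swapping a class for a stub no longer matches the digest recorded in the manifest. The jar contents, the entry path and the `SAMPLE.SF` name are constructed for the demo, and only the manifest-digest step of jar verification is reproduced, not the signature check itself.

```python
import base64, hashlib, io, re, zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)
ENTRY = "org/bouncycastle/crypto/engines/IDEAEngine.class"  # constructed sample path

def manifest_digests(manifest_text):
    """Return {entry name: [(hash name, base64 digest)]} from MANIFEST.MF."""
    text = re.sub(r"\r?\n ", "", manifest_text)  # unfold wrapped continuation lines
    digests = {}
    for section in re.split(r"(?:\r?\n){2,}", text):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs:
            digests[attrs["Name"]] = [(k[:-len("-Digest")], v)
                                      for k, v in attrs.items() if k.endswith("-Digest")]
    return digests

def audit_jar(jar_bytes, needle="IDEA"):
    """Report signing status, classes whose simple name contains `needle`,
    and entries whose bytes no longer match the digest the manifest records."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        hits = [n for n in names
                if n.endswith(".class") and needle in n.rsplit("/", 1)[-1]]
        recorded = {}
        if "META-INF/MANIFEST.MF" in names:
            recorded = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        mismatched = set()
        for name, pairs in recorded.items():
            if name not in names:
                continue
            data = jar.read(name)
            for alg, b64 in pairs:  # e.g. "SHA1" or "SHA-256"
                actual = hashlib.new(alg.replace("-", "").lower(), data).digest()
                if base64.b64encode(actual).decode() != b64:
                    mismatched.add(name)
    return {"signed": any(SIG_FILE.match(n) for n in names),
            "idea_classes": hits, "digest_mismatch": sorted(mismatched)}

def build_sample_jar(class_bytes, recorded_bytes=None):
    """Constructed jar for the demo; the manifest digest covers recorded_bytes."""
    covered = class_bytes if recorded_bytes is None else recorded_bytes
    digest = base64.b64encode(hashlib.sha256(covered).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: {ENTRY}\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")  # placeholder
        jar.writestr(ENTRY, class_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    original, stub = b"constructed original class", b"constructed throwing stub"
    print(audit_jar(build_sample_jar(original)))
    print(audit_jar(build_sample_jar(stub, recorded_bytes=original)))
```

A non-empty `digest_mismatch` on a jar reported as signed is the condition under which jar verification rejects the archive, which is why the stub class could not simply be dropped into the signed provider jar.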