Posted to general@incubator.apache.org by Venkata Krishnan <fo...@gmail.com> on 2007/09/14 21:26:05 UTC

Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Hi,

We are using Apache Rampart 1.3 to enable ws security into the
ws-binding-axis2 module for Apache Tuscany v1.0 which we hope to release in
a week.  Using Rampart seems to bring in the Bouncycastle dependency for
encryption functions.  I have followed the instructions on
http://www.apache.org/dev/crypto.html#sources and I have attached the patch
in this mail to include Tuscany to the matrix on
http://www.apache.org/licenses/exports/.  I have also run the xsl and the
generated mail sample is also attached in this mail.

Could somebody please help with reviewing and applying the patch.  Also, is
there anything else to do with this other than the mention on the Distro
README which we will do.

Thanks.

- Venkat

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Venkata Krishnan <fo...@gmail.com>.
As far as Tuscany is concerned our dependency on BouncyCastle comes through our
use of Rampart 1.3.  I just checked up the Rampart distros and it does have
the bouncy castle jar packed in it - releases and snapshots (eg.
http://people.apache.org/dist/rampart/nightly/rampart-SNAPSHOT.zip).  Though
this is an indirect dependency I know it's impending on Tuscany to
individually address legal implications.  If there is something that Rampart
has followed for this, then I'd like to know that to follow in Tuscany as
well.

Thanks

- Venkat

On 9/16/07, James M Snell <ja...@gmail.com> wrote:
>
> I'll say "Generally Soft".  There are a couple of classes that require
> bouncy to compile, but their use is entirely optional.  Two of the
> classes are example code that is only shipped in source form -- we test
> compile the examples before shipping them.  The other classes are
> optional utility classes that are shipped as part of the optional
> security module.  Other crypto providers can be used as an alternative
> and it would literally only take a couple of minutes to remove the
> compile-time dependency.
>
> - James
>
> William A. Rowe, Jr. wrote:
> > James M Snell wrote:
> >> Well, as far as Abdera is concerned, there'd be absolutely no problem
> >> with not shipping the jar.  We can easily document how to go off and get
> >> the jar and the functions we're using it for can be provided by other
> >> crypto providers.  If the board does not want us shipping it, just let
> >> us know and I'll pull it out.
> >
> > Out of curiosity, is it a hard or soft dependency?
> >
> > And I'm still curious to know if bouncycastle has an unencumbered alternate
> > download without IDEA.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by James M Snell <ja...@gmail.com>.
I'll say "Generally Soft".  There are a couple of classes that require
bouncy to compile, but their use is entirely optional.  Two of the
classes are example code that is only shipped in source form -- we test
compile the examples before shipping them.  The other classes are
optional utility classes that are shipped as part of the optional
security module.  Other crypto providers can be used as an alternative
and it would literally only take a couple of minutes to remove the
compile-time dependency.

- James

William A. Rowe, Jr. wrote:
> James M Snell wrote:
>> Well, as far as Abdera is concerned, there'd be absolutely no problem
>> with not shipping the jar.  We can easily document how to go off and get
>> the jar and the functions we're using it for can be provided by other
>> crypto providers.  If the board does not want us shipping it, just let
>> us know and I'll pull it out.
> 
> Out of curiosity, is it a hard or soft dependency?
> 
> And I'm still curious to know if bouncycastle has an unencumbered alternate
> download without IDEA.

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
James M Snell wrote:
> Well, as far as Abdera is concerned, there'd be absolutely no problem
> with not shipping the jar.  We can easily document how to go off and get
> the jar and the functions we're using it for can be provided by other
> crypto providers.  If the board does not want us shipping it, just let
> us know and I'll pull it out.

Out of curiosity, is it a hard or soft dependency?

And I'm still curious to know if bouncycastle has an unencumbered alternate
download without IDEA.


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by James M Snell <ja...@gmail.com>.
Well, as far as Abdera is concerned, there'd be absolutely no problem
with not shipping the jar.  We can easily document how to go off and get
the jar and the functions we're using it for can be provided by other
crypto providers.  If the board does not want us shipping it, just let
us know and I'll pull it out.

- James

William A. Rowe, Jr. wrote:
> [snip]
> Which is to say we cannot ship it, because we can't inflict that on our
> users, never mind the ASF's exposure.
> 
> Bill

Fwd: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by David Illsley <da...@gmail.com>.
FYI... a discussion on general@incubator because of a Rampart
dependency on bouncycastle...

Start of thread:
http://mail-archives.apache.org/mod_mbox/incubator-general/200709.mbox/%3c33e260400709141226l6c7f5539p6ab3199c15d6045b@mail.gmail.com%3e

---------- Forwarded message ----------
From: William A. Rowe, Jr. <wr...@rowe-clan.net>
Date: 16 Sep 2007 03:03
Subject: Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0
To: general@incubator.apache.org


Kevan Miller wrote:
>>
>> That previous discussion was about including a JXTA dependency, for this one
>> I think we're just following what we've seen other Apache projects that
>> support ws-security are doing, so I guess we were assuming was ok. Are you
>> saying its not ok to distribute the BouncyCastle jar (and if so then
>> is the Geronimo jar a drop in replacement)?
>
> I wasn't aware of other projects using BouncyCastle. I would hope that
> they've considered the patent issues regarding BouncyCastle's encryption
> library.

Those would be a problem if there is encumbered code which has not been
licensed to the ASF for distribution, and we are aware of those encumbrances.

So are JXTA/Geronimo/others shipping BouncyCastle?  Calling it out as an
optional dependency?  A hard dependency?

> I'm not saying that you cannot ship the BouncyCastle jar.

The board does, if it includes an implementation of IDEA and no patent
grant or license is associated with it.

E.g. those projects which ship openssl binaries must do so by inhibiting
the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the bouncycastle jar
distros have a similar segregation?  An unencumbered flavor we can ship?

> I am saying
> that the Tuscany project should make a decision about what to do with
> the BouncyCastle jar. If you ask my opinion, I would recommend you not
> distribute the BouncyCastle jar, but that's only my opinion.

Actually no, if it's encumbered, it's out of Tuscany's scope to make
that decision.

> I'm not aware of an explicit Apache policy that prohibits shipping the
> jar file (assuming that your license and notice files properly document
> the jar).

You cannot ship any source/binaries from the ASF with known patent violations
without explicit board approval (which might be given if the ASF has reviewed
the claim and we've determined it is without merit/is disputed by prior art,
and so forth.)

> Here's background information for you:
>
> BouncyCastle implements the IDEA algorithm (e.g. in
> bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
> held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
> variety of commercial/non-commercial licenses for use of the IDEA
> algorithm (e.g.
> http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
> BouncyCastle does a horrible job of communicating this information to
> consumers of the BouncyCastle jar. BouncyCastle is aware that they are
> shipping encumbered code --
> http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
> references the patent. I've seen claims that MediaCrypt will only pursue
> royalties from actual "users" of the algorithm --
> http://www.bouncycastle.org/devmailarchive/msg05065.html.

Which is to say we cannot ship it, because we can't inflict that on our
users, never mind the ASF's exposure.

Bill



-- 
David Illsley - IBM Web Services Development

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Kevan Miller wrote:
> On Sep 15, 2007, at 10:03 PM, William A. Rowe, Jr. wrote:
> 
>> E.g. those projects which ship openssl binaries must do so by inhibiting
>> the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the bouncycastle jar
>> distros have a similar segregation?  An unencumbered flavor we can ship?
> 
> How exactly are the algorithms inhibited in openssl?

./configure no-mdc2 no-rc5 no-idea

The resulting binaries are entirely free of the encumbered algorithms.

Some who ship source code of openssl here in patent-land actually recurse
the source tree and strip any #ifdef sections relating to those defines
entirely from the sources as well.  But from the distributing binaries
point of view, there's no difference.



Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 16, 2007, at 11:37 AM, ant elder wrote:

> On 9/16/07, Kevan Miller <ke...@gmail.com> wrote:
>
> <snip>
>
>> I don't see an unencumbered BouncyCastle distribution which is not
>> encumbered.
>
> Is there any reason we can't just make one? The license seems ok for that:
> http://www.bouncycastle.org/licence.html. Is it just the one class in the
> bouncycastle jar that has the IDEA algorithm:
> org.bouncycastle.crypto.engines.IDEAEngine?
>
> If we use some jar processor such as the shade-maven-plugin to strip out
> that one class and create a new bcprov-no-idea-jdk15-136.jar and distribute
> that would that solve this problem? Could even try to get that new jar
> published in a repository somewhere so other projects can use it.

Ant,
If you can do that, I think that effectively inhibits IDEA support in
BouncyCastle. FYI, this email contains some information about
inhibiting IDEA -- http://www.bouncycastle.org/devmailarchive/msg05065.html

It seems that IDEAEngine is not the only class that requires  
modification. There are also some signing issues if you are using JCE...

--kevan



Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Henning Schmiedehausen <he...@apache.org>.
Please be aware that rebuilding the jar means that it is no longer
signed and does not work as a security provider.

If you want to use the bouncycastle security provider and this
recompiled jar in the same application, you will get clashes. Class
Loader fun. The whole monty. :-)

The cleanest solution might be to at least change the package names just as
Tomcat does with e.g. DBCP.

	best regards
		Henning


On Sun, 2007-09-16 at 16:37 +0100, ant elder wrote:
> On 9/16/07, Kevan Miller <ke...@gmail.com> wrote:
> 
> <snip>
> 
> > I don't see an unencumbered BouncyCastle distribution which is not
> > encumbered.
> 
> 
> Is there any reason we can't just make one? The license seems ok for that:
> http://www.bouncycastle.org/licence.html. Is it just the one class in the
> bouncycastle jar that has the IDEA algorithm:
> org.bouncycastle.crypto.engines.IDEAEngine?
> 
> If we use some jar processor such as the shade-maven-plugin to strip out
> that one class and create a new bcprov-no-idea-jdk15-136.jar and distribute
> that would that solve this problem? Could even try to get that new jar
> published in a repository somewhere so other projects can use it.
> 
>    ...ant
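
An added example, not part of the thread and not code from BouncyCastle or any ASF project: a Python audit of a jar for the two problems raised above, remaining classes that still reference a stripped IDEA class and signature files that do not survive repackaging. Only `org.bouncycastle.crypto.engines.IDEAEngine` comes from the thread; the `IDEA` name pattern, the `example/provider/*` classes and the `SAMPLE.*` signature files are constructed assumptions.

```python
"""Audit a jar before repackaging it without the IDEA classes (added example)."""
import io
import re
import zipfile

# Assumption: a class whose simple name contains "IDEA" belongs to the IDEA
# implementation. Only IDEAEngine is named in the thread; the pattern is meant
# to surface further candidates for manual review.
ENCUMBERED = re.compile(r"(^|/)[^/]*IDEA[^/]*\.class$")
# Files a signed jar keeps in META-INF: the signature file and its block file.
SIGNATURE = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.IGNORECASE)


def audit_jar(data: bytes) -> dict:
    """Report flagged classes, signature files, and classes that reference
    a flagged class and would break once it is removed."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        flagged = sorted(n for n in names if ENCUMBERED.search(n))
        signature_files = sorted(n for n in names if SIGNATURE.match(n))
        # Class files store referenced class names in internal form
        # (slashes, no ".class"), so a byte search finds the references.
        internal = [n[: -len(".class")].encode() for n in flagged]
        dangling = {}
        for name in names:
            if name in flagged or not name.endswith(".class"):
                continue
            body = jar.read(name)
            refs = sorted(i.decode() for i in internal if i in body)
            if refs:
                dangling[name] = refs
    return {
        "encumbered": flagged,
        "signature_files": signature_files,
        "dangling": dangling,
    }


def strip_jar(data: bytes) -> bytes:
    """Return a copy without the flagged classes. The signature files are
    dropped too: they no longer describe the archive, so the result is an
    unsigned jar."""
    report = audit_jar(data)
    drop = set(report["encumbered"]) | set(report["signature_files"])
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in drop:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed sample: stub bytes, not real class files or a real signature."""
    magic = b"\xca\xfe\xba\xbe"
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
        "META-INF/SAMPLE.SF": b"Signature-Version: 1.0\r\n",
        "META-INF/SAMPLE.DSA": b"\x30\x00",
        "org/bouncycastle/crypto/engines/IDEAEngine.class": magic + b"stub",
        "org/bouncycastle/crypto/engines/AESEngine.class": magic + b"stub",
        # Hypothetical wrapper that uses the engine.
        "example/provider/IDEAWrapper.class":
            magic + b"org/bouncycastle/crypto/engines/IDEAEngine",
        # Hypothetical registry that refers to the wrapper by name.
        "example/provider/Registry.class":
            magic + b"example/provider/IDEAWrapper",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar()
    report = audit_jar(original)
    print("flagged classes :", report["encumbered"])
    print("signature files :", report["signature_files"])
    for cls, refs in report["dangling"].items():
        print("needs changes   :", cls, "->", refs)
    after = audit_jar(strip_jar(original))
    print("after stripping :", after["encumbered"], after["signature_files"])
```

Run the audit on the original jar: after stripping, the flagged names are gone, so the dangling-reference report can only be produced beforehand.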



Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by ant elder <an...@gmail.com>.
On 9/16/07, Kevan Miller <ke...@gmail.com> wrote:

<snip>

> I don't see an unencumbered BouncyCastle distribution which is not
> encumbered.


Is there any reason we can't just make one? The license seems ok for that:
http://www.bouncycastle.org/licence.html. Is it just the one class in the
bouncycastle jar that has the IDEA algorithm:
org.bouncycastle.crypto.engines.IDEAEngine?

If we use some jar processor such as the shade-maven-plugin to strip out
that one class and create a new bcprov-no-idea-jdk15-136.jar and distribute
that would that solve this problem? Could even try to get that new jar
published in a repository somewhere so other projects can use it.

   ...ant

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 15, 2007, at 10:03 PM, William A. Rowe, Jr. wrote:

> Kevan Miller wrote:
>>>
>>> That previous discussion was about including a JXTA dependency, for this one
>>> I think we're just following what we've seen other Apache projects that
>>> support ws-security are doing, so I guess we were assuming was ok. Are you
>>> saying its not ok to distribute the BouncyCastle jar (and if so then
>>> is the Geronimo jar a drop in replacement)?
>>
>> I wasn't aware of other projects using BouncyCastle. I would hope that
>> they've considered the patent issues regarding BouncyCastle's encryption
>> library.
>
> Those would be a problem if there is encumbered code which has not been
> licensed to the ASF for distribution, and we are aware of those encumbrances.
>
> So are JXTA/Geronimo/others shipping BouncyCastle?  Calling it out as an
> optional dependency?  A hard dependency?

Geronimo has no BouncyCastle dependency.

>
>> I'm not saying that you cannot ship the BouncyCastle jar.
>
> The board does, if it includes an implementation of IDEA and no patent
> grant or license is associated with it.
>
> E.g. those projects which ship openssl binaries must do so by inhibiting
> the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the bouncycastle jar
> distros have a similar segregation?  An unencumbered flavor we can ship?

How exactly are the algorithms inhibited in openssl?

If a project includes the BouncyCastle jar (which contains the IDEA  
algorithm), but the project cannot be configured to use the IDEA  
algorithm, is that "inhibiting"? I think not, but it looks like  
that's what other projects have been assuming... IMO, the encumbered  
BouncyCastle jar file is still present and could be used in ways the  
project may not have intended...

I don't see an unencumbered BouncyCastle distribution which is not
encumbered.

--kevan




Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Kevan Miller wrote:
>>
>> That previous discussion was about including a JXTA dependency, for this one
>> I think we're just following what we've seen other Apache projects that
>> support ws-security are doing, so I guess we were assuming was ok. Are you
>> saying its not ok to distribute the BouncyCastle jar (and if so then
>> is the Geronimo jar a drop in replacement)?
> 
> I wasn't aware of other projects using BouncyCastle. I would hope that
> they've considered the patent issues regarding BouncyCastle's encryption
> library.

Those would be a problem if there is encumbered code which has not been
licensed to the ASF for distribution, and we are aware of those encumbrances.

So are JXTA/Geronimo/others shipping BouncyCastle?  Calling it out as an
optional dependency?  A hard dependency?

> I'm not saying that you cannot ship the BouncyCastle jar. 

The board does, if it includes an implementation of IDEA and no patent
grant or license is associated with it.

E.g. those projects which ship openssl binaries must do so by inhibiting
the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the bouncycastle jar
distros have a similar segregation?  An unencumbered flavor we can ship?

> I am saying
> that the Tuscany project should make a decision about what to do with
> the BouncyCastle jar. If you ask my opinion, I would recommend you not
> distribute the BouncyCastle jar, but that's only my opinion.

Actually no, if it's encumbered, it's out of Tuscany's scope to make
that decision.

> I'm not aware of an explicit Apache policy that prohibits shipping the
> jar file (assuming that your license and notice files properly document
> the jar).

You cannot ship any source/binaries from the ASF with known patent violations
without explicit board approval (which might be given if the ASF has reviewed
the claim and we've determined it is without merit/is disputed by prior art,
and so forth.)

> Here's background information for you:
> 
> BouncyCastle implements the IDEA algorithm (e.g. in
> bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
> held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
> variety of commercial/non-commercial licenses for use of the IDEA
> algorithm (e.g.
> http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
> BouncyCastle does a horrible job of communicating this information to
> consumers of the BouncyCastle jar. BouncyCastle is aware that they are
> shipping encumbered code --
> http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
> references the patent. I've seen claims that MediaCrypt will only pursue
> royalties from actual "users" of the algorithm --
> http://www.bouncycastle.org/devmailarchive/msg05065.html.

Which is to say we cannot ship it, because we can't inflict that on our
users, never mind the ASF's exposure.

Bill


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Matt Hogstrom <ma...@hogstrom.org>.
On Sep 16, 2007, at 11:20 AM, Kevan Miller wrote:

>
> I wasn't involved in the forking of the code. However, it is my  
> understanding that we only forked the bare minimum function  
> (ASN1.codec) that Geronimo required. So, very likely that our code  
> would not suit the needs of other projects.
>

If other folks needed additional classes for this functionality  
Geronimo could add it.  This way there would be a common point for  
integration rather than having every project create a one-off solution.

> --kevan


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 15, 2007, at 10:27 PM, William A. Rowe, Jr. wrote:

> Kevan Miller wrote:
>>>>
>>>> There was a discussion earlier this year about Tuscany,  
>>>> BouncyCastle,
>>>> and a patented IDEA algorithm implemented by BouncyCastle --
>
> http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e
>
> FWIW, the IDEA patent expires on 25-05-2010.  I think Geronimo's solution
> was a sound one, and can be easily followed by other Java projects in the
> incubator.  Were there concerns about using this specific fork?

I wasn't involved in the forking of the code. However, it is my  
understanding that we only forked the bare minimum function  
(ASN1.codec) that Geronimo required. So, very likely that our code  
would not suit the needs of other projects.

--kevan 


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Kevan Miller wrote:
>>>
>>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>>> and a patented IDEA algorithm implemented by BouncyCastle -- 

http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e

FWIW, the IDEA patent expires on 25-05-2010.  I think Geronimo's solution
was a sound one, and can be easily followed by other Java projects in the
incubator.  Were there concerns about using this specific fork?

Bill


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by James M Snell <ja...@gmail.com>.
FWIW, just as a general FYI, Abdera also ships the bouncycastle jar but
use of the jar is limited to the optional security and example modules
and its use has been documented in several locations.

- James

Kevan Miller wrote:
> 
> On Sep 15, 2007, at 5:59 AM, ant elder wrote:
> 
>> On 9/15/07, Kevan Miller <ke...@gmail.com> wrote:
>>>
>>>
>>> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>>>
>>>> Hi,
>>>>
>>>> We are using Apache Rampart 1.3 to enable ws security into the ws-
>>>> binding-axis2 module for Apache Tuscany v1.0 which we hope to
>>>> release in a week.  Using Rampart seems to bring in the
>>>> Bouncycastle dependency for encryption functions.  I have followed
>>>> the instructions on http://www.apache.org/dev/crypto.html#sources
>>>> and I have attached the patch in this mail to include Tuscany to
>>>> the matrix on http://www.apache.org/licenses/exports/.  I have also
>>>> run the xsl and the generated mail sample is also attached in this
>>>> mail.
>>>>
>>>> Could somebody please help with reviewing and applying the patch.
>>>> Also, is there anything else to do with this other than the mention
>>>> on the Distro README which we will do.
>>>
>>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>>> and a patented IDEA algorithm implemented by BouncyCastle --
>>> http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e
>>>
>>> Here's some background information --
>>> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-B886-43C3-8D54-47B558B6DD66@apache.org%3E
>>>
>>> Did the Tuscany project reach a decision about the patented IDEA
>>> algorithm in BouncyCastle?
>>
>>
>> That previous discussion was about including a JXTA dependency, for this one
>> I think we're just following what we've seen other Apache projects that
>> support ws-security are doing, so I guess we were assuming was ok. Are you
>> saying its not ok to distribute the BouncyCastle jar (and if so then is the
>> Geronimo jar a drop in replacement)?
> 
> Hi Ant,
> I wasn't aware of other projects using BouncyCastle. I would hope that
> they've considered the patent issues regarding BouncyCastle's encryption
> library.
> 
> I'm not saying that you cannot ship the BouncyCastle jar. I am saying
> that the Tuscany project should make a decision about what to do with
> the BouncyCastle jar. If you ask my opinion, I would recommend you not
> distribute the BouncyCastle jar, but that's only my opinion.
> 
> I'm not aware of an explicit Apache policy that prohibits shipping the
> jar file (assuming that your license and notice files properly document
> the jar). I think the patent issues associated with it should at least
> cause a concern for a project. Ultimately, I think it's a project
> decision. At a minimum, these issues need to be properly documented to
> your users, so they can make an informed decision. The Geronimo project
> decided not to redistribute the BouncyCastle jar. Instead, we copied
> unencumbered code into the Geronimo project (we only needed an
> ASN1.codec implementation).
> 
> Here's background information for you:
> 
> BouncyCastle implements the IDEA algorithm (e.g. in
> bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
> held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
> variety of commercial/non-commercial licenses for use of the IDEA
> algorithm (e.g.
> http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
> BouncyCastle does a horrible job of communicating this information to
> consumers of the BouncyCastle jar. BouncyCastle is aware that they are
> shipping encumbered code --
> http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
> references the patent. I've seen claims that MediaCrypt will only pursue
> royalties from actual "users" of the algorithm --
> http://www.bouncycastle.org/devmailarchive/msg05065.html.
> 
> --kevan

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 15, 2007, at 5:59 AM, ant elder wrote:

> On 9/15/07, Kevan Miller <ke...@gmail.com> wrote:
>>
>>
>> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>>
>>> Hi,
>>>
>>> We are using Apache Rampart 1.3 to enable ws security into the ws-
>>> binding-axis2 module for Apache Tuscany v1.0 which we hope to
>>> release in a week.  Using Rampart seems to bring in the
>>> Bouncycastle dependency for encryption functions.  I have followed
>>> the instructions on http://www.apache.org/dev/crypto.html#sources
>>> and I have attached the patch in this mail to include Tuscany to
>>> the matrix on http://www.apache.org/licenses/exports/.  I have also
>>> run the xsl and the generated mail sample is also attached in this
>>> mail.
>>>
>>> Could somebody please help with reviewing and applying the patch.
>>> Also, is there anything else to do with this other than the mention
>>> on the Distro README which we will do.
>>
>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>> and a patented IDEA algorithm implemented by BouncyCastle --
>> http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e
>>
>> Here's some background information --
>> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-B886-43C3-8D54-47B558B6DD66@apache.org%3E
>>
>> Did the Tuscany project reach a decision about the patented IDEA
>> algorithm in BouncyCastle?
>
>
> That previous discussion was about including a JXTA dependency, for this one
> I think we're just following what we've seen other Apache projects that
> support ws-security are doing, so I guess we were assuming was ok. Are you
> saying its not ok to distribute the BouncyCastle jar (and if so then is the
> Geronimo jar a drop in replacement)?

Hi Ant,
I wasn't aware of other projects using BouncyCastle. I would hope  
that they've considered the patent issues regarding BouncyCastle's  
encryption library.

I'm not saying that you cannot ship the BouncyCastle jar. I am saying  
that the Tuscany project should make a decision about what to do with  
the BouncyCastle jar. If you ask my opinion, I would recommend you  
not distribute the BouncyCastle jar, but that's only my opinion.

I'm not aware of an explicit Apache policy that prohibits shipping  
the jar file (assuming that your license and notice files properly  
document the jar). I think the patent issues associated with it  
should at least cause a concern for a project. Ultimately, I think  
it's a project decision. At a minimum, these issues need to be  
properly documented to your users, so they can make an informed  
decision. The Geronimo project decided not to redistribute the  
BouncyCastle jar. Instead, we copied unencumbered code into the  
Geronimo project (we only needed an ASN1.codec implementation).

Here's background information for you:

BouncyCastle implements the IDEA algorithm (e.g. in
bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is
held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides a
variety of commercial/non-commercial licenses for use of the IDEA
algorithm (e.g.
http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
BouncyCastle does a horrible job of communicating this information to
consumers of the BouncyCastle jar. BouncyCastle is aware that they are
shipping encumbered code --
http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
references the patent. I've seen claims that MediaCrypt will only pursue
royalties from actual "users" of the algorithm --
http://www.bouncycastle.org/devmailarchive/msg05065.html.

--kevan


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by ant elder <an...@gmail.com>.
On 9/15/07, Kevan Miller <ke...@gmail.com> wrote:
>
>
> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>
> > Hi,
> >
> > We are using Apache Rampart 1.3 to enable ws security into the
> > ws-binding-axis2 module for Apache Tuscany v1.0 which we hope to
> > release in a week.  Using Rampart seems to bring in the
> > Bouncycastle dependency for encryption functions.  I have followed
> > the instructions on http://www.apache.org/dev/crypto.html#sources
> > and I have attached the patch in this mail to include Tuscany to
> > the matrix on http://www.apache.org/licenses/exports/.  I have also
> > run the xsl and the generated mail sample is also attached in this
> > mail.
> >
> > Could somebody please help with reviewing and applying the patch.
> > Also, is there anything else to do with this other than the mention
> > on the Distro README which we will do.
>
> There was a discussion earlier this year about Tuscany, BouncyCastle,
> and a patented IDEA algorithm implemented by BouncyCastle --
> http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e
>
> Here's some background information --
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-B886-43C3-8D54-47B558B6DD66@apache.org%3E
>
> Did the Tuscany project reach a decision about the patented IDEA
> algorithm in BouncyCastle?


That previous discussion was about including a JXTA dependency; for this one
I think we're just following what we've seen other Apache projects that
support ws-security are doing, so I guess we were assuming it was ok. Are you
saying it's not ok to distribute the BouncyCastle jar (and if so then is the
Geronimo jar a drop-in replacement)?

   ...ant

Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:

> Hi,
>
> We are using Apache Rampart 1.3 to enable ws security into the
> ws-binding-axis2 module for Apache Tuscany v1.0 which we hope to
> release in a week.  Using Rampart seems to bring in the
> Bouncycastle dependency for encryption functions.  I have followed  
> the instructions on http://www.apache.org/dev/crypto.html#sources  
> and I have attached the patch in this mail to include Tuscany to  
> the matrix on http://www.apache.org/licenses/exports/.  I have also  
> run the xsl and the generated mail sample is also attached in this  
> mail.
>
> Could somebody please help with reviewing and applying the patch.   
> Also, is there anything else to do with this other than the mention  
> on the Distro README which we will do.

There was a discussion earlier this year about Tuscany, BouncyCastle,
and a patented IDEA algorithm implemented by BouncyCastle --
http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%3c8044E00A-9746-4ECC-9104-F6AF96731FC5@yahoo.com%3e

Here's some background information --
http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-B886-43C3-8D54-47B558B6DD66@apache.org%3E

Did the Tuscany project reach a decision about the patented IDEA  
algorithm in BouncyCastle?

--kevan




RE: Export Notification - Using BouncyCastle in Tuscany Rel 1.0

Posted by "Noel J. Bergman" <no...@devtech.com>.
You ought to be able to use the JAMES export notification as a sample, since
we worked with Cliff to do it.

    --- Noel


