On Sep 15, 2007, at 5:59 AM, ant elder wrote:
> On 9/15/07, Kevan Miller <[EMAIL PROTECTED]> wrote:
>> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>>> Hi,
>>>
>>> We are using Apache Rampart 1.3 to enable ws security into the
>>> ws-binding-axis2 module for Apache Tuscany v1.0 which we hope to
>>> release in a week. Using Rampart seems to bring in the
>>> Bouncycastle dependency for encryption functions. I have followed
>>> the instructions on http://www.apache.org/dev/crypto.html#sources
>>> and I have attached the patch in this mail to include Tuscany to
>>> the matrix on http://www.apache.org/licenses/exports/. I have also
>>> run the xsl and the generated mail sample is also attached in this
>>> mail.
>>>
>>> Could somebody please help with reviewing and applying the patch?
>>> Also, is there anything else to do with this other than the mention
>>> on the Distro README which we will do?
>>
>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>> and a patented IDEA algorithm implemented by BouncyCastle --
>> http://mail-archives.apache.org/mod_mbox/incubator-general/200702.mbox/%[EMAIL PROTECTED]
>>
>> Here's some background information --
>> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-[EMAIL PROTECTED]
>>
>> Did the Tuscany project reach a decision about the patented IDEA
>> algorithm in BouncyCastle?
>
> That previous discussion was about including a JXTA dependency, for
> this one I think we're just following what we've seen other Apache
> projects that support ws-security are doing, so I guess we were
> assuming it was ok. Are you saying it's not ok to distribute the
> BouncyCastle jar (and if so then is the Geronimo jar a drop-in
> replacement)?

Hi Ant,

I wasn't aware of other projects using BouncyCastle. I would hope
that they've considered the patent issues regarding BouncyCastle's
encryption library.

I'm not saying that you cannot ship the BouncyCastle jar. I am saying
that the Tuscany project should make a decision about what to do with
the BouncyCastle jar. If you ask my opinion, I would recommend you
not distribute the BouncyCastle jar, but that's only my opinion.

I'm not aware of an explicit Apache policy that prohibits shipping
the jar file (assuming that your license and notice files properly
document the jar). I think the patent issues associated with it
should at least cause a concern for a project. Ultimately, I think
it's a project decision. At a minimum, these issues need to be
properly documented to your users, so they can make an informed
decision. The Geronimo project decided not to redistribute the
BouncyCastle jar. Instead, we copied unencumbered code into the
Geronimo project (we only needed an ASN1.codec implementation).

Here's background information for you:

BouncyCastle implements the IDEA algorithm (e.g. in
bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent
is held by MediaCrypt (http://www.mediacrypt.com). MediaCrypt provides
a variety of commercial/non-commercial licenses for use of the IDEA
algorithm (e.g.
http://www.mediacrypt.com/_contents/10_idea/102040_li_nc.asp). IMO,
BouncyCastle does a horrible job of communicating this information to
consumers of the BouncyCastle jar. BouncyCastle is aware that they are
shipping encumbered code --
http://www.bouncycastle.org/docs/docs1.4/org/bouncycastle/crypto/engines/IDEAEngine.html
references the patent. I've seen claims that MediaCrypt will only
pursue royalties from actual "users" of the algorithm --
http://www.bouncycastle.org/devmailarchive/msg05065.html.

--kevan