incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevan Miller <>
Subject Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0
Date Sun, 16 Sep 2007 15:15:57 GMT
On Sep 15, 2007, at 10:03 PM, William A. Rowe, Jr. wrote:

> Kevan Miller wrote:
>>> That previous discussion was about including a JXTA dependency,  
>>> for this one
>>> I think we're just following what we've seen other Apache  
>>> projects that
>>> support ws-security are doing, so I guess we were assuming was  
>>> ok. Are you
>>> saying its not ok to distribute the BouncyCastle jar (and if so then
>>> is the Geronimo jar a drop in replacement)?
>> I wasn't aware of other projects using BouncyCastle. I would hope  
>> that
>> they've considered the patent issues regarding BouncyCastle's  
>> encryption
>> library.
> Those would be a problem if there is encumbered code which has not  
> been
> licensed to the ASF for distribution, and we are aware of those  
> encumbrances.
> So are JXTA/Geronimo/others shipping BouncyCastle?  Calling it out  
> as an
> optional dependency?  A hard dependency?

Geronimo has no BouncyCastle dependency.

>> I'm not saying that you cannot ship the BouncyCastle jar.
> The board does, if it includes an implementation of IDEA and no patent
> grant or license is associated with it.
> E.g. those projects which ship openssl binaries must do so by  
> inhibiting
> the IDEA/MDC2/RC5 algorithms, which is trivial.  Do the  
> bouncycastle jar
> distros have a similar segregation?  An unencumbered flavor we can  
> ship?

How exactly are the algorithms inhibited in openssl?

If a project includes the BouncyCastle jar (which contains the IDEA  
algorithm), but the project cannot be configured to use the IDEA  
algorithm, is that "inhibiting"? I think not, but it looks like  
that's what other projects have been assuming... IMO, the encumbered  
BouncyCastle jar file is still present and could be used in ways the  
project may not have intended...

I don't see a an unencumbered BouncyCastle distribution which is not  


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message