incubator-general mailing list archives

From Kevan Miller <>
Subject Re: Export Notification - Using BouncyCastle in Tuscany Rel 1.0
Date Sat, 15 Sep 2007 17:42:04 GMT

On Sep 15, 2007, at 5:59 AM, ant elder wrote:

> On 9/15/07, Kevan Miller <> wrote:
>> On Sep 14, 2007, at 3:26 PM, Venkata Krishnan wrote:
>>> Hi,
>>> We are using Apache Rampart 1.3 to enable ws security into the
>>> ws-binding-axis2 module for Apache Tuscany v1.0 which we hope to
>>> release in a week.  Using Rampart seems to bring in the
>>> Bouncycastle dependency for encryption functions.  I have followed
>>> the instructions on
>>> and I have attached the patch in this mail to include Tuscany to
>>> the matrix on  I have also
>>> run the xsl and the generated mail sample is also attached in this
>>> mail.
>>> Could somebody please help with reviewing and applying the patch.
>>> Also, is there anything else to do with this other than the mention
>>> on the Distro README which we will do.
>> There was a discussion earlier this year about Tuscany, BouncyCastle,
>> and a patented IDEA algorithm implemented by BouncyCastle -- http://
>> Here's some background information -- http://mail- 
>> mod_mbox/www-legal-discuss/200508.mbox/%3C1AB1C8BD-
>> Did the Tuscany project reach a decision about the patented IDEA
>> algorithm in BouncyCastle?
> That previous discussion was about including a JXTA dependency, for this one
> I think we're just following what we've seen other Apache projects that
> support ws-security are doing, so I guess we were assuming it was ok. Are you
> saying it's not ok to distribute the BouncyCastle jar (and if so then is the
> Geronimo jar a drop in replacement)?

Hi Ant,
I wasn't aware of other projects using BouncyCastle. I would hope  
that they've considered the patent issues regarding BouncyCastle's  
encryption library.

I'm not saying that you cannot ship the BouncyCastle jar. I am saying  
that the Tuscany project should make a decision about what to do with  
the BouncyCastle jar. If you ask my opinion, I would recommend you  
not distribute the BouncyCastle jar, but that's only my opinion.

I'm not aware of an explicit Apache policy that prohibits shipping  
the jar file (assuming that your license and notice files properly  
document the jar). I think the patent issues associated with it  
should at least cause a concern for a project. Ultimately, I think  
it's a project decision. At a minimum, these issues need to be  
properly documented to your users, so they can make an informed  
decision. The Geronimo project decided not to redistribute the  
BouncyCastle jar. Instead, we copied unencumbered code into the  
Geronimo project (we only needed an ASN1.codec implementation).

Here's background information for you:

BouncyCastle implements the IDEA algorithm (e.g. in
bcprov-jdk14-136.jar). The IDEA algorithm is patented and the patent is held  
by MediaCrypt ( MediaCrypt provides a  
variety of commercial/non-commercial licenses for use of the IDEA  
algorithm (e.g. 
102040_li_nc.asp). IMO, BouncyCastle does a horrible job of  
communicating this information to consumers of the BouncyCastle jar.  
BouncyCastle is aware that they are shipping encumbered code -- 
engines/IDEAEngine.html references the patent. I've seen claims that  
MediaCrypt will only pursue royalties from actual "users" of the  
algorithm --

