
Open Source and cryptography

Joined: 2006-05-29

Will the recent move towards open source have any implications on cryptography? I've never understood fully the reasons why the cryptography in the Java language is so much restrained (e.g. the code signing necessary to introduce a new cryptographic provider). Surely, with all the open source cryptography everywhere, this does only hurt the end user.

I'm also very much interested if the Sun providers will also be open sourced. These are in the sun.* repositories, not so much in the java branch. If they aren't moved into open source, the O/S community should still have to do a lot of work to get an O/S JDK with ample cryptographic functionality. Of course, the javax.smartcardio libraries should also be included, but I suppose that is easier to accomplish.

Joined: 2006-03-15

[I am not a lawyer]

We are all unhappy with the restrictions in the encryption code. They only exist because of US export laws and some other countries' import laws on cryptography. If we did not have those provisions in our code, Sun could not ship crypto as part of the JDK. As to why some software with open source roots is treated differently than commercial software, I have no idea. This is government bureaucracy, so by definition it is not supposed to make sense, but you still have to deal with it.

With that said, we are always looking to make it easier and we have just started to take another look. Open source may help, but since we will continue to offer our previous license terms in parallel, it may not. I would also like to point out that the only place where we have special checks is if you implement an encryption algorithm. There are no limitations for implementing other services, such as SSL, hash algorithms, or XML Digital Signatures. This is more straightforward than other commercial platforms such as Windows XP.

Regarding the source code, we expect to include all the security sources in the full launch in the spring. Due to the legal requirements, the build process may be a little more involved initially, but you will still have access to all the code.