I'm required to write a JCE provider. I have learned that I need to use the bouncy castle clean room implementation. Could you please tell me what "clean room implementation" means in this context?

+2  A: 

Clean room implementation means that the code was written only from the description and specification, but not with access to any code.

This is important as the Sun source code previously was under a license which was incompatible with GPL distributions in particular. By ensuring that the code was written without any access to such code, it is guaranteed that the Sun license could not later be found to apply to the clean room implementation, and then again be incompatible with the GPL license or any other restrictions.

In other words, it is a guarantee that the license shown will hold.

Thorbjørn Ravn Andersen
I have to install the clean code implementation before writing my provider, right?
You _will_ need a JCE framework installed, or the supportive code is not there. BouncyCastle uses the MIT X11 license, which is as good as it gets in terms of reuse, so you can peek at their code as much as you want in order to write your own, without influencing the license of your finished product.
Thorbjørn Ravn Andersen
The problem is that JCE providers must be signed by Sun *if* you use Sun's JRE. I suppose if you use a third party JCE implementation that doesn't enforce this then you are ok. It is important to distinguish between the JCE and the providers for the JCE. An example of a JCE class is the MessageDigest class. The provider contains the implementation(s) of the actual digests, such as SHA1, that are retrieved through the getInstance factory methods. Bouncycastle I know provides a signed provider; I don't know if they provide a JCE framework though.
GregS
I did not know about the signing requirement.
Thorbjørn Ravn Andersen
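The framework/provider split discussed in the comments above, as an added example that is not part of the original answers and is not Bouncy Castle's code: a minimal provider class that registers one MessageDigest engine with the JCA framework, and a `main` that retrieves it through the `getInstance` factory. The provider name `ExampleProvider` and the algorithm name `XOR8` are assumptions chosen for this illustration, and `XOR8` is a toy one-byte checksum, not a cryptographic hash; the point is the plumbing, not the digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.MessageDigestSpi;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;

/**
 * Illustrative JCA provider. The framework class (java.security.MessageDigest)
 * is supplied by the JDK; this class only supplies an engine implementation.
 * Names "ExampleProvider" and "XOR8" are assumptions made for this example.
 */
public final class ExampleProvider extends Provider {

    public ExampleProvider() {
        // (name, version, info). The double-version constructor is deprecated
        // since JDK 9 in favour of Provider(String, String, String) but still works.
        super("ExampleProvider", 1.0, "Example clean-room MessageDigest provider");
        // "<EngineType>.<Algorithm>" -> fully qualified SPI class name. The
        // framework instantiates this class by reflection when
        // MessageDigest.getInstance("XOR8") resolves to this provider.
        put("MessageDigest.XOR8", Xor8Digest.class.getName());
        // Optional alias so getInstance("XOR-8") also resolves here.
        put("Alg.Alias.MessageDigest.XOR-8", "XOR8");
    }

    /** The SPI: the framework wraps it in a java.security.MessageDigest object. */
    public static final class Xor8Digest extends MessageDigestSpi {
        private byte acc;

        @Override protected void engineUpdate(byte input) { acc ^= input; }

        @Override protected void engineUpdate(byte[] input, int offset, int len) {
            for (int i = offset; i < offset + len; i++) acc ^= input[i];
        }

        @Override protected byte[] engineDigest() {
            byte[] out = { acc };
            engineReset();           // contract: digest() resets the engine
            return out;
        }

        @Override protected void engineReset() { acc = 0; }

        @Override protected int engineGetDigestLength() { return 1; }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchProviderException {
        // Register programmatically; shipped providers are normally listed in the
        // JDK's java.security file (security.provider.N=...) instead.
        Security.addProvider(new ExampleProvider());

        // Framework class (MessageDigest) + this provider's engine (Xor8Digest).
        MessageDigest md = MessageDigest.getInstance("XOR8", "ExampleProvider");
        byte[] d = md.digest("abc".getBytes(StandardCharsets.US_ASCII));
        // 'a' ^ 'b' ^ 'c' = 0x61 ^ 0x62 ^ 0x63 = 0x60
        System.out.printf("provider=%s algorithm=%s digest=%02x%n",
                md.getProvider().getName(), md.getAlgorithm(), d[0]);

        // Without an explicit provider argument the framework walks the provider
        // list in preference order, so the JDK's own SHA-1 engine wins, not ours.
        System.out.println("SHA-1 from: " + MessageDigest.getInstance("SHA-1").getProvider().getName());
    }
}
```

One caveat on the signing point raised above: on Sun/Oracle JDKs the provider-jar signature check is performed when a `javax.crypto` engine (Cipher, Mac, KeyAgreement, KeyGenerator, SecretKeyFactory) is instantiated from a provider; `MessageDigest` lives in `java.security` and is not subject to it, which is why this unsigned example runs as-is. A provider that also registers `Cipher.*` entries will hit that check on those JDKs.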
+1  A: 

Despite the name, most re-implementations are done in rooms with mostly empty beer cans and pizza boxes. This is speaking from past experience, you understand :-)

However, in the context of chip development, a clean room is one where small imperfections (like dust) can cause serious problems at the nano scale. So they're kept incredibly clean, with air scrubbers, protective suits (protecting the environment, not the wearer) etc.

By analogy, software clean room development is done without any access to imperfections that could cause problems. In the case of open-source software, this means not having access to an implementation that might be "tainted" by an incompatible license. (It's not just GPL, but this is commonly cited due to its viral nature). However, this also applies to closed source reverse engineering projects, like the creation of the IBM compatible BIOS that opened the market to IBM clones back in the 80's.

AlBlue