apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: Crypto FAQ
Date Fri, 21 Jul 2006 00:20:41 GMT
On 7/20/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >
> > No -- we were talking about the Product Name earlier in the thread,
> > not the Manufacturer.  Take a look at the first two questions in the
> > FAQ and tell me if this makes sense.  We're always Submitting these
> > things For the ASF about the Products we export that include crypto
> > that we Notify them about, built by one or more Manufacturers, which
> > may or may not include us.
> >
> > FAQ:
> > http://apache.org/dev/crypto.html#faq-productname
> > http://apache.org/dev/crypto.html#faq-manufacturer
>
> Ok, I guess this proves I'm still confused :)

Well -- it is a little confusing.  The reason for that is the don't
provide enough labels in their notification format to answer all the
possibly relevant info.  But here's how one BIS admin guy suggested we
do:

> The concept is that the
> ASF manufactures a "Product" for export from the US.

Yes - they care about the name of the Product to identify the package
that is being exported that happens to contain some sort of controlled
crypto in it.

> This is really the
> difference between an OEM and the Manufacturer.  A similar case would be
> a 802.11 card manufacturer who integrates an Intel chipset; is the BIS's
> interest in the OEM manufacturer, Intel?  Or the company who's assembled
> the chip into a card?  If you can integrate the answer to those two topics,
> Product v.s. Manufacturer, maybe I'd grok this better :)

I think in your example above, the chipset would be the controlled
crypto.  So, here's how a notification would look (if it were software
and qualified for the TSU exception):

SUBMISSION TYPE:      TSU
   SUBMITTED BY:         Fred, the Linksys guy who got suckered into
dealing with export reports
   SUBMITTED FOR:        Linksys, the 802.11 manufacturer
   POINT OF CONTACT:     Fred
   PHONE and/or FAX:     1-802-802-1111
   MANUFACTURER:         Intel
   PRODUCT NAME/MODEL #: WMP54G
   ECCN:                 5D002
   NOTIFICATION:         http://www.linksys.com/legal/export.html

They don't really care about the name of the crypto element inside (no
field for that), but they do care who made it (MANUFACTURER) and where
the source code is (NOTIFICATION).  They also care about who is
exporting something that contains the crypto (SUBMITTED FOR) and what
that thing being exported is called (PRODUCT).

> In the case that the OEM is needed, do we list the
>
> Manufacturer: Apache Software Foundation, OpenSSL Group
>
> as multiple manufacturers when we ship apr-util's crypto?

I also asked about this and there's no one right answer, anything that
is clear is fine.  How you've written it there is how I described it
in the email format in:
http://apache.org/dev/crypto.html#notify

but this is different than my later thought of what would be perfectly
clear, which is addressed in:
http://apache.org/dev/crypto.html#faq-twocryptos (two copies of the
entire form in the same email to more clearly associate manufacturer
with notification url)

Once I get this stuff on asylum working, the format will be generated
automatically -- so a lot of this shouldn't be as confusing -- it will
just ask a few questions and generate the HTML and email formats.
David Reid has done most of this; I just need to tweak it to match the
latest crypto.html doc.

Cliff

Mime
View raw message