incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <...@robweir.com>
Subject Re: Request dev help: Info for required crypto export declaration
Date Wed, 31 Aug 2011 16:30:36 GMT
On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> I thought there was a short-circuit/umbrella process that doesn't require all of these
details.  I thought that came up on an old thread, either on the PPMC or in the early days
of this list.
>
> We do need to collect and update the details, but I am not so sure we need to file a
full-up declaration.  There is apparently a simplified procedure and we should look for it.
(I am not where I can do that right now.)
>

Uh... but we need to know the details to know whether we can use the
simplified procedure.

-Rob


> -----Original Message-----
> From: Mathias Bauer [mailto:Mathias_Bauer@gmx.net]
> Sent: Wednesday, August 31, 2011 07:00
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto export declaration
>
> Moin,
>
> please take my answers with a decent grain of salt, I'm not an expert
> for that area, Matthias Hütsch and Malte Timmermann certainly could
> answer that better, but I don't know if they are currently contributing
> to this list. Hopefully my remarks can help to look at the right places.
>
> Am 31.08.2011 15:03, schrieb Rob Weir:
>
>> There is some paperwork we need to file based on OOo use of
>> cryptography.  Details are on the Apache website [1].  I think I can
>> handle most of the paperwork, provided I can get some help, on this
>> thread, establishing the basic facts.
>>
>>
>> 1) Was something similar every done for OpenOffice.org?  Most software
>> companies are aware of this US export regulation and do this
>> declaration as a matter of routine.  But not all open source projects
>> are as diligent as ASF is.  So it is possible that OOo never did this
>> before.  But if they did, we could reuse much of their paperwork.
>
> AFAIR Sun did that some time ago, but I'm not 100% sure.
>
>> 2) We need a list of all uses of cryptographic methods in OOo,
>> including code that we include, but also where we enable 3rd party or
>> OS crypto modules to plugged in.  This includes both symmetrical
>> algorithms (commonly used for encryption) as well as asymmetrical
>> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
>>
>> 3) For each method, it looks like we need to state whether we authored
>> the crypto, or name the origin of the code if it is a 3rd party.
>>
>> The methods I suspect are in OOo are:
>>
>> a) For password-protected ODF documents, we use the Blowfish block
>> encryption method.   Where did that code come from?
>
> It was an own implementation from someone who was employed by Sun at
> that time.
>
> In the new 3.4 code we also use AES code from the openssl library.
>
>> b) What do we support for other document formats, such as DOC, OOXML
>> or legacy StarOffice formats?  Any other encryption methods?  If so,
>> what are they are what was their origin?
>
> As none of the former Oracle employed MS filter developers is listening
> here, maybe we could ask Kohei or Caolan from the Libre Office crew.
>
>> c) We support digital signatures with ODF files as well.  What
>> algorithms are supported?  Is this our original code or 3rd party?
>
> The code we use is based on the SeaMonkey or nss module. I always get
> confused about them, but in any way the code is "external".
>
>> d)  Do we support digital signatures with any other file formats?
>
> No, only our own files format.
>
>> e) Any other uses of encryption?
>>
>> f) Presumably we places that are at least enabled for SSL via OS-level
>> resolution of https protocol URLs.   Is this correct?
>>
>> g) But do we have any SSL (TLS) code included in our source code?  If
>> so, what is the origin of this?
>
> Open ssl, maybe something in neon, I don't know.
>
> Regards,
> Mathias
>
>

Mime
View raw message