incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Request dev help: Info for required crypto export declaration
Date Wed, 31 Aug 2011 13:03:58 GMT
There is some paperwork we need to file based on OOo use of
cryptography.  Details are on the Apache website [1].  I think I can
handle most of the paperwork, provided I can get some help, on this
thread, establishing the basic facts.


1) Was something similar every done for OpenOffice.org?  Most software
companies are aware of this US export regulation and do this
declaration as a matter of routine.  But not all open source projects
are as diligent as ASF is.  So it is possible that OOo never did this
before.  But if they did, we could reuse much of their paperwork.

2) We need a list of all uses of cryptographic methods in OOo,
including code that we include, but also where we enable 3rd party or
OS crypto modules to plugged in.  This includes both symmetrical
algorithms (commonly used for encryption) as well as asymmetrical
algorithms (for example, public key uses like PGP, RSA, TLS, etc.)

3) For each method, it looks like we need to state whether we authored
the crypto, or name the origin of the code if it is a 3rd party.

The methods I suspect are in OOo are:

a) For password-protected ODF documents, we use the Blowfish block
encryption method.   Where did that code come from?

b) What do we support for other document formats, such as DOC, OOXML
or legacy StarOffice formats?  Any other encryption methods?  If so,
what are they are what was their origin?

c) We support digital signatures with ODF files as well.  What
algorithms are supported?  Is this our original code or 3rd party?

d)  Do we support digital signatures with any other file formats?

e) Any other uses of encryption?

f) Presumably we places that are at least enabled for SSL via OS-level
resolution of https protocol URLs.   Is this correct?

g) But do we have any SSL (TLS) code included in our source code?  If
so, what is the origin of this?

4) In general, are there any other areas of AOOo where we include or
enable the use of cryptographic methods?


[1]: http://www.apache.org/dev/crypto.html

Mime
View raw message