incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: Request dev help: Info for required crypto export declaration
Date Thu, 01 Sep 2011 05:00:56 GMT
It is simplified and it isn't.  But we are doing it out of order.

Here is the page that I couldn't remember the location of:


 - Dennis

-----Original Message-----
From: [] On Behalf Of Rob Weir
Sent: Wednesday, August 31, 2011 09:31
Subject: Re: Request dev help: Info for required crypto export declaration

On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton
<> wrote:
> I thought there was a short-circuit/umbrella process that doesn't require all of these
details.  I thought that came up on an old thread, either on the PPMC or in the early days
of this list.
> We do need to collect and update the details, but I am not so sure we need to file a
full-up declaration.  There is apparently a simplified procedure and we should look for it.
(I am not where I can do that right now.)

Uh... but we need to know the details to know whether we can use the
simplified procedure.


> -----Original Message-----
> From: Mathias Bauer []
> Sent: Wednesday, August 31, 2011 07:00
> To:
> Subject: Re: Request dev help: Info for required crypto export declaration
> Moin,
> please take my answers with a decent grain of salt, I'm not an expert
> for that area, Matthias Hütsch and Malte Timmermann certainly could
> answer that better, but I don't know if they are currently contributing
> to this list. Hopefully my remarks can help to look at the right places.
> Am 31.08.2011 15:03, schrieb Rob Weir:
>> There is some paperwork we need to file based on OOo use of
>> cryptography.  Details are on the Apache website [1].  I think I can
>> handle most of the paperwork, provided I can get some help, on this
>> thread, establishing the basic facts.
>> 1) Was something similar every done for  Most software
>> companies are aware of this US export regulation and do this
>> declaration as a matter of routine.  But not all open source projects
>> are as diligent as ASF is.  So it is possible that OOo never did this
>> before.  But if they did, we could reuse much of their paperwork.
> AFAIR Sun did that some time ago, but I'm not 100% sure.
>> 2) We need a list of all uses of cryptographic methods in OOo,
>> including code that we include, but also where we enable 3rd party or
>> OS crypto modules to plugged in.  This includes both symmetrical
>> algorithms (commonly used for encryption) as well as asymmetrical
>> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
>> 3) For each method, it looks like we need to state whether we authored
>> the crypto, or name the origin of the code if it is a 3rd party.
>> The methods I suspect are in OOo are:
>> a) For password-protected ODF documents, we use the Blowfish block
>> encryption method.   Where did that code come from?
> It was an own implementation from someone who was employed by Sun at
> that time.
> In the new 3.4 code we also use AES code from the openssl library.
>> b) What do we support for other document formats, such as DOC, OOXML
>> or legacy StarOffice formats?  Any other encryption methods?  If so,
>> what are they are what was their origin?
> As none of the former Oracle employed MS filter developers is listening
> here, maybe we could ask Kohei or Caolan from the Libre Office crew.
>> c) We support digital signatures with ODF files as well.  What
>> algorithms are supported?  Is this our original code or 3rd party?
> The code we use is based on the SeaMonkey or nss module. I always get
> confused about them, but in any way the code is "external".
>> d)  Do we support digital signatures with any other file formats?
> No, only our own files format.
>> e) Any other uses of encryption?
>> f) Presumably we places that are at least enabled for SSL via OS-level
>> resolution of https protocol URLs.   Is this correct?
>> g) But do we have any SSL (TLS) code included in our source code?  If
>> so, what is the origin of this?
> Open ssl, maybe something in neon, I don't know.
> Regards,
> Mathias

View raw message