incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pedro F. Giffuni" <giffu...@tutopia.com>
Subject RE: Request dev help: Info for required crypto export declaration
Date Thu, 01 Sep 2011 15:41:00 GMT
While here,

Can Apache projects rely on Mozilla's nss (MPL)?

I looked for alternatives but I only found the java based
Bouncy Castle:

http://www.bouncycastle.org/

cheers,

Pedro.

--- On Thu, 9/1/11, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:

> From: Dennis E. Hamilton <dennis.hamilton@acm.org>
> Subject: RE: Request dev help: Info for required crypto export declaration
> To: ooo-dev@incubator.apache.org
> Date: Thursday, September 1, 2011, 12:00 AM
> It is simplified and it isn't. 
> But we are doing it out of order.
> 
> Here is the page that I couldn't remember the location of:
> 
> <http://www.apache.org/dev/crypto.html>
> 
>  - Dennis
> 
> -----Original Message-----
> From: rabastus@gmail.com
> [mailto:rabastus@gmail.com]
> On Behalf Of Rob Weir
> Sent: Wednesday, August 31, 2011 09:31
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto
> export declaration
> 
> On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org>
> wrote:
> > I thought there was a short-circuit/umbrella process
> that doesn't require all of these details.  I thought
> that came up on an old thread, either on the PPMC or in the
> early days of this list.
> >
> > We do need to collect and update the details, but I am
> not so sure we need to file a full-up declaration. 
> There is apparently a simplified procedure and we should
> look for it. (I am not where I can do that right now.)
> >
> 
> Uh... but we need to know the details to know whether we
> can use the
> simplified procedure.
> 
> -Rob
> 
> 
> > -----Original Message-----
> > From: Mathias Bauer [mailto:Mathias_Bauer@gmx.net]
> > Sent: Wednesday, August 31, 2011 07:00
> > To: ooo-dev@incubator.apache.org
> > Subject: Re: Request dev help: Info for required
> crypto export declaration
> >
> > Moin,
> >
> > please take my answers with a decent grain of salt,
> I'm not an expert
> > for that area, Matthias Hütsch and Malte Timmermann
> certainly could
> > answer that better, but I don't know if they are
> currently contributing
> > to this list. Hopefully my remarks can help to look at
> the right places.
> >
> > Am 31.08.2011 15:03, schrieb Rob Weir:
> >
> >> There is some paperwork we need to file based on
> OOo use of
> >> cryptography.  Details are on the Apache
> website [1].  I think I can
> >> handle most of the paperwork, provided I can get
> some help, on this
> >> thread, establishing the basic facts.
> >>
> >>
> >> 1) Was something similar every done for
> OpenOffice.org?  Most software
> >> companies are aware of this US export regulation
> and do this
> >> declaration as a matter of routine.  But not
> all open source projects
> >> are as diligent as ASF is.  So it is possible
> that OOo never did this
> >> before.  But if they did, we could reuse much
> of their paperwork.
> >
> > AFAIR Sun did that some time ago, but I'm not 100%
> sure.
> >
> >> 2) We need a list of all uses of cryptographic
> methods in OOo,
> >> including code that we include, but also where we
> enable 3rd party or
> >> OS crypto modules to plugged in.  This
> includes both symmetrical
> >> algorithms (commonly used for encryption) as well
> as asymmetrical
> >> algorithms (for example, public key uses like PGP,
> RSA, TLS, etc.)
> >>
> >> 3) For each method, it looks like we need to state
> whether we authored
> >> the crypto, or name the origin of the code if it
> is a 3rd party.
> >>
> >> The methods I suspect are in OOo are:
> >>
> >> a) For password-protected ODF documents, we use
> the Blowfish block
> >> encryption method.   Where did that
> code come from?
> >
> > It was an own implementation from someone who was
> employed by Sun at
> > that time.
> >
> > In the new 3.4 code we also use AES code from the
> openssl library.
> >
> >> b) What do we support for other document formats,
> such as DOC, OOXML
> >> or legacy StarOffice formats?  Any other
> encryption methods?  If so,
> >> what are they are what was their origin?
> >
> > As none of the former Oracle employed MS filter
> developers is listening
> > here, maybe we could ask Kohei or Caolan from the
> Libre Office crew.
> >
> >> c) We support digital signatures with ODF files as
> well.  What
> >> algorithms are supported?  Is this our
> original code or 3rd party?
> >
> > The code we use is based on the SeaMonkey or nss
> module. I always get
> > confused about them, but in any way the code is
> "external".
> >
> >> d)  Do we support digital signatures with any
> other file formats?
> >
> > No, only our own files format.
> >
> >> e) Any other uses of encryption?
> >>
> >> f) Presumably we places that are at least enabled
> for SSL via OS-level
> >> resolution of https protocol
> URLs.   Is this correct?
> >>
> >> g) But do we have any SSL (TLS) code included in
> our source code?  If
> >> so, what is the origin of this?
> >
> > Open ssl, maybe something in neon, I don't know.
> >
> > Regards,
> > Mathias
> >
> >
> 
> 
> 

Mime
View raw message