On Thu, Sep 1, 2011 at 8:18 PM, Donald Whytock <dwhytock@gmail.com> wrote:
> On Thu, Sep 1, 2011 at 3:00 PM, Rob Weir <rob@robweir.com> wrote:
>> On Thu, Sep 1, 2011 at 2:51 PM, Robert Burrell Donkin
>> <robertburrelldonkin@gmail.com> wrote:
>>> Following the instructions[3], step 1 is to work out whether OOo has
>>> any unusual cryptography beyond ECCN 5D002, which is:
>>>
>>> <blockquote cite='http://www.apache.org/dev/crypto.html#classify>
>>> Software specially designed or modified for the development,
>>> production or use of any of the other software of this list, or
>>> software designed to certify other software on this list; or
>>> Software using a "symmetric algorithm" employing a key length in
>>> excess of 56bits; or
>>> Software using an "asymmetric algorithm" where the security of the
>>> algorithm is based on: factorization of integers in excess of 512 bits
>>> (e.g., RSA), computation of discrete logarithms in a multiplicative
>>> group of a finite field of size greater than 512 bits (e.g.,
>>> DiffieHellman over Z/pZ), or other discrete logarithms in a group in
>>> excess of 112 bits (e.g., DiffieHellman over an elliptic curve).
>>> </blockquote>
>>>
>>> Does OOo rely on cryptography more exotic than this?
>>>
>>
>> That is where it seems backwards to me. If I'm reading this
>> correctly, we are OK if we use a symmetrical algorithm with key length
>> greater than ("in excess of") 56bits. But if we use an algorithm,
>> with less thanb 56bits we're considered exotic? Really?
>>
>> For example, Calc has a ROT13() spreadsheet function, which
>> undoubtedly is a weak symmetrical encryption technique, certainly not
>> one with a key length in excess of 56bits.
>>
>> So what now? In other words, I'm puzzled by the "in excess" part.
>> They seem to be saying that strong encryption is regulated less than
>> weak encryption.
>>
>> Could you explain where I'm getting this wrong?
>
>
> It looks to me like the key phrase is "any unusual cryptography beyond
> ECCN 5D002", and the definition of that phrase is the cited block, as
> opposed to the cited block being a definition of ECCN 5D002.
>
> I am having a remarkably hard time finding a definition of ECCN 5D002.
EAR 740.13(e) should be on
http://ecfr.gpoaccess.gov/cgi/t/text/textidx?c=ecfr&sid=bad7a54a31430303e17ce648c13e51b3&rgn=div5&view=text&node=15:2.1.3.4.25&idno=15#15:2.1.3.4.25.0.1.13
Robert
