On Thu, Sep 1, 2011 at 7:38 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Please just do it this way:
>
> <http://www.apache.org/dev/crypto.html>
>
> ASF is very clear on what is required for *its* releases and this page appears to be comprehensive.

The Apache rules break down into reporting to users and notification.
Informing users is important but notification is urgent (making source
available [1] counts as export).
> (I finally found where I saw this before. It has also been discussed here or on the oooprivate list before. I remembered it as being simpler than it is.)

(It looks worse than it is)
Following the instructions[3], step 1 is to work out whether OOo has
any unusual cryptography beyond ECCN 5D002, which is:
<blockquote cite='http://www.apache.org/dev/crypto.html#classify'>
Software specially designed or modified for the development,
production or use of any of the other software of this list, or
software designed to certify other software on this list; or
Software using a "symmetric algorithm" employing a key length in
excess of 56 bits; or
Software using an "asymmetric algorithm" where the security of the
algorithm is based on: factorization of integers in excess of 512 bits
(e.g., RSA), computation of discrete logarithms in a multiplicative
group of a finite field of size greater than 512 bits (e.g.,
Diffie-Hellman over Z/pZ), or other discrete logarithms in a group in
excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve).
</blockquote>
Does OOo rely on cryptography more exotic than this?
Robert
[1] http://www.apache.org/dev/crypto.html#overview
[2] http://www.apache.org/licenses/exports/
[3] http://www.apache.org/dev/crypto.html#classify
