incubator-ooo-dev mailing list archives

From Rob Weir <...@robweir.com>
Subject Re: Request dev help: Info for required crypto export declaration
Date Thu, 01 Sep 2011 15:51:01 GMT
On Thu, Sep 1, 2011 at 11:41 AM, Pedro F. Giffuni <giffunip@tutopia.com> wrote:
> While here,
>
> Can Apache projects rely on Mozilla's nss (MPL)?
>

See this page on current view from Apache legal:

http://www.apache.org/legal/resolved.html#category-b


> I looked for alternatives but I only found the java based
> Bouncy Castle:
>
> http://www.bouncycastle.org/
>
> cheers,
>
> Pedro.
>
> --- On Thu, 9/1/11, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:
>
>> From: Dennis E. Hamilton <dennis.hamilton@acm.org>
>> Subject: RE: Request dev help: Info for required crypto export declaration
>> To: ooo-dev@incubator.apache.org
>> Date: Thursday, September 1, 2011, 12:00 AM
>> It is simplified and it isn't.
>> But we are doing it out of order.
>>
>> Here is the page that I couldn't remember the location of:
>>
>> <http://www.apache.org/dev/crypto.html>
>>
>>  - Dennis
>>
>> -----Original Message-----
>> From: rabastus@gmail.com [mailto:rabastus@gmail.com] On Behalf Of Rob Weir
>> Sent: Wednesday, August 31, 2011 09:31
>> To: ooo-dev@incubator.apache.org
>> Subject: Re: Request dev help: Info for required crypto export declaration
>>
>> On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:
>> > I thought there was a short-circuit/umbrella process that doesn't
>> > require all of these details.  I thought that came up on an old
>> > thread, either on the PPMC or in the early days of this list.
>> >
>> > We do need to collect and update the details, but I am not so sure
>> > we need to file a full-up declaration.  There is apparently a
>> > simplified procedure and we should look for it. (I am not where I
>> > can do that right now.)
>> >
>>
>> Uh... but we need to know the details to know whether we can use the
>> simplified procedure.
>>
>> -Rob
>>
>>
>> > -----Original Message-----
>> > From: Mathias Bauer [mailto:Mathias_Bauer@gmx.net]
>> > Sent: Wednesday, August 31, 2011 07:00
>> > To: ooo-dev@incubator.apache.org
>> > Subject: Re: Request dev help: Info for required crypto export declaration
>> >
>> > Hello,
>> >
>> > please take my answers with a decent grain of salt, I'm not an expert
>> > for that area, Matthias Hütsch and Malte Timmermann certainly could
>> > answer that better, but I don't know if they are currently contributing
>> > to this list. Hopefully my remarks can help to look at the right places.
>> >
>> > On 31.08.2011 15:03, Rob Weir wrote:
>> >
>> >> There is some paperwork we need to file based on OOo use of
>> >> cryptography.  Details are on the Apache website [1].  I think I can
>> >> handle most of the paperwork, provided I can get some help, on this
>> >> thread, establishing the basic facts.
>> >>
>> >>
>> >> 1) Was something similar ever done for OpenOffice.org?  Most software
>> >> companies are aware of this US export regulation and do this
>> >> declaration as a matter of routine.  But not all open source projects
>> >> are as diligent as ASF is.  So it is possible that OOo never did this
>> >> before.  But if they did, we could reuse much of their paperwork.
>> >
>> > AFAIR Sun did that some time ago, but I'm not 100% sure.
>> >
>> >> 2) We need a list of all uses of cryptographic methods in OOo,
>> >> including code that we include, but also where we enable 3rd party or
>> >> OS crypto modules to be plugged in.  This includes both symmetrical
>> >> algorithms (commonly used for encryption) as well as asymmetrical
>> >> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
>> >>
>> >> 3) For each method, it looks like we need to state whether we authored
>> >> the crypto, or name the origin of the code if it is a 3rd party.
>> >>
>> >> The methods I suspect are in OOo are:
>> >>
>> >> a) For password-protected ODF documents, we use the Blowfish block
>> >> encryption method.  Where did that code come from?
>> >
>> > It was an own implementation from someone who was
>> employed by Sun at
>> > that time.
>> >
>> > In the new 3.4 code we also use AES code from the
>> openssl library.
>> >
>> >> b) What do we support for other document formats, such as DOC, OOXML
>> >> or legacy StarOffice formats?  Any other encryption methods?  If so,
>> >> what are they and what was their origin?
>> >
>> > As none of the former Oracle employed MS filter
>> developers is listening
>> > here, maybe we could ask Kohei or Caolan from the
>> Libre Office crew.
>> >
>> >> c) We support digital signatures with ODF files as well.  What
>> >> algorithms are supported?  Is this our original code or 3rd party?
>> >
>> > The code we use is based on the SeaMonkey or nss
>> module. I always get
>> > confused about them, but in any way the code is
>> "external".
>> >
>> >> d) Do we support digital signatures with any other file formats?
>> >
>> > No, only our own file format.
>> >
>> >> e) Any other uses of encryption?
>> >>
>> >> f) Presumably we have places that are at least enabled for SSL via
>> >> OS-level resolution of https protocol URLs.  Is this correct?
>> >>
>> >> g) But do we have any SSL (TLS) code included in our source code?  If
>> >> so, what is the origin of this?
>> >
>> > Open ssl, maybe something in neon, I don't know.
>> >
>> > Regards,
>> > Mathias
>> >
>> >
>>
>>
>>
>
