openoffice-dev mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: Request dev help: Info for required crypto export declaration
Date Wed, 31 Aug 2011 16:29:02 GMT
I thought there was a short-circuit/umbrella process that doesn't require all of these details.
 I thought that came up on an old thread, either on the PPMC or in the early days of this

We do need to collect and update the details, but I am not so sure we need to file a full-up
declaration.  There is apparently a simplified procedure and we should look for it. (I am
not where I can do that right now.)

-----Original Message-----
From: Mathias Bauer [] 
Sent: Wednesday, August 31, 2011 07:00
Subject: Re: Request dev help: Info for required crypto export declaration


Please take my answers with a decent grain of salt, I'm not an expert
for that area, Matthias Hütsch and Malte Timmermann certainly could
answer that better, but I don't know if they are currently contributing
to this list. Hopefully my remarks can help to look at the right places.

On 31.08.2011 15:03, Rob Weir wrote:

> There is some paperwork we need to file based on OOo use of
> cryptography.  Details are on the Apache website [1].  I think I can
> handle most of the paperwork, provided I can get some help, on this
> thread, establishing the basic facts.
> 1) Was something similar ever done for  Most software
> companies are aware of this US export regulation and do this
> declaration as a matter of routine.  But not all open source projects
> are as diligent as ASF is.  So it is possible that OOo never did this
> before.  But if they did, we could reuse much of their paperwork.

AFAIR Sun did that some time ago, but I'm not 100% sure.

> 2) We need a list of all uses of cryptographic methods in OOo,
> including code that we include, but also where we enable 3rd party or
> OS crypto modules to be plugged in.  This includes both symmetrical
> algorithms (commonly used for encryption) as well as asymmetrical
> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
> 3) For each method, it looks like we need to state whether we authored
> the crypto, or name the origin of the code if it is a 3rd party.
> The methods I suspect are in OOo are:
> a) For password-protected ODF documents, we use the Blowfish block
> encryption method.   Where did that code come from?

It was an own implementation from someone who was employed by Sun at
that time.

In the new 3.4 code we also use AES code from the openssl library.

> b) What do we support for other document formats, such as DOC, OOXML
> or legacy StarOffice formats?  Any other encryption methods?  If so,
> what are they and what was their origin?

As none of the former Oracle employed MS filter developers is listening
here, maybe we could ask Kohei or Caolan from the Libre Office crew.

> c) We support digital signatures with ODF files as well.  What
> algorithms are supported?  Is this our original code or 3rd party?

The code we use is based on the SeaMonkey or nss module. I always get
confused about them, but in any case the code is "external".

> d)  Do we support digital signatures with any other file formats?

No, only our own file format.

> e) Any other uses of encryption?
> f) Presumably we have places that are at least enabled for SSL via OS-level
> resolution of https protocol URLs.   Is this correct?
> g) But do we have any SSL (TLS) code included in our source code?  If
> so, what is the origin of this?

OpenSSL, maybe something in neon, I don't know.

