www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Inquiry on Export Control Issues
Date Sun, 13 Mar 2005 07:26:01 GMT
Here is the original members@ post which triggered my forwarding
this issue to the legal-discuss@ community.

The message below seems to answer the question posed to security@apache
quite specifically.  As nice as the ssl-howto.html reference is, that
page (and no other page I can find) answers the actual question of what
ECCN applies to Tomcat/jk (or other ASF projects).  We need one.

Do the statements below still reflect Tomcat/jk distributions 
available now?  Have we injected ANY of the ASF sub projects' jars
which fall into 5D002?  How can we identify this?

It seems a web page documenting which pieces of ASF code were filed
under the TSA exception must be recorded, and publicly, and other
projects need to pay attention when they inject TSA code into their
distributions from other projects.


At 08:24 PM 10/10/2002, Pier Fumagalli wrote:
>On 11/10/02 3:01, "Sally Khudairi" <sallykhudairi@yahoo.com> wrote:
>> Pier! Pier!
>> He's our man
>> If he can't do it
>> No one can.
>Ok, today I got bored of writing my PL-SQL data types conversion thingy for
>Java Beans... And one gets his brain fried between Java Reflections and
>> So...we wait to hear back from Ben, I presume?
>Nope... I just checked... Tomcat _does_not_ ship any Crypto code... To
>provide cryptography it _relies_ on JSSE, which the end user need to
>download from Sun (or any other provider)... From the doccos:
>  [...]
>  To install and configure SSL support on Tomcat 4, you need to follow these
>  simple steps. For more information, read the rest of this HOW-TO.
>  1. Download JSSE 1.0.2 (or later) from http://java.sun.com/products/jsse/
>     and either make it an installed extension on the system, or else set an
>     environment variable JSSE_HOME that points at the directory into which
>     you installed JSSE.
>  [...]
>So, to my understanding of the law (which David and Ben tried to explain me
>once back in the days, but after some pints of good lager), we are safe...
>Therefore, to answer the guy's questions:
>> Did you (ASF) classify the Export Control Classification Number (ECCN)
>> of your Tomcat [v4.0.2] as 5D002 ?
>> If your answer is "no", please describe the reasons why you determined
>> that it was not classified as 5D002.
>Tomcat (any version) does _NOT_ contain any cryptography code. It rather
>relies on the external Java JSSE implementation provided by Sun Microsystems
>or other providers to support the HTTPS protocol and encrypted connections.
>The JSSE implementation, however is _NOT_ bundled with any distribution of
>Tomcat, but _NEEDS_ to be downloaded separately from the end users of our
>product from web sites not affiliated in any way with the Apache Software
>Foundation (Sun Microsystems is one of those providers, and their JSSE
>implementation can be found at <http://java.sun.com/products/jsse/>).
>This is all clearly documented on our web site at
>> If your answer to Q1 is "yes", may I understand the downloading of your
>> Tomcat from your site to us is deamed export but eligible using license
>> exception TSU ?
>The answer to Q1 was no.
>> If your answer to Q2 is "yes", do you (AFS) proceed several obligations
>> such as notification (of the Internet location to BIS and NSA) ?
>The answer to Q1 was no.
>    Pier

DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message