www-legal-discuss mailing list archives

From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: MyFaces ECCN 5D002
Date Sat, 02 Sep 2006 18:47:22 GMT
On 9/2/06, Dennis Byrne <dennis@dbyrne.net> wrote:
> Apache MyFaces has bindings to the javax.crypto API.  Configuration parameters, supplied
> by an application developer, are passed through to the javax.crypto API, employing symmetric
> encryption algorithms with unlimited key lengths.
> The following from [1] leads me to believe that Apache MyFaces release artifacts fall
> under ECCN 5D002 (Export Control Classification Number).
> "the definition of ECCN 5D002, which can be summarized as: ... Software using a "symmetric
> algorithm" employing a key length in excess of 56-bits"
> However the crypto page [1] also states the following:
> "If my project ships a binary that provides bindings to OpenSSL, but does not include
> its source or binaries, what notifications must be made?
> The only required notification for an Apache project that is specially designed to use,
> but doesn't include, such crypto, is just the notification for the ASF product code."
> I think it is reasonable to say "the javax.crypto API" can replace "OpenSSL" here?  Can
> anyone please clarify what "just the notification for the ASF product code" means?

This just means that the ASF product is still considered to be crypto
since it is specially designed to use other crypto.  The point of this
FAQ was to explain that you do not need to make any notification about
the crypto that the product is designed to use if it is not actually
included in the product; but you still need to make a notification for
the ASF product, since it is also considered to be crypto according to
the 5D002 definition.

> To be honest, the code in question was committed more than six months ago and there have
> been at least three releases.  Keep in mind that we don't actually release the software that
> performs the strong encryption; application developers have to download this *themselves*
> from a group like Bouncy Castle [2].  Such algorithms are not even distributed with a standard
> JVM release.

Well we haven't had a good understanding nor any docs on what is
required until recently; so it's understandable that we may have
projects today that are not in compliance.  However, it's not very
difficult now to fix this.

I can work with you and/or other MyFaces committers to get this done,
but for now, take a look at what James did (you can find their exports
RDF file listed in the registry,
http://www.apache.org/licenses/exports/export-registry.xml).  I
haven't yet written docs on the exports RDF format that we came up
with, but you might be able to figure out most of it from just looking
at the James example.  The one difference from your project is that
James actually includes the Bouncy Castle stuff in the product, which
is why they have it listed.  You would only need to list the ASF


> Thanks to anyone who can help me in this matter,
> Dennis Byrne
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.bouncycastle.org/latest_releases.html

DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.