www-legal-discuss mailing list archives

From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: Crypto: Apache product that includes an Apache product that includes crypto interfaces
Date Fri, 23 Feb 2007 10:37:23 GMT
On 2/22/07, Jean T. Anderson <jta@apache.org> wrote:
> Roy T. Fielding wrote:
> > On Feb 22, 2007, at 4:57 PM, Jean T. Anderson wrote:
> >
> >> How's this?
> >>
> >> Q: "If my project ships a binary that uses cryptographic software via a
> >> standard application interface, but does not provide bindings to it nor
> >> include its source or binaries, what notifications must be made?"
> >>
> >> A: "No notification is required if a project uses a standard interface
> >> to access cryptographic software and does not include its source or
> >> binaries. For example, notification is not required if the project uses
> >> standard JDBC or ODBC to access a database that enables cryptographic
> >> features."
> >
> > I don't think that is quite right.  JCE is a "standard interface
> > to access cryptographic software" and its use makes the software
> > 5D002 (because JCE is specifically designed for encryption and
> > anything specifically designed to use a 5D002 product is 5D002).
> >
> > Did you mean "if a product uses a generic interface (not specific
> > to encryption) for optional use of encryption and no encryption
> > features are enabled by default"?
>
> heh. I was attempting to avoid an faq specific to the derby case:
>
> > ... if an Apache project supports Derby
> > (i.e., can use it) but does not include Derby source or jars, it doesn't
> > have to do the BIS notification. Unlike the OpenSSL case of not
> > including source or binaries [1] Derby just uses standard JDBC for the
> > "bindings", there are no Derby-specific bindings a product would have to
> > provide.
>
> "generic interface (not specific to encryption)" would be more
> descriptive than "standard interface".

That would help clear things up.  So, one doing that replacement and
making an edit to replace "cryptographic software" with "software that
uses cryptographic software" and other minor edits would give us:

Q: "If my project ships a binary that uses software that uses
cryptographic software via a generic interface (not specific to
encryption), but does not provide bindings to the cryptographic
software nor include its source or binaries, what notifications must
be made?"

A: "No notification is required if a project uses a generic interface
(not specific to encryption) to access software that is specially
designed to other cryptography software if it does not include the
source or binaries of either such software. For example, notification
is not required if the project uses standard JDBC or ODBC to access a
database that doesn't include, but enables use of cryptographic
features."

but, here's another option:

Q: If my program is specially designed to use a program that is
controlled by ECCN 5D002 (and therefore required to an email
notification to qualify under the TSU exception), does that mean my
program is also controlled by ECCN 5D002?

A: Not necessarily.  Your program is only controlled by 5D002 if it
embodies controlled cryptographic functionality or is specially
designed to use other such cryptographic functionality.


Does one or the other seem more useful?  Given this, can you think of
a clearer way to express the idea?

Cliff

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

