Return-Path: X-Original-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8FBDD75C5 for ; Fri, 2 Sep 2011 15:00:35 +0000 (UTC) Received: (qmail 97683 invoked by uid 500); 2 Sep 2011 15:00:35 -0000 Delivered-To: apmail-incubator-ooo-dev-archive@incubator.apache.org Received: (qmail 97229 invoked by uid 500); 2 Sep 2011 15:00:34 -0000 Mailing-List: contact ooo-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ooo-dev@incubator.apache.org Delivered-To: mailing list ooo-dev@incubator.apache.org Received: (qmail 97212 invoked by uid 99); 2 Sep 2011 15:00:34 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Sep 2011 15:00:34 +0000 Received: from localhost (HELO mail-ew0-f47.google.com) (127.0.0.1) (smtp-auth username robweir, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Sep 2011 15:00:33 +0000 Received: by ewy5 with SMTP id 5so1553265ewy.6 for ; Fri, 02 Sep 2011 08:00:32 -0700 (PDT) MIME-Version: 1.0 Received: by 10.14.16.165 with SMTP id h37mr146577eeh.221.1314975632145; Fri, 02 Sep 2011 08:00:32 -0700 (PDT) Received: by 10.14.188.2 with HTTP; Fri, 2 Sep 2011 08:00:31 -0700 (PDT) In-Reply-To: References: <4E5E3E79.6080206@gmx.net> <00c701cc67fb$193ca9c0$4bb5fd40$@acm.org> <1314933101.93069.YahooMailNeo@web161425.mail.bf1.yahoo.com> Date: Fri, 2 Sep 2011 11:00:31 -0400 Message-ID: Subject: Re: Request dev help: Info for required crypto export declaration From: Rob Weir To: ooo-dev@incubator.apache.org Content-Type: text/plain; charset=UTF-8 Starting fresh. The more I look into this the more I'm starting to think that the Apache export control instructions [1] are leading us in the wrong direction. >From what I've been able to determine, the classification code comes not only from the strength of the encryption, but also the use of the software. For example, strong encryption (based on key length) might end up in different classifications depending on whether it is a general purpose encryption library, a "mass market" product, a server product, etc. It is not just about key length. The Apache instructions seem to say that all paths lead to 5D002. Maybe this is true for strong encryption in the typical Apache developer libraries or server-side products. But OpenOffice.org is not your typical Apache product, is it? If you look at how commercial derivatives of OpenOffice.org are treated, such as IBM Lotus Symphony or LibreOffice Novell Edition, you see that they are classified as 5D992, not 5D002. But I do not see 5D992 mentioned at all on the Apache page on handling cryptography. Until we better understand that discrepancy, I don't think we should blindly follow the 5D002 route. Is there anyone at Apache who really understands these things in a more general way, e.g., understands the implications of "mass market" software? -Rob [1] http://www.apache.org/dev/crypto.html