Return-Path: 
 <ooo-dev-return-4675-apmail-incubator-ooo-dev-archive=incubator.apache.org@incubator.apache.org>
X-Original-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org
Delivered-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 3AAEA8A53
	for <apmail-incubator-ooo-dev-archive@minotaur.apache.org>;
 Thu,  1 Sep 2011 19:32:23 +0000 (UTC)
Received: (qmail 51871 invoked by uid 500); 1 Sep 2011 19:32:23 -0000
Delivered-To: apmail-incubator-ooo-dev-archive@incubator.apache.org
Received: (qmail 51770 invoked by uid 500); 1 Sep 2011 19:32:22 -0000
Mailing-List: contact ooo-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:ooo-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:ooo-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:ooo-dev@incubator.apache.org>
List-Id: <ooo-dev.incubator.apache.org>
Reply-To: ooo-dev@incubator.apache.org
Delivered-To: mailing list ooo-dev@incubator.apache.org
Received: (qmail 51762 invoked by uid 99); 1 Sep 2011 19:32:22 -0000
Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 01 Sep 2011 19:32:21 +0000
Received: from localhost (HELO mail-ey0-f173.google.com) (127.0.0.1)
  (smtp-auth username robweir, mechanism plain)
  by minotaur.apache.org (qpsmtpd/0.29) with ESMTP;
 Thu, 01 Sep 2011 19:32:21 +0000
Received: by eyb7 with SMTP id 7so2062706eyb.18
        for <ooo-dev@incubator.apache.org>;
 Thu, 01 Sep 2011 12:32:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.14.20.76 with SMTP id o52mr53486eeo.221.1314905539734; Thu, 01
 Sep 2011 12:32:19 -0700 (PDT)
Received: by 10.14.188.2 with HTTP; Thu, 1 Sep 2011 12:32:19 -0700 (PDT)
In-Reply-To: 
 <CAKTa1mguj-vXt7Cd=NgpnGCTFhR2hkDugcH+HvNwNdrNfR0hNw@mail.gmail.com>
References: 
 <CAP-ksojaTvK1J3zr=Nx2a2B2WRVNNsZORhR7UaLz=swiVtUDwQ@mail.gmail.com>
	<4E5E3E79.6080206@gmx.net>
	<00c701cc67fb$193ca9c0$4bb5fd40$@acm.org>
	<CAP-ksojXhs0czS7Wmw7HKRZMBmz1PoG4OudZJ=1RZ_Ff3-PVWg@mail.gmail.com>
	<CALKqTu8ZcxbO3STDAxLkSpBuf0JNk_S86Np7TbcE7BgAv_X3TA@mail.gmail.com>
	<CAP-ksogjvGGGnT0FMDtoDQCU3KCZv_JN=SRoYLwPA4y0zXqpMQ@mail.gmail.com>
	<010c01cc68d6$6b44c1e0$41ce45a0$@acm.org>
	<CAKTa1miGfSyfPaG3c1uv+VJeMdGAk3W+Zt60NjXJUn_ru2QuAQ@mail.gmail.com>
	<CAP-ksojP_VXZXvG+NugYdQPYCjx57H0V8VCPei+AsOwEH0K1vw@mail.gmail.com>
	<CAMwm1vGvfkEbgOvcTAtUv+rY6TZG_bU2_HMVDCxd0qnYr92Krg@mail.gmail.com>
	<CAKTa1mguj-vXt7Cd=NgpnGCTFhR2hkDugcH+HvNwNdrNfR0hNw@mail.gmail.com>
Date: Thu, 1 Sep 2011 15:32:19 -0400
Message-ID: 
 <CAP-ksog8CkrMu_SeK80gK0hHtPXoc=9XWmv8GLX-bnQkq3PHrg@mail.gmail.com>
Subject: Re: Request dev help: Info for required crypto export declaration
From: Rob Weir <robweir@apache.org>
To: ooo-dev@incubator.apache.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

So in general OpenOffice supports encryption and digital signatures
and https/SSL.  So we have support for standard algorithms, from
one-way hashes like SHA-1, to block encryption like Blowfish and
AES-256,  to public key cryptography per the W3C's XML Digital
Signatures.   We also support legacy Microsoft Office encryption
algorithms that are generally weaker and used only for backwards
compatibility.

I'm not a crypto expert, so I'm not sure what something exotic would
look like.  I think the strongest thing we have is AES-256.

-Rob

On Thu, Sep 1, 2011 at 3:25 PM, Robert Burrell Donkin
<robertburrelldonkin@gmail.com> wrote:
> On Thu, Sep 1, 2011 at 8:18 PM, Donald Whytock <dwhytock@gmail.com> wrote=
:
>> On Thu, Sep 1, 2011 at 3:00 PM, Rob Weir <rob@robweir.com> wrote:
>>> On Thu, Sep 1, 2011 at 2:51 PM, Robert Burrell Donkin
>>> <robertburrelldonkin@gmail.com> wrote:
>>>> Following the instructions[3], step 1 is to work out whether OOo has
>>>> any unusual cryptography beyond ECCN 5D002, which is:
>>>>
>>>> <blockquote cite=3D'http://www.apache.org/dev/crypto.html#classify>
>>>> =C2=A0 Software specially designed or modified for the development,
>>>> production or use of any of the other software of this list, or
>>>> software designed to certify other software on this list; or
>>>> =C2=A0 Software using a "symmetric algorithm" employing a key length i=
n
>>>> excess of 56-bits; or
>>>> =C2=A0 Software using an "asymmetric algorithm" where the security of =
the
>>>> algorithm is based on: factorization of integers in excess of 512 bits
>>>> (e.g., RSA), computation of discrete logarithms in a multiplicative
>>>> =C2=A0 group of a finite field of size greater than 512 bits (e.g.,
>>>> Diffie-Hellman over Z/pZ), or other discrete logarithms in a group in
>>>> excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve).
>>>> </blockquote>
>>>>
>>>> Does OOo rely on cryptography more exotic than this?
>>>>
>>>
>>> That is where it seems backwards to me. =C2=A0If I'm reading this
>>> correctly, we are OK if we use a symmetrical algorithm with key length
>>> greater than ("in excess of") 56-bits. =C2=A0But if we use an algorithm=
,
>>> with less thanb 56-bits we're considered exotic? =C2=A0Really?
>>>
>>> For example, Calc has a ROT13() spreadsheet function, which
>>> undoubtedly is a weak symmetrical encryption technique, certainly not
>>> one with a key length in excess of 56-bits.
>>>
>>> So what now? =C2=A0In other words, I'm puzzled by the "in excess" part.
>>> They seem to be saying that strong encryption is regulated less than
>>> weak encryption.
>>>
>>> Could you explain where I'm getting this wrong?
>>
>>
>> It looks to me like the key phrase is "any unusual cryptography beyond
>> ECCN 5D002", and the definition of that phrase is the cited block, as
>> opposed to the cited block being a definition of ECCN 5D002.
>>
>> I am having a remarkably hard time finding a definition of ECCN 5D002.
>
> EAR 740.13(e) should be on
> http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=3Decfr&sid=3Dbad7a54a3143=
0303e17ce648c13e51b3&rgn=3Ddiv5&view=3Dtext&node=3D15:2.1.3.4.25&idno=3D15#=
15:2.1.3.4.25.0.1.13
>
> Robert
>