I am in Iran (main part of axis of evil)
we have access to all this crypto code
don't waste your time hiding them!
On 9/2/06, Dennis Byrne
<[EMAIL PROTECTED]> wrote:
Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.
The following from [1] leads me to believe that Apache Myfaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).
"the definition of ECCN 5D002, which can be summarized as: ... Software using a "symmetric algorithm" employing a key length in excess of 56-bits"
However the crypto page [1] also states the following:
"If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made?
The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code."
I think it is reasonable to say "the javax.crypto API" can replace "OpenSSL" here? Can anyone please clarify what "just the notification for the ASF product code" means?
To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.
Thanks to anyone who can help me in this matter,
Dennis Byrne
[1] http://www.apache.org/dev/crypto.html
[2] http://www.bouncycastle.org/latest_releases.html
--
Arash Rajaeeyan
