[
https://issues.apache.org/jira/browse/TAVERNA-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15272522#comment-15272522
]
Stian Soiland-Reyes edited comment on TAVERNA-959 at 5/5/16 3:37 PM:
---------------------------------------------------------------------
My conclusion from LEGAL-250 is that we can shrink the list to only include the
encryption items used or bundled - strict transitivity does not apply.
However we are not generally exempt from registration because those modules do
network communications (wsdl/rest activity) or information security (credential
manager).
I suggest we include the Command Line now - even though its primary function is
"Running workflows" it could be exempt - but when we later (e.g. next cmd line
release) make a binary/ distribution of it available then it would include
"encryption items" like BouncyCastle, Derby and HttpComponents.
was (Author: stain):
My conclusion from LEGAL-250 is that we can shrink the list to only include the
encryption items used or bundled - strict transitivity does not paply.
However we are not generally exempt from registration because those modules do
network communications (wsdl/rest activity) or information security (credential
manager).
I suggest we include the Command Line now - even though its primary function is
"Running workflows" it could be exempt - but when we later (e.g. next cmd line
release) make a binary/ distribution of it available then it would include
"encryption items" like BouncyCastle, Derby and HttpComponents.
> Crypto review and reporting
> ---------------------------
>
> Key: TAVERNA-959
> URL: https://issues.apache.org/jira/browse/TAVERNA-959
> Project: Apache Taverna
> Issue Type: Task
> Components: Taverna Common Activities, Taverna Engine
> Reporter: Stian Soiland-Reyes
> Priority: Critical
> Labels: security
> Fix For: engine 3.1.0, common activities 2.1.0
>
>
> While stumbling over http://www.apache.org/dev/crypto.html
> I came to think about our Credential Manager:
> https://github.com/apache/incubator-taverna-engine/tree/master/taverna-credential-manager
> https://github.com/apache/incubator-taverna-engine/tree/master/taverna-credential-manager-impl
> and the WSDL SSL support in
> https://github.com/apache/incubator-taverna-common-activities/tree/master/taverna-wsdl-activity/src/main/java/org/apache/taverna/activities/wsdl/security
> While we don't have our own encryption code (puh!) we certainly have a fair
> share of plumbing that uses it.
> Credential Manager uses BouncyCastle to keep an encrypted user/password and
> certificate store in the Taverna user home directory - based on a password
> the user provides.
> Obviously we also generally support https:// through Java's normal SSL
> support - the Credential Manager has UI support for managing additional
> client and server certificates and for asking for username/password on
> connections.
> The WSDL activity has support for using WS Security authentication and also
> works with https.
> Looking over the policy at http://www.apache.org/dev/crypto.html I realize
> now that when we distribute the Taverna Command Line (and Workbench) binary
> distribution it would be bundling and using the Bouncy Castle library - which
> would be covered by US Export restrictions.
> Thus this task to review what of our code and distributions would be covered
> by US Export restrictions - if any - and perform the required reporting if
> needed.