Mladen Turk wrote: > William A. Rowe, Jr. wrote: >> Mladen Turk wrote: >>> William A. Rowe, Jr. wrote: >>>> it's sort of a closed loop problem. Update the info, allow the usual >>>> one hour after updating from minotaur to sync, and then shoot out the >>>> notice referencing the list of notices sent :) >>>> >>> Can we get an example email that needs to be send and an email >>> address? The page you referred looks pretty confusing with lots >>> of links ;) >>> Think wee need to have both JSSE and OpenSSL referenced. >> >> Please review the section "Notify the U.S. Government of the Release" >> and let me know of any suggested changes, or ask about the confusing >> paragraph so I can rewrite it. > > Argh. I was looking at the wrong location. > I'll try running the tool. > > However, not sure what to do with JSSE and how to reference those. > > Is http://java.sun.com/javase/technologies/security/ > enough? They tend to change the uri often ;)
It must be a link from which bis can get to the source code of the open source crypto provider. They provide a link on that page; "Archived JAAS, JCE, and JSSE Optional packages" - however following that link reveals version 1.0.3 of the JSSE alone, so this doesn't satisfy the requirements since there is no way to get to the specific sources. But *wait* - we don't ship the JSSE, we incorporate it but the user must obtain it themselves. The crypto code *we* ship is strictly at openssl or in our own svn repositories. So - incorporate by reference that it leverages JSSE (that link is fine) but since we don't ship it, we don't point them to that 'source code'. Only our own. c.f. derby and geronimo. So follow the geronimo example and the httpd example of openssl notice and I think that covers Tomcat. Now in the case of a few others where they've leveraged BouncyCastle (an IP minefield in it's own right), they have actually shipped those .jar's as I understand it. So their form of notice was correct. Bill --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
