I would be happy if Taverna doesn't meet the ECCN registration criteria :)
I think we are not exempt overall from the 2010 decontrolling: https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three because we do a lot of "sending and receiving information" - or at least most Taverna workflows do that. I would think our Credential Manager is "designed to use encryption functionality" - We register handlers with JSSE, in particular to manage user-accepted client/server certificates (as in the browser). We don't require JCE Strong Encryption, but recommend you do (as otherwise your passphrase is limited to 6 characters!) - we also use Bouncy Castle (ECCN classified) APIs directly for managing the keychain. https://github.com/apache/incubator-taverna-engine/#export-restrictions Our web service integration use WSS4J and XML Security (also ECCN classified), and of course the REST service can make https connections using the above certificate handling. https://github.com/apache/incubator-taverna-common-activities/#export-restrictions While the immediate release won't include a binary distribution for dist.apache.org, we plan that for later releases, and they would include JARs like Bouncy Castle, HTTPComponent and WSS4J - so while it could be unclear right now what "use" means - there will be "include" later. Likewise some of our Maven Central JARs could include shading of say Apache HTTPComponents, which is EECN-classified. On 5 May 2016 at 18:48, John D. Ament <john.d.am...@gmail.com> wrote: > Ted, > > I think that's my point. It sounds like taverna doesn't meet the criteria. > > John > On May 5, 2016 13:07, "Ted Dunning" <ted.dunn...@gmail.com> wrote: > >> John, >> >> I love what you do and respect what you say, but do you have a citation for >> that registration requirement? Taverna isn't distributing JSSE and it >> allows weak encryption. >> >> >> >> On Wed, May 4, 2016 at 7:36 PM, John D. Ament <johndam...@apache.org> >> wrote: >> >> > That's the thing, JSSE is an add-on encryption component in Java. If the >> > product requires it, you have to register it. >> > >> > Ideally the product shouldn't require it and make it an optional feature >> to >> > enable. >> > >> > The latter is just my $0.02 >> > >> > John >> > On May 4, 2016 21:30, "Ted Dunning" <ted.dunn...@gmail.com> wrote: >> > >> > I am pretty dubious that simply building a credential store using >> standard >> > JSSE requires registration. Same for HTTPS support. >> > >> > >> > >> > On Wed, May 4, 2016 at 6:23 PM, Ted Dunning <ted.dunn...@gmail.com> >> wrote: >> > >> > > >> > > My guess is that this would fall to me. >> > > >> > > There is considerable analysis to be done to determine whether filing >> is >> > > required. >> > > >> > > Are you guys documenting the decision points? >> > > >> > > >> > > >> > > On Wed, May 4, 2016 at 4:45 AM, Stian Soiland-Reyes <st...@apache.org> >> > > wrote: >> > > >> > >> On 2 May 2016 at 03:23, Stian Soiland-Reyes <st...@apache.org> wrote: >> > >> >> > >> > Formally - would it need to be the Incubator PMC chair sending the >> > >> > ECCN encryption email? >> > >> >> > >> Could anyone from IPMC (e.g. our mentors) do it, or just Ted Dunning? >> > >> >> > >> -- >> > >> Stian Soiland-Reyes >> > >> Apache Taverna (incubating), Apache Commons RDF (incubating) >> > >> http://orcid.org/0000-0001-9842-9718 >> > >> >> > >> --------------------------------------------------------------------- >> > >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> > >> For additional commands, e-mail: general-h...@incubator.apache.org >> > >> >> > >> >> > > >> > >> -- Stian Soiland-Reyes Apache Taverna (incubating), Apache Commons RDF (incubating) http://orcid.org/0000-0001-9842-9718 --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
