While here, can Apache projects rely on Mozilla's nss (MPL)?
I looked for alternatives but I only found the Java-based Bouncy Castle: http://www.bouncycastle.org/

cheers,

Pedro.

--- On Thu, 9/1/11, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:

> From: Dennis E. Hamilton <dennis.hamil...@acm.org>
> Subject: RE: Request dev help: Info for required crypto export declaration
> To: ooo-dev@incubator.apache.org
> Date: Thursday, September 1, 2011, 12:00 AM
>
> It is simplified and it isn't.
> But we are doing it out of order.
>
> Here is the page that I couldn't remember the location of:
>
> <http://www.apache.org/dev/crypto.html>
>
> - Dennis
>
> -----Original Message-----
> From: rabas...@gmail.com [mailto:rabas...@gmail.com] On Behalf Of Rob Weir
> Sent: Wednesday, August 31, 2011 09:31
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto export declaration
>
> On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> > I thought there was a short-circuit/umbrella process that doesn't require
> > all of these details. I thought that came up on an old thread, either on
> > the PPMC or in the early days of this list.
> >
> > We do need to collect and update the details, but I am not so sure we need
> > to file a full-up declaration. There is apparently a simplified procedure
> > and we should look for it. (I am not where I can do that right now.)
> >
>
> Uh... but we need to know the details to know whether we can use the
> simplified procedure.
>
> -Rob
>
> > -----Original Message-----
> > From: Mathias Bauer [mailto:mathias_ba...@gmx.net]
> > Sent: Wednesday, August 31, 2011 07:00
> > To: ooo-dev@incubator.apache.org
> > Subject: Re: Request dev help: Info for required crypto export declaration
> >
> > Hello,
> >
> > please take my answers with a decent grain of salt, I'm not an expert
> > for that area, Matthias Hütsch and Malte Timmermann certainly could
> > answer that better, but I don't know if they are currently contributing
> > to this list. Hopefully my remarks can help to look at the right places.
> >
> > On 31.08.2011 15:03, Rob Weir wrote:
> >
> >> There is some paperwork we need to file based on OOo use of
> >> cryptography. Details are on the Apache website [1]. I think I can
> >> handle most of the paperwork, provided I can get some help, on this
> >> thread, establishing the basic facts.
> >>
> >>
> >> 1) Was something similar ever done for OpenOffice.org? Most software
> >> companies are aware of this US export regulation and do this
> >> declaration as a matter of routine. But not all open source projects
> >> are as diligent as ASF is. So it is possible that OOo never did this
> >> before. But if they did, we could reuse much of their paperwork.
> >
> > AFAIR Sun did that some time ago, but I'm not 100% sure.
> >
> >> 2) We need a list of all uses of cryptographic methods in OOo,
> >> including code that we include, but also where we enable 3rd party or
> >> OS crypto modules to be plugged in. This includes both symmetrical
> >> algorithms (commonly used for encryption) as well as asymmetrical
> >> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
> >>
> >> 3) For each method, it looks like we need to state whether we authored
> >> the crypto, or name the origin of the code if it is a 3rd party.
> >>
> >> The methods I suspect are in OOo are:
> >>
> >> a) For password-protected ODF documents, we use the Blowfish block
> >> encryption method. Where did that code come from?
> >
> > It was an own implementation from someone who was employed by Sun at
> > that time.
> >
> > In the new 3.4 code we also use AES code from the openssl library.
> >
> >> b) What do we support for other document formats, such as DOC, OOXML
> >> or legacy StarOffice formats? Any other encryption methods? If so,
> >> what are they and what was their origin?
> >
> > As none of the former Oracle employed MS filter developers is listening
> > here, maybe we could ask Kohei or Caolan from the Libre Office crew.
> >
> >> c) We support digital signatures with ODF files as well. What
> >> algorithms are supported? Is this our original code or 3rd party?
> >
> > The code we use is based on the SeaMonkey or nss module. I always get
> > confused about them, but in any way the code is "external".
> >
> >> d) Do we support digital signatures with any other file formats?
> >
> > No, only our own file format.
> >
> >> e) Any other uses of encryption?
> >>
> >> f) Presumably we have places that are at least enabled for SSL via OS-level
> >> resolution of https protocol URLs. Is this correct?
> >>
> >> g) But do we have any SSL (TLS) code included in our source code? If
> >> so, what is the origin of this?
> >
> > Open ssl, maybe something in neon, I don't know.
> >
> > Regards,
> > Mathias