Re: MyFaces ECCN 5D002
On 9/2/06, Dennis Byrne [EMAIL PROTECTED] wrote:

> Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.
>
> The following from [1] leads me to believe that Apache MyFaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).
>
> the definition of ECCN 5D002, which can be summarized as: ... Software using a symmetric algorithm employing a key length in excess of 56-bits
>
> However the crypto page [1] also states the following:
>
> If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made? The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code.
>
> I think it is reasonable to say the javax.crypto API can replace OpenSSL here? Can anyone please clarify what just the notification for the ASF product code means?

This just means that the ASF product is still considered to be crypto since it is specially designed to use other crypto. The point of this FAQ was to explain that you do not need to make any notification about the crypto that the product is designed to use if it is not actually included in the product; but you still need to make a notification for the ASF product, since it is also considered to be crypto according to the 5D002 definition.

> To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.

Well we haven't had a good understanding nor any docs on what is required until recently; so it's understandable that we may have projects today that are not in compliance. However, it's not very difficult now to fix this. I can work with you and/or other MyFaces committers to get this done, but for now, take a look at what James did (you can find their exports RDF file listed in the registry (http://www.apache.org/licenses/exports/export-registry.xml)). I haven't yet written docs on the exports RDF format that we came up with, but you might be able to figure out most of it from just looking at the James example. The one difference from your project is that James actually includes the Bouncy Castle stuff in the product, which is why they have it listed. You would only need to list the ASF stuff.

Cliff

> Thanks to anyone who can help me in this matter,
> Dennis Byrne
>
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.bouncycastle.org/latest_releases.html
MyFaces ECCN 5D002
Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.

The following from [1] leads me to believe that Apache MyFaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).

the definition of ECCN 5D002, which can be summarized as: ... Software using a symmetric algorithm employing a key length in excess of 56-bits

However the crypto page [1] also states the following:

If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made? The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code.

I think it is reasonable to say the javax.crypto API can replace OpenSSL here? Can anyone please clarify what just the notification for the ASF product code means?

To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.

Thanks to anyone who can help me in this matter,
Dennis Byrne

[1] http://www.apache.org/dev/crypto.html
[2] http://www.bouncycastle.org/latest_releases.html
Re: MyFaces ECCN 5D002
don't worry
I am in Iran (main part of axis of evil)
we have access to all this crypto code
don't waste your time hiding them!

On 9/2/06, Dennis Byrne [EMAIL PROTECTED] wrote:

> Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.
>
> The following from [1] leads me to believe that Apache MyFaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).
>
> the definition of ECCN 5D002, which can be summarized as: ... Software using a symmetric algorithm employing a key length in excess of 56-bits
>
> However the crypto page [1] also states the following:
>
> If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made? The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code.
>
> I think it is reasonable to say the javax.crypto API can replace OpenSSL here? Can anyone please clarify what just the notification for the ASF product code means?
>
> To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.
>
> Thanks to anyone who can help me in this matter,
> Dennis Byrne
>
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.bouncycastle.org/latest_releases.html

--
Arash Rajaeeyan
Re: MyFaces ECCN 5D002
Would you like a medal Arash?

On 9/2/06, Arash Rajaeeyan [EMAIL PROTECTED] wrote:

> don't worry
> I am in Iran (main part of axis of evil)
> we have access to all this crypto code
> don't waste your time hiding them!
>
> On 9/2/06, Dennis Byrne [EMAIL PROTECTED] wrote:
>
>> Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.
>>
>> The following from [1] leads me to believe that Apache MyFaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).
>>
>> the definition of ECCN 5D002, which can be summarized as: ... Software using a symmetric algorithm employing a key length in excess of 56-bits
>>
>> However the crypto page [1] also states the following:
>>
>> If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made? The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code.
>>
>> I think it is reasonable to say the javax.crypto API can replace OpenSSL here? Can anyone please clarify what just the notification for the ASF product code means?
>>
>> To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.
>>
>> Thanks to anyone who can help me in this matter,
>> Dennis Byrne
>>
>> [1] http://www.apache.org/dev/crypto.html
>> [2] http://www.bouncycastle.org/latest_releases.html
>
> --
> Arash Rajaeeyan
Re: MyFaces ECCN 5D002
Hi Cliff,

Thanks for your help. I have created an issue for this [1]. If you have time, can you look at the attachment [2]? The only question I have concerns the CryptoSrc element. JAMES used this element to point to a source release, but Apache MyFaces, to my knowledge, has only done source releases for releases which do not have bindings to the crypto APIs (1.1.1 and 1.0.9). Also, I am curious as to why only the source is tracked. There is no equivalent to CryptoBin?

Dennis Byrne

[1] https://issues.apache.org/jira/browse/MYFACES-1400
[2] https://issues.apache.org/jira/secure/attachment/12340100/bis_MYFACES.rdf

-Original Message-
From: Cliff Schmidt [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 2, 2006 02:47 PM
To: 'Dennis Byrne'
Cc: legal-discuss@apache.org, dev@myfaces.apache.org
Subject: Re: MyFaces ECCN 5D002

On 9/2/06, Dennis Byrne [EMAIL PROTECTED] wrote:

> Apache MyFaces has bindings to the javax.crypto API. Configuration parameters, supplied by an application developer, are passed through to the javax.crypto API, employing symmetric encryption algorithms with unlimited key lengths.
>
> The following from [1] leads me to believe that Apache MyFaces release artifacts fall under ECCN 5D002 (Export Control Classification Number).
>
> the definition of ECCN 5D002, which can be summarized as: ... Software using a symmetric algorithm employing a key length in excess of 56-bits
>
> However the crypto page [1] also states the following:
>
> If my project ships a binary that provides bindings to OpenSSL, but does not include its source or binaries, what notifications must be made? The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is just the notification for the ASF product code.
>
> I think it is reasonable to say the javax.crypto API can replace OpenSSL here? Can anyone please clarify what just the notification for the ASF product code means?

This just means that the ASF product is still considered to be crypto since it is specially designed to use other crypto. The point of this FAQ was to explain that you do not need to make any notification about the crypto that the product is designed to use if it is not actually included in the product; but you still need to make a notification for the ASF product, since it is also considered to be crypto according to the 5D002 definition.

> To be honest, the code in question was committed more than six months ago and there have been at least three releases. Keep in mind that we don't actually release the software that performs the strong encryption; application developers have to download this *themselves* from a group like Bouncy Castle [2]. Such algorithms are not even distributed with a standard JVM release.

Well we haven't had a good understanding nor any docs on what is required until recently; so it's understandable that we may have projects today that are not in compliance. However, it's not very difficult now to fix this. I can work with you and/or other MyFaces committers to get this done, but for now, take a look at what James did (you can find their exports RDF file listed in the registry (http://www.apache.org/licenses/exports/export-registry.xml)). I haven't yet written docs on the exports RDF format that we came up with, but you might be able to figure out most of it from just looking at the James example. The one difference from your project is that James actually includes the Bouncy Castle stuff in the product, which is why they have it listed. You would only need to list the ASF stuff.

Cliff

> Thanks to anyone who can help me in this matter,
> Dennis Byrne
>
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.bouncycastle.org/latest_releases.html