Re: podling BIS notifications (jars in svn & crypto)

From: Mike Kienenberger (mkienen..mail.com)
Date: Thu Feb 22 2007 - 10:56:43 EST


    Michael,

    You're still missing the point. It's not the ROT-13 that would cause
    us to have to register. It's an API that allows for plugging in
    arbitrary encryption. However, my suspicion is that we're exempt
    because our "encryption" only deals with authentication.

    On 2/22/07, Michael Gentry <blacknex..mail.com> wrote:
    > I certainly don't mind having this cleared by legal and it is a good discussion.
    >
    > I've had a bit more sleep and caffeine now and went over to
    > http://www.apache.org/dev/crypto.html and just read this bit:
    >
    > "The U.S. Government Department of Commerce, Bureau of Industry and
    > Security (BIS), has classified this software as Export Commodity
    > Control Number (ECCN) 5D002.C.1, which includes information security
    > software using or performing cryptographic functions with asymmetric
    > algorithms."
    >
    > ROT-13 and ROT-47 (the only ones we provide) are symmetrical
    > algorithms. To quote the Wikipedia (yeah, I know some people don't
    > feel it is definitive about anything):
    >
    > "An additional feature of the cipher is that it is symmetrical; that
    > is, to undo ROT13, the same algorithm is applied, so the same code can
    > be used for encoding and decoding."
    >
    > This still feels like a non-issue to me, but worthy of discussion and
    > perhaps feedback from Apache legal. And if anyone really feels ROT-13
    > is secure, I know a 6-year-old girl with a sheet of paper that can
    > hack their system. (She uses it to send "secret" messages to her
    > grandmother.) :-)
    >
    > Mike K. did raise an interesting point about if Cayenne Modeler starts
    > using Derby instead of HSQL, what does that mean for us? Would we
    > only need the BIS/etc if we run the preferences DB with encryption (I
    > can't imagine we would -- no reason to)?
    >
    > Thanks again!
    >
    > /dev/mrg
    >
    >
    > On 2/22/07, Mike Kienenberger <mkienen..mail.com> wrote:
    > > Jean,
    > >
    > > Thank you for looking into this. I guess at some point I should join
    > > legal-discuss, but I already feel I'm overloaded with Apache mailing
    > > lists :-)
    > >
    > > On 2/22/07, Jean T. Anderson <jt..ristowhill.com> wrote:
    > > > Mike Kienenberger wrote:
    > > > > ... if we start providing derby as a component of
    > > > > cayenne, then we are subject to the export regs.
    > > >
    > > > I just posted a question to legal-discuss asking if an Apache product
    > > > includes any product listed at http://www.apache.org/licenses/exports/,
    > > > does it need to also do the BIS notification.
    > > >
    > > > -jean
    > > >
    > > >
    > >
    >


