On 9/2/06, Dennis Byrne <[EMAIL PROTECTED]> wrote:
> Apache MyFaces has bindings to the javax.crypto API. Configuration parameters,
> supplied by an application developer, are passed through to the javax.crypto
> API, employing symmetric encryption algorithms with unlimited key lengths.
> The following from [1] leads me to believe that Apache MyFaces release
> artifacts fall under ECCN 5D002 (Export Control Classification Number).
>
> "the definition of ECCN 5D002, which can be summarized as: ... Software using a
> "symmetric algorithm" employing a key length in excess of 56-bits"
>
> However the crypto page [1] also states the following:
>
> "If my project ships a binary that provides bindings to OpenSSL, but does not
> include its source or binaries, what notifications must be made?
> The only required notification for an Apache project that is specially designed to
> use, but doesn't include, such crypto, is just the notification for the ASF product
> code."
>
> I think it is reasonable to say "the javax.crypto API" can replace "OpenSSL" here? Can
> anyone please clarify what "just the notification for the ASF product code" means?

This just means that the ASF product is still considered to be crypto
since it is specially designed to use other crypto. The point of this
FAQ was to explain that you do not need to make any notification about
the crypto that the product is designed to use if it is not actually
included in the product; but you still need to make a notification for
the ASF product, since it is also considered to be crypto according to
the 5D002 definition.

> To be honest, the code in question was committed more than six months ago and
> there have been at least three releases. Keep in mind that we don't actually
> release the software that performs the strong encryption; application
> developers have to download this *themselves* from a group like Bouncy Castle
> [2]. Such algorithms are not even distributed with a standard JVM release.

Well, we haven't had a good understanding nor any docs on what is
required until recently; so it's understandable that we may have
projects today that are not in compliance. However, it's not very
difficult now to fix this.
I can work with you and/or other MyFaces committers to get this done,
but for now, take a look at what James did (you can find their exports
RDF file listed in the registry:
http://www.apache.org/licenses/exports/export-registry.xml). I
haven't yet written docs on the exports RDF format that we came up
with, but you might be able to figure out most of it from just looking
at the James example. The one difference from your project is that
James actually includes the Bouncy Castle stuff in the product, which
is why they have it listed. You would only need to list the ASF
stuff.
Cliff

> Thanks to anyone who can help me in this matter,
> Dennis Byrne
>
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.bouncycastle.org/latest_releases.html