One of our product teams has expressed an interest in upgrading to Apache POI 3.5. I also expect other products to express an interest in future releases. During the third-party review process, our Legal department expressed some concern regarding POI's cryptography notice (http://poi.apache.org/legal.html) and its classification as 5D002.C.1 under ECCN. This classification requires us to report all exports of the product (and our products containing the product) twice each year. This is an administratively intensive task for our Legal Department and not one we are currently equipped to handle very efficiently. Therefore we are looking for a solution which allows our products to upgrade to v3.5 without placing an additional burden on our Legal department. Can you answer the following questions, which should help us decide what options we have available?

Legal Questions:

1) Does Apache POI 3.5 use the java.security and javax.crypto packages from the JRE, JCE, or a different product? If it is the JRE packages, then why is the Apache product classified as 5D002? Based upon our legal department's analysis the JRE is classified as 54992 (which is a more favorable classification that does not require reporting).

2) Has the Apache POI product been reviewed by BIS? Does it have any CCATS#? If POI 3.5 has been reviewed, was any type of reporting exception granted in the review?

Technical Questions:

1) Would it be possible to obtain a copy of Apache POI 3.5 that does not have the encryption (or encryption calls)? Or could we build our own version (without the encryption support)?

Thanks.

Rob
