On Tue, 2 Mar 2010, Robert Hafner wrote:
Reposting the following questions since I have not seen a follow up
response yet.
As you probably guessed from the deafening silence, you appear to know
more about US crypto rules than all of us put together... I think as a
general rule we all only know what's listed at
http://www.apache.org/dev/crypto.html !
SVN informs me that the export notice for POI went in on 2009-08-06. This
was in response to the contribution from Maxim in bug #47652 -
https://issues.apache.org/bugzilla/show_bug.cgi?id=47652
I think the notice would also be needed for the digital signature support
(see <http://mail-archives.apache.org/mod_mbox/poi-dev/200910.mbox/%[email protected]%3e>)
if it were to be re-commited.
* Does this encrypt the password (or other file protection data) only or
does it also encrypt the contents of the workbook?
The two main commits around this are:
http://svn.apache.org/viewvc?view=revision&revision=801890
http://svn.apache.org/viewvc?view=revision&revision=804381
I think all of the contents are encrypted, as the main work is on
inserting a decryption layer between the record creation and the
underlying stream
* What is the strength (or key length) of the algorithm as implemented .
. . usually between 40 and 128 bits?
I think from looking at the code it's 40 bytes, BICBW
* Has this use been reviewed by BIS? If so, is there a CCATS#
I'm not sure who BIS are, or what a CCATS number is when it's at home...
So it's unlikely but certainly not impossible! We followed all the rules
laid down in http://www.apache.org/dev/crypto.html but didn't do anything
more.
If there's some magic form we should fill in and send off to the US
government to make the lives of our users easier, and someone can tell use
what to put in said form, we'll happily do so! However I think at the
moment our knowledge of US crypto policy is pretty much "follow these
incantations and everything is ok, neglect to follow them and the ASF gets
into trouble, so just follow them" and that's it...
Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
