Hi, does anybody know how to proceed with this? If not, should I forward this question to the legal list or Infra?
Dominik On 2021/10/05 15:21:22, "Dominik Riemer" <[email protected]> wrote: > Hi all, > > > > this is probably a question to our mentors: > > Users in StreamPipes are able to configure data sinks (e.g., a sink that > stores data in a MySQL database). In the configuration, users can (for > example) enter a database password. > > I'm currently working on an improved authentication/authorization system for > StreamPipes and as part of this, such passwords should be stored in our > internal database in an encrypted way (and decrypted once a pipeline is > started based on a secret key providing by users as an env variable). > > > > For this, we would import packages from javax.crypto and include a library > called Jasypt [1] for encryption/decryption, which is Apache licensed and > approved for export. > > I've read through the ASF regulations on usage of crypto software [2] and > wonder if an ECCN filing for StreamPipes is needed when using this library > or javax.crypto imports? > > > > It would be great to receive some advice on this. > > > > Thanks! > > Dominik > > > > > > [1] https://github.com/jasypt/jasypt > > [2] https://infra.apache.org/crypto.html > > [3] What is Jasypt's export classification in the United States of America? > Although Jasypt does not implement nor distribute in any of its forms any > cryptographic algorithms, it can use them via the Java Cryptography > Extension API and, as such, it is classified under ECCN code 5D002 and > approved for export under License Exception TSU. > > > > > > > >
