If I understand correctly, since we are not including Java Crypto API libraries in our code, we don't need to declare them specifically. But since we're "designed to use" such libraries we need to register the ODF Toolkit as 5D002.
Note that we do have our own implementation of PKCS #5, per RFC 2898. This is a "password-based key derivation function", which is applied prior to encryption in order to convert "weak" passcodes entered by end users into higher entropy ones. I don't see this as restricted under the export regulations, so I don't think we should declare it. Looking at the process [1] for doing this paperwork, it looks like we need to update this [2] page by updating this [3] source. [1] http://www.apache.org/dev/crypto.html [2] http://www.apache.org/dev/crypto.html [3] http://www.apache.org/licenses/exports/ I don't have permissions to update the source XML directly, but I believe it should be updated to include the following fragment. I have Nick in as the contact, assuming that he will send the declaration per [4]. Once that is done, Devin can check in the encyption/digital signature code, and I can update the README file per [5]. Am I missing anything? -Rob [4] http://www.apache.org/dev/crypto.html#notify [5] http://www.apache.org/dev/crypto.html#inform <Project href="http://incubator.apache.org/odf";> <Name>Apache ODF Toolkit Project</Name> <Contact><Name>Nick Burch</Name></Contact> <Product> <Name>Apache ODF Toolkit</Name> <Version> <Names>development</Names> <ECCN>5D002</ECCN> <ControlledSource href="https://svn.apache.org/repos/asf/incubator/odf/";> <Manufacturer>ASF</Manufacturer> <Why>Designed for use with Java Cryptography Extension (JCE)</Why> </ControlledSource> </Version> <Version> <Names>0.5-incubating and later</Names> <ECCN>5D002</ECCN> <ControlledSource href="http://archive.apache.org/dist/incubator/odftoolkit";> <Manufacturer>ASF</Manufacturer> <Why>Designed for use with Java Cryptography Extension (JCE)</Why> </ControlledSource> </Version> </Product> </Project>
