On Tue, 14 Feb 2012, Rob Weir wrote:
> If I understand correctly, since we are not including Java Crypto API
> libraries in our code, we don't need to declare them specifically. But
> since we're "designed to use" such libraries we need to register the ODF
> Toolkit as 5D002.

I think this case is actually a 5x992 one, rather than a 5d002 one, but
the rules did change fairly recently and we're in the process of figuring
out the new policy.

> Note that we do have our own implementation of PKCS #5, per RFC 2898.
> This is a "password-based key derivation function", which is applied
> prior to encryption in order to convert "weak" passcodes entered by
> end users into higher entropy ones. I don't see this as restricted
> under the export regulations, so I don't think we should declare it.

I think that's correct. What you feed the password bytes to may well be
5D002 / 5x992 restricted (or similar), but I don't think the work to turn
the string into bytes is

> Looking at the process [1] for doing this paperwork, it looks like we
> need to update this [2] page by updating this [3] source.
>
> [1] http://www.apache.org/dev/crypto.html
> [2] http://www.apache.org/dev/crypto.html
> [3] http://www.apache.org/licenses/exports/

Those guides refer to the old system, and are probably not now appropriate
for this case. What should now be done is being discussed on the
legal-discuss list:
<http://mail-archives.apache.org/mod_mbox/www-legal-discuss/>
Are you able and willing to put a bit of work in on this? The 5d002 and
based-on-5d002 cases are going to be a bit harder, but the 5x992 case
(like this one) ought to be simpler. It does need someone to read up on
the rules, check if the current understanding on legal-discuss looks
correct, verify this with the BIS, and then finally we can update the
documentation.
Nick