On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> I thought there was a short-circuit/umbrella process that doesn't require all
> of these details. I thought that came up on an old thread, either on the
> PPMC or in the early days of this list.
>
> We do need to collect and update the details, but I am not so sure we need to
> file a full-up declaration. There is apparently a simplified procedure and
> we should look for it. (I am not where I can do that right now.)
>

Uh... but we need to know the details to know whether we can use the
simplified procedure.

-Rob

> -----Original Message-----
> From: Mathias Bauer [mailto:mathias_ba...@gmx.net]
> Sent: Wednesday, August 31, 2011 07:00
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto export declaration
>
> Hello,
>
> please take my answers with a decent grain of salt, I'm not an expert
> for that area, Matthias Hütsch and Malte Timmermann certainly could
> answer that better, but I don't know if they are currently contributing
> to this list. Hopefully my remarks can help to look at the right places.
>
> On 31.08.2011 15:03, Rob Weir wrote:
>
>> There is some paperwork we need to file based on OOo use of
>> cryptography. Details are on the Apache website [1]. I think I can
>> handle most of the paperwork, provided I can get some help, on this
>> thread, establishing the basic facts.
>>
>>
>> 1) Was something similar ever done for OpenOffice.org? Most software
>> companies are aware of this US export regulation and do this
>> declaration as a matter of routine. But not all open source projects
>> are as diligent as ASF is. So it is possible that OOo never did this
>> before. But if they did, we could reuse much of their paperwork.
>
> AFAIR Sun did that some time ago, but I'm not 100% sure.
>
>> 2) We need a list of all uses of cryptographic methods in OOo,
>> including code that we include, but also where we enable 3rd party or
>> OS crypto modules to be plugged in. This includes both symmetrical
>> algorithms (commonly used for encryption) as well as asymmetrical
>> algorithms (for example, public key uses like PGP, RSA, TLS, etc.)
>>
>> 3) For each method, it looks like we need to state whether we authored
>> the crypto, or name the origin of the code if it is a 3rd party.
>>
>> The methods I suspect are in OOo are:
>>
>> a) For password-protected ODF documents, we use the Blowfish block
>> encryption method. Where did that code come from?
>
> It was an own implementation from someone who was employed by Sun at
> that time.
>
> In the new 3.4 code we also use AES code from the openssl library.
>
>> b) What do we support for other document formats, such as DOC, OOXML
>> or legacy StarOffice formats? Any other encryption methods? If so,
>> what are they and what was their origin?
>
> As none of the former Oracle employed MS filter developers is listening
> here, maybe we could ask Kohei or Caolan from the Libre Office crew.
>
>> c) We support digital signatures with ODF files as well. What
>> algorithms are supported? Is this our original code or 3rd party?
>
> The code we use is based on the SeaMonkey or nss module. I always get
> confused about them, but in any way the code is "external".
>
>> d) Do we support digital signatures with any other file formats?
>
> No, only our own file format.
>
>> e) Any other uses of encryption?
>>
>> f) Presumably we have places that are at least enabled for SSL via OS-level
>> resolution of https protocol URLs. Is this correct?
>>
>> g) But do we have any SSL (TLS) code included in our source code? If
>> so, what is the origin of this?
>
> Open ssl, maybe something in neon, I don't know.
>
> Regards,
> Mathias
>