On Thu, Sep 1, 2011 at 11:41 AM, Pedro F. Giffuni <giffu...@tutopia.com> wrote: > While here, > > Can Apache projects rely on Mozilla's nss (MPL)? >
See this page on current view from Apache legal: http://www.apache.org/legal/resolved.html#category-b > I looked for alternatives but I only found the java based > Bouncy Castle: > > http://www.bouncycastle.org/ > > cheers, > > Pedro. > > --- On Thu, 9/1/11, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote: > >> From: Dennis E. Hamilton <dennis.hamil...@acm.org> >> Subject: RE: Request dev help: Info for required crypto export declaration >> To: ooo-dev@incubator.apache.org >> Date: Thursday, September 1, 2011, 12:00 AM >> It is simplified and it isn't. >> But we are doing it out of order. >> >> Here is the page that I couldn't remember the location of: >> >> <http://www.apache.org/dev/crypto.html> >> >> - Dennis >> >> -----Original Message----- >> From: rabas...@gmail.com >> [mailto:rabas...@gmail.com] >> On Behalf Of Rob Weir >> Sent: Wednesday, August 31, 2011 09:31 >> To: ooo-dev@incubator.apache.org >> Subject: Re: Request dev help: Info for required crypto >> export declaration >> >> On Wed, Aug 31, 2011 at 12:29 PM, Dennis E. Hamilton >> <dennis.hamil...@acm.org> >> wrote: >> > I thought there was a short-circuit/umbrella process >> that doesn't require all of these details. I thought >> that came up on an old thread, either on the PPMC or in the >> early days of this list. >> > >> > We do need to collect and update the details, but I am >> not so sure we need to file a full-up declaration. >> There is apparently a simplified procedure and we should >> look for it. (I am not where I can do that right now.) >> > >> >> Uh... but we need to know the details to know whether we >> can use the >> simplified procedure. >> >> -Rob >> >> >> > -----Original Message----- >> > From: Mathias Bauer [mailto:mathias_ba...@gmx.net] >> > Sent: Wednesday, August 31, 2011 07:00 >> > To: ooo-dev@incubator.apache.org >> > Subject: Re: Request dev help: Info for required >> crypto export declaration >> > >> > Moin, >> > >> > please take my answers with a decent grain of salt, >> I'm not an expert >> > for that area, Matthias Hütsch and Malte Timmermann >> certainly could >> > answer that better, but I don't know if they are >> currently contributing >> > to this list. Hopefully my remarks can help to look at >> the right places. >> > >> > Am 31.08.2011 15:03, schrieb Rob Weir: >> > >> >> There is some paperwork we need to file based on >> OOo use of >> >> cryptography. Details are on the Apache >> website [1]. I think I can >> >> handle most of the paperwork, provided I can get >> some help, on this >> >> thread, establishing the basic facts. >> >> >> >> >> >> 1) Was something similar every done for >> OpenOffice.org? Most software >> >> companies are aware of this US export regulation >> and do this >> >> declaration as a matter of routine. But not >> all open source projects >> >> are as diligent as ASF is. So it is possible >> that OOo never did this >> >> before. But if they did, we could reuse much >> of their paperwork. >> > >> > AFAIR Sun did that some time ago, but I'm not 100% >> sure. >> > >> >> 2) We need a list of all uses of cryptographic >> methods in OOo, >> >> including code that we include, but also where we >> enable 3rd party or >> >> OS crypto modules to plugged in. This >> includes both symmetrical >> >> algorithms (commonly used for encryption) as well >> as asymmetrical >> >> algorithms (for example, public key uses like PGP, >> RSA, TLS, etc.) >> >> >> >> 3) For each method, it looks like we need to state >> whether we authored >> >> the crypto, or name the origin of the code if it >> is a 3rd party. >> >> >> >> The methods I suspect are in OOo are: >> >> >> >> a) For password-protected ODF documents, we use >> the Blowfish block >> >> encryption method. Where did that >> code come from? >> > >> > It was an own implementation from someone who was >> employed by Sun at >> > that time. >> > >> > In the new 3.4 code we also use AES code from the >> openssl library. >> > >> >> b) What do we support for other document formats, >> such as DOC, OOXML >> >> or legacy StarOffice formats? Any other >> encryption methods? If so, >> >> what are they are what was their origin? >> > >> > As none of the former Oracle employed MS filter >> developers is listening >> > here, maybe we could ask Kohei or Caolan from the >> Libre Office crew. >> > >> >> c) We support digital signatures with ODF files as >> well. What >> >> algorithms are supported? Is this our >> original code or 3rd party? >> > >> > The code we use is based on the SeaMonkey or nss >> module. I always get >> > confused about them, but in any way the code is >> "external". >> > >> >> d) Do we support digital signatures with any >> other file formats? >> > >> > No, only our own files format. >> > >> >> e) Any other uses of encryption? >> >> >> >> f) Presumably we places that are at least enabled >> for SSL via OS-level >> >> resolution of https protocol >> URLs. Is this correct? >> >> >> >> g) But do we have any SSL (TLS) code included in >> our source code? If >> >> so, what is the origin of this? >> > >> > Open ssl, maybe something in neon, I don't know. >> > >> > Regards, >> > Mathias >> > >> > >> >> >> >