On Thu, Sep 1, 2011 at 7:38 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote: > Please just do it this way: > > <http://www.apache.org/dev/crypto.html> > > ASF is very clear on what is required for *its* releases and this page > appears to be comprehensive.
The Apache rules break down into reporting to users and notification. Informing users is important but notification is urgent (making source available [1] counts as export). > (I finally found where I saw this before. It has also been discussed here or > on the ooo-private list before. I remembered it as being simpler than it is.) (It looks worse than it is) Following the instructions[3], step 1 is to work out whether OOo has any unusual cryptography beyond ECCN 5D002, which is: <blockquote cite='http://www.apache.org/dev/crypto.html#classify> Software specially designed or modified for the development, production or use of any of the other software of this list, or software designed to certify other software on this list; or Software using a "symmetric algorithm" employing a key length in excess of 56-bits; or Software using an "asymmetric algorithm" where the security of the algorithm is based on: factorization of integers in excess of 512 bits (e.g., RSA), computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ), or other discrete logarithms in a group in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve). </blockquote> Does OOo rely on cryptography more exotic than this? Robert [1] http://www.apache.org/dev/crypto.html#overview [2] http://www.apache.org/licenses/exports/ [3] http://www.apache.org/dev/crypto.html#classify