On Thu, Sep 1, 2011 at 8:00 PM, Rob Weir <r...@robweir.com> wrote: > On Thu, Sep 1, 2011 at 2:51 PM, Robert Burrell Donkin > <robertburrelldon...@gmail.com> wrote: >> On Thu, Sep 1, 2011 at 7:38 PM, Dennis E. Hamilton >> <dennis.hamil...@acm.org> wrote: >>> Please just do it this way: >>> >>> <http://www.apache.org/dev/crypto.html> >>> >>> ASF is very clear on what is required for *its* releases and this page >>> appears to be comprehensive. >> >> The Apache rules break down into reporting to users and notification. >> Informing users is important but notification is urgent (making source >> available [1] counts as export). >> >>> (I finally found where I saw this before. It has also been discussed here >>> or on the ooo-private list before. I remembered it as being simpler than >>> it is.) >> >> (It looks worse than it is) >> >> Following the instructions[3], step 1 is to work out whether OOo has >> any unusual cryptography beyond ECCN 5D002, which is: >> >> <blockquote cite='http://www.apache.org/dev/crypto.html#classify> >> Software specially designed or modified for the development, >> production or use of any of the other software of this list, or >> software designed to certify other software on this list; or >> Software using a "symmetric algorithm" employing a key length in >> excess of 56-bits; or >> Software using an "asymmetric algorithm" where the security of the >> algorithm is based on: factorization of integers in excess of 512 bits >> (e.g., RSA), computation of discrete logarithms in a multiplicative >> group of a finite field of size greater than 512 bits (e.g., >> Diffie-Hellman over Z/pZ), or other discrete logarithms in a group in >> excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve). >> </blockquote> >> >> Does OOo rely on cryptography more exotic than this? >> > > That is where it seems backwards to me. If I'm reading this > correctly, we are OK if we use a symmetrical algorithm with key length > greater than ("in excess of") 56-bits. But if we use an algorithm, > with less thanb 56-bits we're considered exotic? Really?
Remember that we're only interested in strong cryptography :-) IIRC symmetric and asymmetric algorithms weaker than this are not considered strong cryptography, and so don't fall under ECCN 5D002. Cryptography which is neither weak nor covered by those definitions needs special handling. Robert
