To be honest, I took the easy way out and 1) went with the advice on the BIS web site + 2) assumed the worst case.
So my assumption was that I need to see the library as "tainted" by the fact that it uses encryption code (over and above the signature only parts), and that we need to apply for one thing that covers the library as a whole. We were not planning to build two libraries - one for encryption & one for signature. The different parts leverage off each other and it would be an artificial split for the sake of it, rather than for a good technical reason.
The actual wording in my e-mail is a lift from their web site advising what you need to send them :
http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html
The way I figured was I assume the worst, apply for the whole thing (as an encryption product), and let them tell me I've gone too far (or that I need to separately cover the other pieces).
Much better than trying to narrow it down and then be told I've not covered us.
However happy to send an update if people think this is the wrong approach.
Cheers,
BerinDirk-Willem van Gulik wrote:
Berin,
Just trying to think through 5D002 - would it not be the case that part of the signature code is more under EAR, or perhaps is the generic EAR99, or just under 5D002.a ?
Though I guess we need to apply an ECCN to the -whole- distribution; so that would atomatically be a 5D002, in the introduction to CFR it is not clear if you need to state the 'worst' or 'all'
Dw
On Sun, 4 Jan 2004, Berin Lautenbach wrote:
SUBMISSION TYPE: TSU SUBMITTED BY: Berin Lautenbach SUBMITTED FOR: Apache Software Foundation POINT OF CONTACT: Apache's XML Security Project PHONE and/or FAX: [EMAIL PROTECTED] MANUFACTURER: N/A PRODUCT NAME/MODEL #: XML-Security-C Library ECCN: 5D002
NOTIFICATION: Web site - http://xml.apache.org/security/c CVS Repository - http://cvs.apache.org/viewcvs.cgi/xml-security/c/src/ Download directory - http://www.apache.org/dist/xml/security/c-library/
NOTE : Current downloadable release code does not contain the new XML-Encryption code, only digital signature code. See CVS repository for new code.
