Posted to legal-discuss@apache.org by Joe Brockmeier <jz...@zonker.net> on 2012/10/02 00:49:43 UTC

Re: Crypto export filings for Apache CloudStack (incubating)

On Thu, Sep 27, 2012, at 10:43 AM, Jim Jagielski wrote:
> Forwarding to legal-internal

Jim - thanks for taking that to legal-internal. Has there been any
response? This looks like one of the last remaining hurdles to preparing
a release, so we're hoping to resolve this soon. 

Thanks!

Joe
-- 
Joe Brockmeier
jzb@zonker.net
Twitter: @jzb
http://www.dissociatedpress.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Sam Ruby <ru...@intertwingly.net>.
On Mon, Oct 1, 2012 at 8:53 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> On Oct 1, 2012, at 4:20 PM, Sam Ruby wrote:
>> Is there a strong reason NOT to follow the current requirements?
>> Alternately: does anybody have a proposed patch to the page?
>
> My patch would be to replace the page with the below explanation
> that 5D002 no longer applies to our software.
>
>> If we have a proposed patch that is likely to get consensus here, I am
>> willing to forward it for legal review.
>
> Can we have the following reviewed?

Review is underway,

- Sam Ruby



Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Rob Weir <ro...@apache.org>.
On Sun, Oct 7, 2012 at 12:59 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> On Oct 7, 2012, at 9:35 AM, Rob Weir wrote:
>> And let's handle the case where the ASF project
>> actually contains ASF-published encryption source code.  It is not the
>> case that all projects rely only on 3rd party libraries.
>
> That would be an entirely different question.  What project would
> that be?  Note that there is a lot of code under the general topic
> of encryption that is not regulated at all (one-way hashes,
> authentication, etc.).
>

I would suspect projects that need to deal with legacy MS Office
document encryption algorithms, pre-Office 2007.

For example, I see this in POI:

http://svn.apache.org/repos/asf/poi/trunk/src/java/org/apache/poi/hssf/record/crypto/RC4.java

Or, a quick Google search for "site:svn.apache.org blowfish" shows things like:

http://svn.apache.org/repos/asf/apr/apr/trunk/crypto/crypt_blowfish.c,
along with several others.

IMHO it is worth consideration of this possibility in formulating the
ASF policy in this area.

-Rob

> ....Roy



Re: Crypto export filings for Apache CloudStack (incubating)

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 7, 2012, at 9:35 AM, Rob Weir wrote:
> And let's handle the case where the ASF project
> actually contains ASF-published encryption source code.  It is not the
> case that all projects rely only on 3rd party libraries.

That would be an entirely different question.  What project would
that be?  Note that there is a lot of code under the general topic
of encryption that is not regulated at all (one-way hashes,
authentication, etc.).

....Roy




Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Rob Weir <ro...@apache.org>.
On Thu, Oct 4, 2012 at 1:26 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> On Oct 4, 2012, at 6:57 AM, Rob Weir wrote:
>> I think it is more complicated than this.
>
> I know you think that, but you don't have the advantage that I have
> of having already done the review (twice) and knowledge of the
> advice given to the ASF by an actual BIS regulator.  So, when I tell
> you that the only reason we were 5D002 before is a specific reason
> that is no longer in the regs, it simply doesn't matter what you
> (or I) think it means, and it really makes no difference what a
> FAQ (not part of the regulations) happens to say.  Cliff taught me
> that much.
>
> Either way, we need to ask.  If we get the answer we want, then
> we hang up the phone.  If we don't, then we'll deal with that later.
>

I've had some training on export regs and I have talked to an expert
on this topic as well.  So +1 to tracking this down for real rather
than guessing.  And let's handle the case where the ASF project
actually contains ASF-published encryption source code.  It is not the
case that all projects rely only on 3rd party libraries.

-Rob

> ....Roy



Re: Crypto export filings for Apache CloudStack (incubating)

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 4, 2012, at 6:57 AM, Rob Weir wrote:
> I think it is more complicated than this.

I know you think that, but you don't have the advantage that I have
of having already done the review (twice) and knowledge of the
advice given to the ASF by an actual BIS regulator.  So, when I tell
you that the only reason we were 5D002 before is a specific reason
that is no longer in the regs, it simply doesn't matter what you
(or I) think it means, and it really makes no difference what a
FAQ (not part of the regulations) happens to say.  Cliff taught me
that much.

Either way, we need to ask.  If we get the answer we want, then
we hang up the phone.  If we don't, then we'll deal with that later.

....Roy




Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Rob Weir <ro...@apache.org>.
On Mon, Oct 1, 2012 at 8:53 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
> On Oct 1, 2012, at 4:20 PM, Sam Ruby wrote:
>> Is there a strong reason NOT to follow the current requirements?
>> Alternately: does anybody have a proposed patch to the page?
>
> My patch would be to replace the page with the below explanation
> that 5D002 no longer applies to our software.
>
>> If we have a proposed patch that is likely to get consensus here, I am
>> willing to forward it for legal review.
>
> Can we have the following reviewed?
>
>
> Begin forwarded message:
>
>> From: "Roy T. Fielding" <fi...@gbiv.com>
>> Subject: Re: Is a TSU notice needed for software using javax.crypto?
>> Date: February 3, 2012 1:41:42 PM PST
>> To: legal-discuss@apache.org
>> Reply-To: legal-discuss@apache.org
>>
>> On Feb 1, 2012, at 10:28 AM, Nick Burch wrote:
>>
>>> On Tue, 31 Jan 2012, Roy T. Fielding wrote:
>>>> Please note that the BIS requirements have changed since the last time we updated the export requirements.  AFAIK, we no longer need to send notices for merely using publicly available crypto packages.
>>>

I think it is more complicated than this.

IANAL, but I did go through the new regulations in detail for the ODF
Toolkit Podling back in February.  My analysis was posted to this list
at that time but received no comment:

http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201202.mbox/browser

As I read it something may be considered crypto even if it uses only
operating system provided or 3rd party crypto modules.  See:
http://www.bis.doc.gov/encryption/question1.htm

"If an item uses encryption functionality, whether or not the code
that performs the encryption is included with the item, then BIS
evaluates the item based on the encryption functionality it uses"

What is more interesting and useful to the ASF (IMHO) is the total
exemption for large swaths of technology based on "Note 4" of the EAR.
There are many, many details, and you can read how I worked through
it in the particular case of the ODF Toolkit, but at a high level the
critical distinction is between software that uses crypto for a
subsidiary ("supporting") function versus software that has a primary
crypto function.

-Rob

>>> You wouldn't happen to know any references for that change, would you?
>>
>> With a bit of digging ...
>>
>>  http://www.bis.doc.gov/encryption/default.htm
>>
>> and, specifically, Note 3 of
>>
>>  http://www.bis.doc.gov/encryption/ccl5pt2.pdf
>>
>> which eliminates the old way of inheriting 5D002 classification
>> just because we package a binary with OpenSSL or bouncycastle.
>>
>>> (If someone can point me at the new exemption details, then I can have a go at updating the page to reflect the changes)
>>
>> Of course, that assumes we can understand the new regs.  In the past,
>> Cliff actually confirmed our interpretations with some regulator in
>> the BIS.  I don't know if we need to do that again, or if we can just
>> proceed based on a reasonable interpretation of the regulations
>> (and assume they'll tell us otherwise if we are wrong).
>>
>> ....Roy



Re: Crypto export filings for Apache CloudStack (incubating)

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 1, 2012, at 4:20 PM, Sam Ruby wrote:
> Is there a strong reason NOT to follow the current requirements?
> Alternately: does anybody have a proposed patch to the page?

My patch would be to replace the page with the below explanation
that 5D002 no longer applies to our software.

> If we have a proposed patch that is likely to get consensus here, I am
> willing to forward it for legal review.

Can we have the following reviewed?


Begin forwarded message:

> From: "Roy T. Fielding" <fi...@gbiv.com>
> Subject: Re: Is a TSU notice needed for software using javax.crypto?
> Date: February 3, 2012 1:41:42 PM PST
> To: legal-discuss@apache.org
> Reply-To: legal-discuss@apache.org
> 
> On Feb 1, 2012, at 10:28 AM, Nick Burch wrote:
> 
>> On Tue, 31 Jan 2012, Roy T. Fielding wrote:
>>> Please note that the BIS requirements have changed since the last time we updated the export requirements.  AFAIK, we no longer need to send notices for merely using publicly available crypto packages.
>> 
>> You wouldn't happen to know any references for that change, would you?
> 
> With a bit of digging ...
> 
>  http://www.bis.doc.gov/encryption/default.htm
> 
> and, specifically, Note 3 of
> 
>  http://www.bis.doc.gov/encryption/ccl5pt2.pdf
> 
> which eliminates the old way of inheriting 5D002 classification
> just because we package a binary with OpenSSL or bouncycastle.
> 
>> (If someone can point me at the new exemption details, then I can have a go at updating the page to reflect the changes)
> 
> Of course, that assumes we can understand the new regs.  In the past,
> Cliff actually confirmed our interpretations with some regulator in
> the BIS.  I don't know if we need to do that again, or if we can just
> proceed based on a reasonable interpretation of the regulations
> (and assume they'll tell us otherwise if we are wrong).
> 
> ....Roy




Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Sam Ruby <ru...@intertwingly.net>.
On Mon, Oct 1, 2012 at 7:09 PM, Brett Porter <br...@apache.org> wrote:
> I forwarded it there a week ago as well, and at the time said that if CloudStack needed to proceed, I'd advise sticking to the current requirements of the page. I noted that the direction to consult legal-discuss was not added by a member of the legal affairs committee.
>
> I don't think there's any harm in doing so if it is not required. I believe a couple of people have said it wasn't required, but also said we should get that formalised first.

Is there a strong reason NOT to follow the current requirements?
Alternately: does anybody have a proposed patch to the page?

If we have a proposed patch that is likely to get consensus here, I am
willing to forward it for legal review.

> - Brett

- Sam Ruby

> On 02/10/2012, at 8:49 AM, Joe Brockmeier <jz...@zonker.net> wrote:
>
>> On Thu, Sep 27, 2012, at 10:43 AM, Jim Jagielski wrote:
>>> Forwarding to legal-internal
>>
>> Jim - thanks for taking that to legal-internal. Has there been any
>> response? This looks like one of the last remaining hurdles to preparing
>> a release, so we're hoping to resolve this soon.
>>
>> Thanks!
>>
>> Joe
>> --
>> Joe Brockmeier
>> jzb@zonker.net
>> Twitter: @jzb
>> http://www.dissociatedpress.net/
>
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter
> http://twitter.com/brettporter



Re: Crypto export filings for Apache CloudStack (incubating)

Posted by Brett Porter <br...@apache.org>.
I forwarded it there a week ago as well, and at the time said that if CloudStack needed to proceed, I'd advise sticking to the current requirements of the page. I noted that the direction to consult legal-discuss was not added by a member of the legal affairs committee. 

I don't think there's any harm in doing so if it is not required. I believe a couple of people have said it wasn't required, but also said we should get that formalised first. 

- Brett

On 02/10/2012, at 8:49 AM, Joe Brockmeier <jz...@zonker.net> wrote:

> On Thu, Sep 27, 2012, at 10:43 AM, Jim Jagielski wrote:
>> Forwarding to legal-internal
> 
> Jim - thanks for taking that to legal-internal. Has there been any
> response? This looks like one of the last remaining hurdles to preparing
> a release, so we're hoping to resolve this soon. 
> 
> Thanks!
> 
> Joe
> -- 
> Joe Brockmeier
> jzb@zonker.net
> Twitter: @jzb
> http://www.dissociatedpress.net/
> 

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter
