You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@airavata.apache.org by Chathura Herath <ch...@gmail.com> on 2011/12/28 04:54:50 UTC

Export control issue with jce and criptix jars

Hi,

I am with the Apache Airavata incubator project and i am going through
the release checklist and I want some advice on the export control
issues related to some security jars.

We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution.

1) Will  US export control w.r.t. cryptographic algorithms will
prevent us from shipping criptix jar. I ve pasted the license
agreement in [4].
2)  Java jce jar download page explicitly mentions download will be
for US and Canada only[4]. Does this mean we will not be able to
package it but rather ask the use to manually provide the jar
location.
3) If we could simply package them as is, Will there be a special
download disclaimer that we need to add. In that case should we avoid
mirrors?

I researched usage of these jar in the history and i came across
(http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E);
though it was not clear whether the focus on export license was
resoled explicitly.

Although with some work we may be able to continue the release without
these jars in the first release, going forward we will have these jar
dependencies to interact with Grid Security Infrastructure. Any
insight/advice/suggestion is greatly appreciated.

Thanks and Happy holidays.

-- 
Chathura Herath Ph.D.
https://www.cs.indiana.edu/~cherath/
http://chathurah.blogspot.com/






[1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
[2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/

[3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation

RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
the United States or Canada, you will not be able to download this
software.

[4]Cryptix General License

Copyright (c) 1995-2005 The Cryptix Foundation Limited.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

  1. Redistributions of source code must retain the copyright notice,
     this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in
     the documentation and/or other materials provided with the
     distribution.

THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Re: Export control issue with jce and criptix jars

Posted by Suresh Marru <sm...@cs.indiana.edu>.
Hi Chathura,

I am sorry I am slacking on release more than I expected. I followed the export control procedures, and tracked progress on - https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but my opinion is we are done with required steps for Airavata as per - http://www.apache.org/dev/crypto.html and added the dependencies to - http://www.apache.org/licenses/exports/

Suresh

On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote:

> Hi,
> 
> I am with the Apache Airavata incubator project and i am going through
> the release checklist and I want some advice on the export control
> issues related to some security jars.
> 
> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution.
> 
> 1) Will  US export control w.r.t. cryptographic algorithms will
> prevent us from shipping criptix jar. I ve pasted the license
> agreement in [4].
> 2)  Java jce jar download page explicitly mentions download will be
> for US and Canada only[4]. Does this mean we will not be able to
> package it but rather ask the use to manually provide the jar
> location.
> 3) If we could simply package them as is, Will there be a special
> download disclaimer that we need to add. In that case should we avoid
> mirrors?
> 
> I researched usage of these jar in the history and i came across
> (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E);
> though it was not clear whether the focus on export license was
> resoled explicitly.
> 
> Although with some work we may be able to continue the release without
> these jars in the first release, going forward we will have these jar
> dependencies to interact with Grid Security Infrastructure. Any
> insight/advice/suggestion is greatly appreciated.
> 
> Thanks and Happy holidays.
> 
> -- 
> Chathura Herath Ph.D.
> https://www.cs.indiana.edu/~cherath/
> http://chathurah.blogspot.com/
> 
> 
> 
> 
> 
> 
> [1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
> [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/
> 
> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation
> 
> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
> the United States or Canada, you will not be able to download this
> software.
> 
> [4]Cryptix General License
> 
> Copyright (c) 1995-2005 The Cryptix Foundation Limited.
> All rights reserved.
> 
> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions are
> met:
> 
>  1. Redistributions of source code must retain the copyright notice,
>     this list of conditions and the following disclaimer.
>  2. Redistributions in binary form must reproduce the above copyright
>     notice, this list of conditions and the following disclaimer in
>     the documentation and/or other materials provided with the
>     distribution.
> 
> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.