Posted to legal-discuss@apache.org by "Jerry Chen (JIRA)" <ji...@apache.org> on 2016/05/26 01:40:12 UTC

[jira] [Commented] (LEGAL-256) Commons Crypto encryption classification and registration

    [ https://issues.apache.org/jira/browse/LEGAL-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15301282#comment-15301282 ] 

Jerry Chen commented on LEGAL-256:
----------------------------------

For the items that need an encryption classification (https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification), we filtered out the unrelated ones and list the ones that may be related as follows:
a. "Cryptographic items". [740.17(b)(2)]
b. "Open Cryptographic Interface" items. [740.17(b)(2)]
c. Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs). [740.17(b)(3)]

As to the definition of "Open Cryptographic Interface" (OCI), Stian helped find the following reference definitions:

https://www.bis.doc.gov/index.php/forms-documents/doc_view/838-772

>(Open cryptographic interface - A mechanism which is designed to allow a customer or other party to insert cryptographic functionality without the intervention, help or assistance of the manufacturer or its agents (i.e., manufacturer's signing of cryptographic code or proprietary interfaces). If the cryptographic interface implements a fixed set of cryptographic algorithms, key lengths or key exchange management systems, that cannot be changed, it will not be considered an "open" cryptographic interface. All general application programming interfaces (i.e., those that accept either a cryptographic or non-cryptographic interface, but do not themselves maintain any cryptographic functionality) will not be considered "open" cryptographic interfaces either.)

Let's answer each of the above items as follows:
a. "Cryptographic items":
NO. Commons Crypto doesn't implement the cryptographic algorithms. Instead it wraps JCE or OpenSSL, and it will also not pack any JCE or OpenSSL in its dist.
It is more a use of cryptographic items and provides classes for ease of Java usage.

b. "Open Cryptographic Interface" items.
NO. From the definition of "OCI", I tend not to consider Commons Crypto an Open cryptographic interface. The algorithm and key lengths it supports are fixed.

c. Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
NO. Commons Crypto is more of a utility class library, and it is for ease of use for developers, not for operating systems and cryptographic service providers as mentioned.

So I would tend to consider Commons Crypto to be an ECCN 5D002 self-classify category. By now community folks on the mailing list agree with this, and let's see whether there are different opinions.


> Commons Crypto encryption classification and registration
> ---------------------------------------------------------
>
>                 Key: LEGAL-256
>                 URL: https://issues.apache.org/jira/browse/LEGAL-256
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Jerry Chen
>
> Based on the understanding from https://issues.apache.org/jira/browse/LEGAL-250, we can conclude that Commons Crypto is Category 5, Part 2 controlled, and so the encryption registration is needed.
> For encryption classification, we need to discuss whether it falls into the ECCN 5D002 self-classify category or whether an encryption classification request is needed.
> From the discussion on the mailing list so far, we tend to consider Commons Crypto as an ECCN 5D002 self-classify category. This JIRA tracks this legal discussion and collects more feedback, if any exists.


