Fwd: Is a TSU notice needed for software using javax.crypto?

[Pid * <pi...@pidster.com>]

FYI


Begin forwarded message:

*From:* "Roy T. Fielding" <fi...@gbiv.com>
*Date:* 3 February 2012 21:41:42 GMT
*To:* legal-discuss@apache.org
*Subject:* *Re: Is a TSU notice needed for software using javax.crypto?*
*Reply-To:* legal-discuss@apache.org

On Feb 1, 2012, at 10:28 AM, Nick Burch wrote:

On Tue, 31 Jan 2012, Roy T. Fielding wrote:

Please note that the BIS requirements have changed since the last time we
updated the export requirements.  AFAIK, we no longer need to send notices
for merely using publicly available crypto packages.


You wouldn't happen to know any references for that change, would you?


With a bit of digging ...

 http://www.bis.doc.gov/encryption/default.htm

and, specifically, Note 3 of

 http://www.bis.doc.gov/encryption/ccl5pt2.pdf

which eliminates the old way of inheriting 5D002 classification
just because we package a binary with OpenSSL or bouncycastle.

(If someone can point me at the new exemption details, then I can have a go
at updating the page to reflect the changes)


Of course, that assumes we can understand the new regs.  In the past,
Cliff actually confirmed our interpretations with some regulator in
the BIS.  I don't know if we need to do that again, or if we can just
proceed based on a reasonable interpretation of the regulations
(and assume they'll tell us otherwise if we are wrong).

....Roy


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org