Posted to dev@apr.apache.org by Cliff Schmidt <cl...@gmail.com> on 2006/07/05 02:11:19 UTC

Crypto FAQ

I'd like to get an FAQ together that covers the key Q&As that came up
during the ApacheCon BOF last week.  To aid my memory of the event
(wish we would have taken notes during the BOF to go straight to the
list), Bill suggested I start with a list of the Q&As that I've had
with BIS, many of which came up during the BOF.  Please jump in with
comments or questions to add.  I'll add the result of this thread to
the dev/crypto.html page shortly.

Note that none of this can be considered official BIS positions, but
most of these answers did come from an engineer in the part of
the Washington D.C. admin office that concentrates on crypto issues
(outside of this office, very few BIS folks really understand the
crypto issues).  I've also thrown in a couple questions that I've seen
come up on ASF lists that are clearly answered by the EAR.  Once we've
locked down how we want to do things and have run out of Q&As, I'll
discuss with our counsel which subset of those we want to get a formal
answer on and get that process started.  However, I'm not implying
that anything should be held up while we do this -- let's keep things
moving based on what we know now.

Finally, please note that Q&A 1&2 is something I only recently became
aware of -- we've obviously not complied with this in the past, but
there are several things we haven't done perfectly.  Let's just get it
right now and not worry about our past unintentional flaws.  Also, Q&A
7 does not say that we are required to notify BIS of any substantial
change in crypto functionality -- only when the manufacturer of the
crypto changes.  Some folks have told me they thought there was a
requirement to notify when there is a substantial change in
functionality, but I believe that no longer applies if the URL is
still correct.  I've stated this to a BIS engineer, and he couldn't
point to anything refuting my claim.


Q1.  When is the first time a notification email must be sent?
A1.  Prior to exporting.  NOTE: this even includes distribution of
code through publicly accessible servers/repositories before there has
been any official release.

Q2.  What are examples of when a crypto item is publicly accessible
through ASF servers?
A2.  The obvious example is including something like OpenSSL within a
product distribution from a /dist URL.  *The less obvious example*, is
the point at which a subversion repository starts to include code that
is specially designed to work with any other 5D002 item, whether that
item is ever to be included within a product distribution or not.  In
other words, a project should send out a notification email just
after making the decision to include code that is specially designed
to work with crypto APIs but before actually committing such code.  No
need to worry about surprise JIRA attachments with such code -- only
the event of committing the code to the ASF product repository.

Q3.  If we distribute crypto (item controlled by EAR 5D002) previously
distributed/exported by another manufacturer/company/open source
project, are we also responsible for ensuring it qualifies under the
TSU exception, including sending a notification email?
A3.  Yes.  The ASF is responsible for complying with the EAR, whether
or not the item we are exporting has been previously exported under
the TSU exception by another manufacturer.

Q4.  If the ASF distributes/exports a particular crypto item within
one product under the TSU exception, must the same item requalify for
the TSU exception when distributed in a different ASF product?
A4.  Yes.  Each product must qualify separately, which includes
sending notifications for each.

Q5.  If the ASF distributes/exports a crypto item after qualifying it
under the TSU exception, must the same product requalify for release
of future versions?
A5.  No.  As long as the email's notification URL for the source
location still (directly or indirectly) points to the applicable
source for each version's crypto item, no additional process is
required.

Q6.  Where must the email's notification URL point to?  Must it point
directly to the applicable source, or can it include a level or two of
indirection, such as pointing to a list of links to the crypto source
of all versions of all products, for instance?
A6.  The notification URL can point to a page with links to each
applicable source.  As long as it would be reasonably obvious for a
BIS official to find the appropriate source for each crypto item being
exported.  In other words, it's perfectly fine if every ASF
notification email included the exact same URL, as long as that one
URL contained info to clearly point off to the applicable source for
each crypto item of each version of each product.

Q7.  If our notification emails point to a page that is always updated
with the latest URLs for the crypto source of all versions of all
products, when do we ever need to send an additional email beyond the
initial notification email for each product?
A7.  Only when any information submitted in the original notification
is no longer true, e.g. a change in the manufacturer.

Q8.  Is there any BIS requirement to tell users and/or redistributors
of our products of the crypto within our products?
A8.  No, but it's a good idea to do so.

Q9.  When exporting a product designed to use some third-party crypto
that also includes the third-party crypto itself, does this require
two notifications or one notification with two manufacturers?
A9.  Any of the following options are fine: two emails, or one email
with two complete notifications, or one email with one notification
that distinguishes the two items with different manufacturers and
different URLs.  Note that the URLs for the two items can be identical
if the distinct source code is linked from the listed URL's web page.
However, the preference is to have one email with a complete set of
required information for each crypto item in the product.

Q10.  Is there any problem with the ultimate link to the crypto item's
source code pointing to a non-ASF web page?
A10.  Not as long as the ASF is confident that such non-ASF page is
likely to remain available for BIS inspection for the foreseeable
future.  Should this not be the case at some point, the ASF should
update the link to a location that will remain available.

Q11.  What if the object/binary code being distributed/exported was
built from the pointed source but with a particular compiler switch?
Is this okay?  Any need to explain what compiler switch was used to
get the resulting object/binary?
A11.  It is fine to use whatever compiler switches we like.  There is
no need to provide compiler switch info, as long as the pointed source
code is a superset of all the controlled source that ends up being
distributed within the object/binary file.

Q12.  Do we ever need to notify the BIS of the location of object/binary files?
A12.  No, but whether we are distributing source or object/binary, we
must always make sure a notification has been made pointing (directly
or indirectly) to the applicable source.


Cliff

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
One clarification I know we already discussed...

Cliff Schmidt wrote:
> 
> Q2.  What are examples of when a crypto item is publicly accessible
> through ASF servers?
> A2.  The obvious example is including something like OpenSSL within a
> product distribution from a /dist URL.  *The less obvious example*, is
> the point at which a subversion repository starts to include code that
> is specially designed to work with any other 5D002 item, whether that
> item is ever to be included within a product distribution or not.  In
> other words, a project should send out a notification email just
> after making the decision to include code that is specially designed
> to work with crypto APIs but before actually committing such code.  

[Break this here into Q2.1;

Q2.1.  Are public contributions of crypto items to the mailing list, jira
or bugzilla databases considered exports?

A2.1

> No need to worry about surprise JIRA attachments with such code -- only
> the event of committing the code to the ASF product repository.

... The actual poster of these attachments performed the 'export' and in
this respect, open posting and archival of bugzilla/jira/mailing list items
are considered unsolicited and unmoderated discussion.  This is markedly
distinct from a committer within the ASF posting files to the web site, the
distribution trees or source code repositories which are covered under Q2,
above.


Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Branko Čibej wrote:
> Isn't it somewhat weird that I, who am not a U.S. citizen nor resident,
> should be constrained as to what or how I can commit to an ASF
> repository by some U.S. law?

Not at all, not any more than if you worked for my company from e. eu.

You aren't encumbered.  But you can potentially cause a US company no
end of pain, including US trademark lawsuits although there may be no
trademark law in your jurisdiction.


Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
I took what David came up with and restructured the XML into something
that includes barely more than absolutely necessary, based upon the
doc that is currently posted at www.apache.org/dev/crypto.html.  I
kind of settled on this (subject to unresolved concerns on this list)
a few days ago, but I kept meaning to write up documentation for it,
but I'm now thinking (in the midst of OSCON) that I should just send
it and comment/doc it when I can, allowing anyone on this list to try
to interpret/comment on it without my docs in the mean time.

So, here's an XML doc that would generate the appropriate exports.html
web page for a hypothetical point in a few APR releases from now.
See if you can figure out what was going wrong and if it makes sense.

Cliff

<?xml version="1.0"?>
<rdf:RDF xml:lang="en"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <BISData>
      <Contact>
        <Project rdf:resource="http://apr.apache.org">
           Apache Portability Runtime</Project>
        <Name>Garrett Rooney</Name>
        <Phone>+xx-xxx-xxx-xxxx</Phone>
      </Contact>
      <Product name="apr-util">
        <Distribution versions="pre-release">
          <CryptoSrc manufacturer="Apache Software Foundation"
             rdf:resource="http://svn.apache.org/viewvc/apr/apr-util/"/>
        </Distribution>
        <Distribution versions="v1.30-current">
          <CryptoSrc manufacturer="Apache Software Foundation"
             rdf:resource="http://archive.apache.org/dist/apr/">
            <Notes>see apr-util-* links</Notes>
          </CryptoSrc>
          <CryptoSrc manufacturer="The OpenSSL Project"
             rdf:resource="http://www.openssl.org/source/openssl-0.9.8b.tar.gz"/>
        </Distribution>
        <Distribution versions="v1.28-v1.29">
          <CryptoSrc manufacturer="Apache Software Foundation"
             rdf:resource="http://archive.apache.org/dist/apr/">
            <Notes>see apr-util-* links</Notes>
          </CryptoSrc>
          <CryptoSrc manufacturer="The OpenSSL Project"
             rdf:resource="http://www.openssl.org/source/openssl-0.9.8a.tar.gz"/>
        </Distribution>
        <Distribution versions="v0.9.3-v1.27">
          <CryptoSrc manufacturer="Apache Software Foundation"
            rdf:resource="http://archive.apache.org/dist/apr/"/>
        </Distribution>
      </Product>
  </BISData>
</rdf:RDF>

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Cliff Schmidt wrote:
> Well -- it is a little confusing.  The reason for that is they don't
> provide enough labels in their notification format to answer all the
> possibly relevant info.  But here's how one BIS admin guy suggested we
> do:

wow - that shed a ton of light on things.  Thank You for the detailed
explanation!

Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/20/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >
> > No -- we were talking about the Product Name earlier in the thread,
> > not the Manufacturer.  Take a look at the first two questions in the
> > FAQ and tell me if this makes sense.  We're always Submitting these
> > things For the ASF about the Products we export that include crypto
> > that we Notify them about, built by one or more Manufacturers, which
> > may or may not include us.
> >
> > FAQ:
> > http://apache.org/dev/crypto.html#faq-productname
> > http://apache.org/dev/crypto.html#faq-manufacturer
>
> Ok, I guess this proves I'm still confused :)

Well -- it is a little confusing.  The reason for that is they don't
provide enough labels in their notification format to answer all the
possibly relevant info.  But here's how one BIS admin guy suggested we
do:

> The concept is that the
> ASF manufactures a "Product" for export from the US.

Yes - they care about the name of the Product to identify the package
that is being exported that happens to contain some sort of controlled
crypto in it.

> This is really the
> difference between an OEM and the Manufacturer.  A similar case would be
> a 802.11 card manufacturer who integrates an Intel chipset; is the BIS's
> interest in the OEM manufacturer, Intel?  Or the company who's assembled
> the chip into a card?  If you can integrate the answer to those two topics,
> Product vs. Manufacturer, maybe I'd grok this better :)

I think in your example above, the chipset would be the controlled
crypto.  So, here's how a notification would look (if it were software
and qualified for the TSU exception):

   SUBMISSION TYPE:      TSU
   SUBMITTED BY:         Fred, the Linksys guy who got suckered into
                         dealing with export reports
   SUBMITTED FOR:        Linksys, the 802.11 manufacturer
   POINT OF CONTACT:     Fred
   PHONE and/or FAX:     1-802-802-1111
   MANUFACTURER:         Intel
   PRODUCT NAME/MODEL #: WMP54G
   ECCN:                 5D002
   NOTIFICATION:         http://www.linksys.com/legal/export.html

They don't really care about the name of the crypto element inside (no
field for that), but they do care who made it (MANUFACTURER) and where
the source code is (NOTIFICATION).  They also care about who is
exporting something that contains the crypto (SUBMITTED FOR) and what
that thing being exported is called (PRODUCT).

> In the case that the OEM is needed, do we list the
>
> Manufacturer: Apache Software Foundation, OpenSSL Group
>
> as multiple manufacturers when we ship apr-util's crypto?

I also asked about this and there's no one right answer, anything that
is clear is fine.  How you've written it there is how I described it
in the email format in:
http://apache.org/dev/crypto.html#notify

but this is different than my later thought of what would be perfectly
clear, which is addressed in:
http://apache.org/dev/crypto.html#faq-twocryptos (two copies of the
entire form in the same email to more clearly associate manufacturer
with notification url)

Once I get this stuff on asylum working, the format will be generated
automatically -- so a lot of this shouldn't be as confusing -- it will
just ask a few questions and generate the HTML and email formats.
David Reid has done most of this; I just need to tweak it to match the
latest crypto.html doc.

Cliff
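The BISData RDF document Cliff posted earlier in this thread and the TSU form above describe the same facts from two sides (per-project source locations vs. the fields BIS reads). The following is an added example, not David Reid's asylum generator or any ASF code: it parses a document with that structure, rejects a CryptoSrc that lacks a manufacturer or source URL, and emits one complete form per manufacturer in the faq-twocryptos layout. The sample document, contact name and submitter are constructed; the NOTIFICATION URL is the ASF-wide exports page discussed in the thread.

```python
"""Added example (not the ASF's asylum/exports generator): parse the per-project
BISData RDF from this thread and render TSU notification forms from it."""
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RESOURCE = "{%s}resource" % RDF_NS  # ElementTree's key for the rdf:resource attribute

# Constructed sample shaped like the apr-util BISData document in the thread.
SAMPLE_RDF = """<?xml version="1.0"?>
<rdf:RDF xml:lang="en" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <BISData>
    <Contact>
      <Project rdf:resource="http://apr.apache.org">Apache Portability Runtime</Project>
      <Name>Example Contact</Name>
      <Phone>+xx-xxx-xxx-xxxx</Phone>
    </Contact>
    <Product name="apr-util">
      <Distribution versions="v1.30-current">
        <CryptoSrc manufacturer="Apache Software Foundation"
           rdf:resource="http://archive.apache.org/dist/apr/">
          <Notes>see apr-util-* links</Notes>
        </CryptoSrc>
        <CryptoSrc manufacturer="The OpenSSL Project"
           rdf:resource="http://www.openssl.org/source/openssl-0.9.8b.tar.gz"/>
      </Distribution>
    </Product>
  </BISData>
</rdf:RDF>
"""


def parse_bisdata(xml_text):
    """Return {'contact': ..., 'products': [...]}.  Rejects documents that would
    yield an unusable notification (no manufacturer or source URL on a
    CryptoSrc, a Distribution with no CryptoSrc), since BIS needs a source
    location for every controlled item that is exported."""
    root = ET.fromstring(xml_text)
    bis = root.find("BISData")
    contact = bis.find("Contact") if bis is not None else None
    if contact is None:
        raise ValueError("document needs BISData/Contact")
    data = {"contact": {"project": (contact.findtext("Project") or "").strip(),
                        "name": (contact.findtext("Name") or "").strip(),
                        "phone": (contact.findtext("Phone") or "").strip()},
            "products": []}
    for prod in bis.findall("Product"):
        name = prod.get("name")
        if not name:
            raise ValueError("Product without a name attribute")
        dists = []
        for dist in prod.findall("Distribution"):
            versions = dist.get("versions", "")
            sources = []
            for src in dist.findall("CryptoSrc"):
                manufacturer, url = src.get("manufacturer"), src.get(RESOURCE)
                if not manufacturer or not url:
                    raise ValueError("CryptoSrc in %s %s needs manufacturer and "
                                     "rdf:resource" % (name, versions))
                sources.append({"manufacturer": manufacturer, "url": url,
                                "notes": (src.findtext("Notes") or "").strip()})
            if not sources:
                raise ValueError("Distribution %s of %s lists no CryptoSrc" % (versions, name))
            dists.append({"versions": versions, "sources": sources})
        data["products"].append({"name": name, "distributions": dists})
    return data


def notification_blocks(data, product_name, versions, submitted_by, exports_url):
    """One complete TSU form per manufacturer in the chosen distribution (the
    faq-twocryptos layout): the product is always the ASF product, the
    manufacturer is whoever built each crypto item, and NOTIFICATION is the
    single ASF exports page that links on to every manufacturer's source."""
    for prod in data["products"]:
        if prod["name"] != product_name:
            continue
        for dist in prod["distributions"]:
            if dist["versions"] != versions:
                continue
            return [[("SUBMISSION TYPE", "TSU"),
                     ("SUBMITTED BY", submitted_by),
                     ("SUBMITTED FOR", "Apache Software Foundation"),
                     ("POINT OF CONTACT", data["contact"]["name"]),
                     ("PHONE and/or FAX", data["contact"]["phone"]),
                     ("MANUFACTURER", src["manufacturer"]),
                     ("PRODUCT NAME/MODEL #", "%s %s" % (product_name, versions)),
                     ("ECCN", "5D002"),
                     ("NOTIFICATION", exports_url)] for src in dist["sources"]]
    raise KeyError("no distribution %s of product %s" % (versions, product_name))


def render_email(blocks):
    """Plain-text body: the forms one after another, labels padded as on crypto.html."""
    lines = []
    for block in blocks:
        lines.extend("%-22s%s" % (label + ":", value) for label, value in block)
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"
```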

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Cliff Schmidt wrote:
> 
> No -- we were talking about the Product Name earlier in the thread,
> not the Manufacturer.  Take a look at the first two questions in the
> FAQ and tell me if this makes sense.  We're always Submitting these
> things For the ASF about the Products we export that include crypto
> that we Notify them about, built by one or more Manufacturers, which
> may or may not include us.
> 
> FAQ:
> http://apache.org/dev/crypto.html#faq-productname
> http://apache.org/dev/crypto.html#faq-manufacturer

Ok, I guess this proves I'm still confused :)  The concept is that the
ASF manufactures a "Product" for export from the US.  This is really the
difference between an OEM and the Manufacturer.  A similar case would be
a 802.11 card manufacturer who integrates an Intel chipset; is the BIS's
interest in the OEM manufacturer, Intel?  Or the company who's assembled
the chip into a card?  If you can integrate the answer to those two topics,
Product vs. Manufacturer, maybe I'd grok this better :)

In the case that the OEM is needed, do we list the

Manufacturer: Apache Software Foundation, OpenSSL Group

as multiple manufacturers when we ship apr-util's crypto?




Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/18/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> One nit... we just had a long discussion about 'who's the manufacturer,
> do we report the "APR-util Library" product or "OpenSSL" separately.
> One thing that leads to the confusion is the example...
>
> MANUFACTURER:         {list of origin of all crypto code, e.g.
>                        "OpenSSL Project" or "Apache Software Foundation."
>                        If product includes multiple crypto items from
>                        different origins, list all origins.}
>
> For ASF notifications, shouldn't the 'example' simply be ASF?

No -- we were talking about the Product Name earlier in the thread,
not the Manufacturer.  Take a look at the first two questions in the
FAQ and tell me if this makes sense.  We're always Submitting these
things For the ASF about the Products we export that include crypto
that we Notify them about, built by one or more Manufacturers, which
may or may not include us.

FAQ:
http://apache.org/dev/crypto.html#faq-productname
http://apache.org/dev/crypto.html#faq-manufacturer

Cliff

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Cliff Schmidt wrote:
> I've just done a major update to the crypto docs page.  Take a look
> and tell me what problems you see: http://apache.org/dev/crypto.html.

VERY NICE!  Thank you!

One nit... we just had a long discussion about 'who's the manufacturer,
do we report the "APR-util Library" product or "OpenSSL" separately.
One thing that leads to the confusion is the example...

MANUFACTURER:         {list of origin of all crypto code, e.g.
                       "OpenSSL Project" or "Apache Software Foundation."
                       If product includes multiple crypto items from
                       different origins, list all origins.}

For ASF notifications, shouldn't the 'example' simply be ASF?

Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
I've just done a major update to the crypto docs page.  Take a look
and tell me what problems you see: http://apache.org/dev/crypto.html.

Here's what I changed:
 - added the FAQ that I started this thread with, slightly reworded
 - added a few additional follow-on Q&As from this thread
 - re-ordered the steps that need to be taken to make a bit more sense
 - restructured the page to look like other legal pages I've been
   working on (with a section on "purpose & intended audience",
   "overview", and "notification of updates to page")
 - referenced David Reid's work on project-specific RDF files that
   end up building an ASF-wide exports page, and changed the NOTIFICATION
   line to the single 'exports.html' page
 - added specific details about exactly what info needs to be on the
   exports page (primarily to help with designing the RDF system).
   It's a little clunky in its hierarchical presentation, but it's just
   temporary until we have a system up and running.
 - noted that ASF source URLs might include releases on
   archive.apache.org as well as code being committed in /trunk
 - added a line to the README text to refer users to http://www.wassenaar.org/

So, in parallel with dealing with whatever problems I've created with
these changes =-o , I think the last thing to do before calling this
final is to help David Reid get this RDF build system done.   I'll
focus on this tomorrow.

Cliff

Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/8/06, Colm MacCarthaigh <co...@stdlib.net> wrote:
> But more seriously; yes, it is weird that we (non-US committers) have to
> worry so much about US-export law. From the project point of view, it's
> something we have to be a bit wary of, because it tends to create
> incompatible forks.

Incidentally, the EU also has very similar restrictions on the very
same crypto, primarily driven from the Wassenaar Arrangement, which
covers many other nations as well (see
http://www.wassenaar.org/participants/).

> There are already people building apr and httpd binaries for
> distribution which are incompatible with our own because of this. So
> we should keep our eyes open :-)
>
> It's one of the few negatives of being an ASF hosted project, and we
> should work hard to minimise its real-world impact. Based on what I
> heard at the BoF, I see no reason why anyone should really care about
> any of this, it's a total non-problem and compliance is relatively
> trivial.

I agree.  We've cumulatively already spent far more work on this issue
than I expect committers to have to spend from this point onward.  The
hard part was figuring out exactly what we had to do and how to make
it as easy as possible for our committers.

Cliff

Re: Crypto FAQ

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Sat, Jul 08, 2006 at 09:47:21AM -0400, Justin Erenkrantz wrote:
> And, no, we're not all going to move to Cuba just for this...  =)  -- justin

It's not *just* this, it's also got better weather. I mean, compared to
Delaware.

But more seriously; yes, it is weird that we (non-US committers) have to
worry so much about US-export law. From the project point of view, it's
something we have to be a bit wary of, because it tends to create
incompatible forks. 

There are already people building apr and httpd binaries for
distribution which are incompatible with our own because of this. So
we should keep our eyes open :-) 

It's one of the few negatives of being an ASF hosted project, and we
should work hard to minimise its real-world impact. Based on what I
heard at the BoF, I see no reason why anyone should really care about
any of this, it's a total non-problem and compliance is relatively
trivial.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Re: Crypto FAQ

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On 7/8/06, Branko Čibej <br...@xbc.nu> wrote:
> Isn't it somewhat weird that I, who am not a U.S. citizen nor resident,
> should be constrained as to what or how I can commit to an ASF
> repository by some U.S. law?

No.  The ASF is a US-based corporation and has a number of US-based
contributors who are bound by these export laws.

And, no, we're not all going to move to Cuba just for this...  =)  -- justin

Re: Crypto FAQ

Posted by Branko Čibej <br...@xbc.nu>.
Isn't it somewhat weird that I, who am not a U.S. citizen nor resident,
should be constrained as to what or how I can commit to an ASF
repository by some U.S. law?

-- Brane


Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Garrett Rooney wrote:
> On 7/4/06, Cliff Schmidt <cl...@gmail.com> wrote:
>> I'd like to get an FAQ together that covers the key Q&As that came up
>> during the ApacheCon BOF last week.  To aid my memory of the event
>> (wish we would have taken notes during the BOF to go straight to the
>> list), Bill suggested I start with a list of the Q&As that I've had
>> with BIS, many of which came up during the BOF.  Please jump in with
>> comments or questions to add.  I'll add the result of this thread to
>> the dev/crypto.html page shortly.
> 
> Note that this is great stuff, and I think I sort of understand what
> is being discussed, but for those of us who haven't done ANY sort of
> research into this stuff, it probably makes sense to start with some
> sort of summary of what rules we're trying to follow, who makes those
> rules, what the various acronyms stand for, that sort of thing.  For
> example, you start off throwing about terms like BIS, TSU, etc, but
> never actually define them.
> 
> I mean I get the general idea here (we need to notify some government
> agency before we start distributing crypto code), but it'd be good to
> get the actual specifics someplace we can expect people to read,
> before diving into the FAQ.

Absolutely.  I'm picturing;

   http://www.apache.org/dev/crypto.html
     \--> http://www.apache.org/dev/cryptoFAQ.html

or some structure like that

> Also, another question I've got is who the point of contact on the
> notification email should be.  Is that the PMC chair?  And where does
> this email get sent to anyway?

The contact is the PMC chair (nominally, the most stable individual in
the project.  Practically, the one who has the authority to speak for the
foundation as opposed to speaking for themselves.)

> -garrett (who has not been spending nearly as much time as he should
> following this thread, and is hoping that Cliff will rescue him with a
> nice "you need to do this, this, and this to keep us from breaking the
> law" kind of recipe soon ;-)

it's in the first hyperlink I mentioned above, but that page is still
improving / under construction :)


Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/6/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >>
> >> -garrett (who has not been spending nearly as much time as he should
> >> following this thread, and is hoping that Cliff will rescue him with a
> >> nice "you need to do this, this, and this to keep us from breaking the
> >> law" kind of recipe soon ;-)
> >
> > fair enough -- however, could you tell me if these comments come after
> > having read http://apache.org/dev/crypto.html?  I was kind of hoping
> > that page comes close to providing the background and list of what
> > steps must be taken.
>
> As you notice from the OpenSSL question, Cliff, there are two strong
> positions.  One Says we notify BIS of our export of the "OpenSSL Product"
> under various circumstances.  The Other Says we would only do that if we
> offer a product called "OpenSSL", and if we distribute a binary including
> or linking to OpenSSL, it's a dependency and we just notify the BIS of the
> "APR-util Library Product".

The latter (the "Other") position is more correct.  Here's a few
guidelines that might help:

- The product is the name of the thing we (the ASF, as the notifier)
are distributing/exporting.
- The manufacturer is the name of the individual/organization that
built the crypto item included in the product.
- The source code *notification* URL (whether directly in the email or
indirectly through an intermediate web page) should point to the
source code for the crypto item built by the listed *manufacturer*
that is distributed within the ASF *product*.
- If the *product* includes more than one crypto item, such as a
third-party item included within the product, in addition to original
code manufactured by the same distributor/notifier, either the email
or the web page that the email points to should list source locations
associated with each manufacturer-specific crypto item in that
product.

Would it be helpful if I copied the above guidelines into the crypto.html page?

Also, how about I modify the form listed in
http://apache.org/dev/crypto.html#notify as follows:

----
"   MANUFACTURER:         {list of all origins of crypto code, e.g.
OpenSSL Project or Apache Software Foundation.  If product includes
multiple crypto items from different origins, list all origins}"

&

"   NOTIFICATION:         http://www.apache.org/legal/export.html

This page must list all applicable pairings of manufacturer & source
code URL for the product that is the subject of the notification
email."

----

I didn't follow what all the ideas were for the ASF-wide URL, but the
one above is what I was thinking (taking into account Roy's suggestion
for it to be export.html instead of crypto.html).  And, of course, now
the last thing we need to do is build the format for the page, based
on David Reid's ideas for the projects.a.o file.

Cliff

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Cliff Schmidt wrote:
>>
>> -garrett (who has not been spending nearly as much time as he should
>> following this thread, and is hoping that Cliff will rescue him with a
>> nice "you need to do this, this, and this to keep us from breaking the
>> law" kind of recipe soon ;-)
> 
> fair enough -- however, could you tell me if these comments come after
> having read http://apache.org/dev/crypto.html?  I was kind of hoping
> that page comes close to providing the background and list of what
> steps must be taken.

As you notice from the OpenSSL question, Cliff, there are two strong
positions.  One Says we notify BIS of our export of the "OpenSSL Product"
under various circumstances.  The Other Says we would only do that if we
offer a product called "OpenSSL", and if we distribute a binary including
or linking to OpenSSL, it's a dependency and we just notify the BIS of the
"APR-util Library Product".

You are in the thread to help explain this to us all :)

Bill


Re: Crypto FAQ

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 7/6/06, Cliff Schmidt <cl...@gmail.com> wrote:
> On 7/5/06, Garrett Rooney <ro...@electricjellyfish.net> wrote:
> > I mean I get the general idea here (we need to notify some government
> > agency before we start distributing crypto code), but it'd be good to
> > get the actual specifics someplace we can expect people to read,
> > before diving into the FAQ.
> >
> > Also, another question I've got is who the point of contact on the
> > notification email should be.  Is that the PMC chair?  And where does
> > this email get sent to anyway?
> >
> > -garrett (who has not been spending nearly as much time as he should
> > following this thread, and is hoping that Cliff will rescue him with a
> > nice "you need to do this, this, and this to keep us from breaking the
> > law" kind of recipe soon ;-)
>
> fair enough -- however, could you tell me if these comments come after
> having read http://apache.org/dev/crypto.html?  I was kind of hoping
> that page comes close to providing the background and list of what
> steps must be taken.  I guess I think a rev of the current
> crypto.html page + a rev of this FAQ should be very close to the
> needed docs.  Agree?

That clarified things quite nicely, I somehow missed that page...

FWIW, I suggest putting the FAQ right at the bottom of that page, so
it's impossible to get the whole picture.

-garrett

Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/6/06, Cliff Schmidt <cl...@gmail.com> wrote:
> On 7/6/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> > If you say any/either, I suggest rolling in OpenSSL source notification
> > into the APR source notification (one notice, once, links at /crypto.html
> > or whatever) is a low-maintenance, low-headache, simplest path.
>
> Not sure if this is exactly what you are talking about, but take

Never mind -- re-reading it, I see that your statement was not
applicable since I did answer each question with exactly one choice.
See the other response I sent where I provide some guidelines and a
modification to the email form template at crypto.html for what I was
trying to get across.

Cliff

Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/6/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >
> > fair enough -- however, could you tell me if these comments come after
> > having read http://apache.org/dev/crypto.html?  I was kind of hoping
> > that page comes close to providing the background and list of what
> > steps must be taken.  I guess I think a rev of the current
> > crypto.html page + a rev of this FAQ should be very close to the
> > needed docs.  Agree?
>
> Cliff; we need one ABSOLUTE STATEMENT out of you :-)
>
> "APR Project, if you ship an APR binary that includes libssl/libcrypto,
> you must:"
>
>     a. " produce an 'OpenSSL Product notification' separately"
> or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
>          'APR-util Product' "

definitely b

> If you don't ship OpenSSL but provide the bindings to it, you must
>
>     a. " produce an 'OpenSSL Product notification' separately as it's implied"
> or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
>          'APR-util Product' as it's implied"
> or c. " do nothing w.r.t. OpenSSL's source code."

definitely c

(of course, you'll have to point to APR-util source since it is crypto
due to its bindings to OpenSSL).

> Help?

I think the above answers are consistent with FAQ Q&A 9,10 -- however,
I think your questions above require an explicit Q&A for these two
situations.  The product is always the Apache product.  The
manufacturer is either the ASF or wherever the third-party crypto
comes from; in cases where the ASF product includes code from one or
more other manufacturers, there will likely be a need for more than
one notice for the same product.

> If you say any/either, I suggest rolling in OpenSSL source notification
> into the APR source notification (one notice, once, links at /crypto.html
> or whatever) is a low-maintenance, low-headache, simplest path.

Not sure if this is exactly what you are talking about, but take
another look at Q&A 9.  I should probably revise A9 since it gives too
many options and just list what I mention is the preferred option:
"However, the preference is to have one email with a complete set of
required information for each crypto item in the product."  Anyone
prefer one of the other options?

Cliff

Re: Crypto FAQ

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Cliff Schmidt wrote:
> 
> fair enough -- however, could you tell me if these comments come after
> having read http://apache.org/dev/crypto.html?  I was kind of hoping
> that page comes close to providing the background and list of what
> steps must be taken.  I guess I think a rev of the current
> crypto.html page + a rev of this FAQ should be very close to the
> needed docs.  Agree?

Cliff; we need one ABSOLUTE STATEMENT out of you :-)

"APR Project, if you ship an APR binary that includes libssl/libcrypto,
you must:"

    a. " produce an 'OpenSSL Product notification' separately"
or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
         'APR-util Product' "

If you don't ship OpenSSL but provide the bindings to it, you must

    a. " produce an 'OpenSSL Product notification' separately as it's implied"
or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
         'APR-util Product' as it's implied"
or c. " do nothing w.r.t. OpenSSL's source code."

Help?

If you say any/either, I suggest rolling in OpenSSL source notification
into the APR source notification (one notice, once, links at /crypto.html
or whatever) is a low-maintenance, low-headache, simplest path.

Bill


Re: Crypto FAQ

Posted by Cliff Schmidt <cl...@gmail.com>.
On 7/5/06, Garrett Rooney <ro...@electricjellyfish.net> wrote:
> I mean I get the general idea here (we need to notify some government
> agency before we start distributing crypto code), but it'd be good to
> get the actual specifics someplace we can expect people to read,
> before diving into the FAQ.
>
> Also, another question I've got is who the point of contact on the
> notification email should be.  Is that the PMC chair?  And where does
> this email get sent to anyway?
>
> -garrett (who has not been spending nearly as much time as he should
> following this thread, and is hoping that Cliff will rescue him with a
> nice "you need to do this, this, and this to keep us from breaking the
> law" kind of recipe soon ;-)

fair enough -- however, could you tell me if these comments come after
having read http://apache.org/dev/crypto.html?  I was kind of hoping
that page comes close to providing the background and list of what
steps must be taken.  I guess I think a rev of the current
crypto.html page + a rev of this FAQ should be very close to the
needed docs.  Agree?

Cliff

Re: Crypto FAQ

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 7/4/06, Cliff Schmidt <cl...@gmail.com> wrote:
> I'd like to get an FAQ together that covers the key Q&As that came up
> during the ApacheCon BOF last week.  To aid my memory of the event
> (wish we would have taken notes during the BOF to go straight to the
> list), Bill suggested I start with a list of the Q&As that I've had
> with BIS, many of which came up during the BOF.  Please jump in with
> comments or questions to add.  I'll add the result of this thread to
> the dev/crypto.html page shortly.

Note that this is great stuff, and I think I sort of understand what
is being discussed, but for those of us who haven't done ANY sort of
research into this stuff, it probably makes sense to start with some
sort of summary of what rules we're trying to follow, who makes those
rules, what the various acronyms stand for, that sort of thing.  For
example, you start off throwing about terms like BIS, TSU, etc, but
never actually define them.

I mean I get the general idea here (we need to notify some government
agency before we start distributing crypto code), but it'd be good to
get the actual specifics someplace we can expect people to read,
before diving into the FAQ.

Also, another question I've got is who the point of contact on the
notification email should be.  Is that the PMC chair?  And where does
this email get sent to anyway?

-garrett (who has not been spending nearly as much time as he should
following this thread, and is hoping that Cliff will rescue him with a
nice "you need to do this, this, and this to keep us from breaking the
law" kind of recipe soon ;-)