You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by Stian Soiland-Reyes <st...@apache.org> on 2016/05/04 12:35:03 UTC
US Export classification & ECCN registration for encryption in commons?
Hi,
Sorry for spotting this..
Apache Commons Crypto is not listed on
http://www.apache.org/licenses/exports/ - does it need to be? (One
would assume so..)
Also it was raised that Commons VFS depends on Bouncy Castle/Apache
Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
perhaps that also needs to be listed and registered?
We only have listed:
Commons Compress
Commons OpenPGP
See guidance on
http://www.apache.org/dev/crypto.html
BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
see if merely using a listed source as a Maven <dependency> means you
also are classified - or if you would need to also bundle the
dependency's binary (which I think we don't do).
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by sebb <se...@gmail.com>.
On 4 May 2016 at 13:35, Stian Soiland-Reyes <st...@apache.org> wrote:
> Hi,
>
> Sorry for spotting this..
>
>
> Apache Commons Crypto is not listed on
> http://www.apache.org/licenses/exports/ - does it need to be? (One
> would assume so..)
>
> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
> perhaps that also needs to be listed and registered?
>
>
> We only have listed:
>
> Commons Compress
> Commons OpenPGP
>
>
> See guidance on
> http://www.apache.org/dev/crypto.html
>
>
> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
> see if merely using a listed source as a Maven <dependency> means you
> also are classified - or if you would need to also bundle the
> dependency's binary (which I think we don't do).
It does not matter if the dependency is bundled or not.
The page says:
" ASF product distributions that contain or are "specially designed"
to use cryptography."
AFAIK:
Compress contains some decryption
OpenPGP is "specially designed" to use cryptography.
I assume the same is true of Crypto.
But note that the rules changed in 2010; the page has yet to be updated.
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Thanks Benedikt and Stian for the instructions!
Will do that.
Regards,
Haifeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Saturday, June 4, 2016 6:52 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
If you are ready to do the Crypto release now, then let's just prepare that ECCN registration email for Commons Crypto alone, no need to wait.
We should send it before we post a Release Candidate of Crypto (In theory before we submit the code to git! ;-/). I'll send it now.
On 4 Jun 2016 11:35 a.m., "Benedikt Ritter" <br...@apache.org> wrote:
> Chen, Haifeng <ha...@intel.com> schrieb am Fr., 3. Juni 2016 um
> 08:20 Uhr:
>
> > Thanks Stian, Dapeng and folks!
> >
> > For Commons Crypto, do we still have to wait for other process to
> > finish or we now can go forward with the first release process?
> >
>
> I don't see any other blockers.
>
> Benedikt
>
>
> >
> > Regards,
> > Haifeng
> >
> > -----Original Message-----
> > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > Sent: Thursday, June 2, 2016 10:36 PM
> > To: Commons Developers List <de...@commons.apache.org>
> > Subject: Re: US Export classification & ECCN registration for
> > encryption in commons?
> >
> > Thanks! It's already on https://www.apache.org/licenses/exports/
> >
> > I've added to the Commons Crypto README:
> >
> > https://github.com/apache/commons-crypto#export-restrictions
> >
> > (if changing, modify this text in pom.xml <description> and
> > regenerate
> > README.md)
> >
> >
> > Shall I add VFS2 as well? Then Gary can send a joint notification
> message.
> >
> >
> >
> >
> > On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> > > Thank Stian for your review!
> > >
> > >>We also need a second <Version> for the (future) source/binary
> > distributions with ControlledSource href=
> > https://www.apache.org/dist/commons/crypto/ - you would need to
> duplicate
> > the OpenSSL and JavaSE <ControlledSource> for that. See other
> > examples in the XML file.
> > > Thank you for pointing it out, we should add it.
> > >
> > >> is it 1.0.0 we're targeting for the first Commons Crypto release?
> > > Yes, 1.0.0 would be the first release.
> > >
> > > I have updated the staging website.
> > > http://www.staging.apache.org/licenses/exports/index.html
> > >
> > >
> > > Regards
> > > Dapeng
> > >
> > > -----Original Message-----
> > > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > > Sent: Tuesday, May 31, 2016 6:45 PM
> > > To: Commons Developers List
> > > Subject: Re: US Export classification & ECCN registration for
> encryption
> > in commons?
> > >
> > > Thanks! Looks good.
> > >
> > > We also need a second <Version> for the (future) source/binary
> > distributions with ControlledSource href=
> > https://www.apache.org/dist/commons/crypto/ - you would need to
> duplicate
> > the OpenSSL and JavaSE <ControlledSource> for that. See other
> > examples in the XML file.
> > >
> > > In the second Version you can say <Names>1.0.0 and later</Names> -
> > > is
> it
> > 1.0.0 we're targeting for the first Commons Crypto release?
> > >
> > > On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> > >> Thank Stian and Haifeng, I have updated the file at my cms workspace.
> > >> If the change is okay for you, I will try to commit it to
> > >> http://www.staging.apache.org/licenses/exports/
> > >>
> > >> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > >> =================================================================
> > >> ==
> > >> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > (revision 1655892)
> > >> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > (working copy)
> > >> @@ -212,6 +212,25 @@
> > >> </Version>
> > >> </Product>
> > >> <Product>
> > >> + <Name>Apache Commons Crypto</Name>
> > >> + <Version>
> > >> + <Names>development</Names>
> > >> + <ECCN>5D002</ECCN>
> > >> + <ControlledSource href="
> > https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> > >> + <Manufacturer>ASF</Manufacturer>
> > >> + <Why>designed for use with encryption library</Why>
> > >> + </ControlledSource>
> > >> + <ControlledSource href="http://www.openssl.org/source/">
> > >> + <Manufacturer>The OpenSSL Project</Manufacturer>
> > >> + <Why>general-purpose cryptography library included with
> > OpenSSL</Why>
> > >> + </ControlledSource>
> > >> + <ControlledSource href="
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> > >> + <Manufacturer>Oracle</Manufacturer>
> > >> + <Why>general-purpose cryptography library (JCE) included
> > >> + with
> > Java</Why>
> > >> + </ControlledSource>
> > >> + </Version>
> > >> + </Product>
> > >> + <Product>
> > >> <Name>Apache Commons OpenPGP</Name>
> > >> <Version>
> > >> <Names>development</Names>
> > >>
> > >>
> > >> Regards
> > >> Dapeng
> > >>
> > >> -----Original Message-----
> > >> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > >> Sent: Monday, May 30, 2016 5:20 PM
> > >> To: Commons Developers List
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> I think we are good to continue as a "normal" 5D002
> self-classification.
> > >>
> > >> Great if you will have a go, let me know if you would like me to
> > >> help
> > or review!
> > >>
> > >> See http://www.apache.org/dev/crypto.html#sources for svn
> > >> details, linking to
> > >> https://svn.apache.org/repos/asf/infrastructure/site/trunk/conten
> > >> t/li c enses/exports/index.page/eccnmatrix.xml
> > >>
> > >> I found just being a committer was enough to update the svn,
> > >> after which it should be live on
> > >> http://www.staging.apache.org/licenses/exports/
> > >>
> > >> If that works fine, then any ASF member can publish it using
> > >> https://cms.apache.org/ for the main website (it can be a bit
> > >> slow)
> > >>
> > >> Normally it is the PMC Chair that sends the registration email
> > >> after
> > that.
> > >> On 30 May 2016 8:09 a.m., "Chen, Haifeng"
> > >> <ha...@intel.com>
> > wrote:
> > >>
> > >> Hi Stian,
> > >> If we decide to go ECCN 5D002 self-classify category, do you have
> > >> an
> > idea that what I can proceed next?
> > >>
> > >> I saw you updated eccnmatrix.xml file for Taverna. Would you
> > >> please
> > help share where is the place of the file and who has the privilege
> > to
> make
> > an similar update for Commons Crypto?
> > >>
> > >> Thanks for your help.
> > >>
> > >> Haifeng
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> > >> Sent: Thursday, May 26, 2016 9:42 AM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> https://issues.apache.org/jira/browse/LEGAL-256 is created and
> > commented to track this.
> > >>
> > >> If we think this analysis makes sense, we will choose to go ECCN
> > >> 5D002
> > self-classify category. Will wait for a few days for feedbacks.
> > >>
> > >> Regards,
> > >> Haifeng
> > >>
> > >> -----Original Message-----
> > >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> > >> Sent: Tuesday, May 24, 2016 3:57 PM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> Thanks Stian and Benedikt!
> > >>
> > >>> Let's create a Jira issue to track the categorisation process.
> > >> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to
> > >> track
> > this?
> > >>
> > >>
> > >> Regards,
> > >> Haifeng
> > >>
> > >> -----Original Message-----
> > >> From: Benedikt Ritter [mailto:britter@apache.org]
> > >> Sent: Monday, May 23, 2016 3:36 PM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: Re: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai
> > >> 2016 um
> > >> 09:34 Uhr:
> > >>
> > >>> On 23 May 2016 3:42 a.m., "Chen, Haifeng"
> > >>> <ha...@intel.com>
> > wrote:
> > >>> >
> > >>> > So how about we go to the process of ECCN 5D002 self-classify
> > >>> > category
> > >>> and registration like Taverna did?
> > >>>
> > >>> Agree on your evaluation, so ECCN 5D002 is good. This makes
> > >>> things a lot easier! :)
> > >>>
> > >>> Let's create a Jira issue to track the categorisation process.
> > >>>
> > >>
> > >> +1! good work everybody.
> > >>
> > >> -----------------------------------------------------------------
> > >> ---- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >>
> > >> -----------------------------------------------------------------
> > >> ---- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >>
> > >> -----------------------------------------------------------------
> > >> ---- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >
> > >
> > >
> > > --
> > > Stian Soiland-Reyes
> > > Apache Taverna (incubating), Apache Commons
> > > http://orcid.org/0000-0001-9842-9718
> > >
> > > ------------------------------------------------------------------
> > > --- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > > For additional commands, e-mail: dev-help@commons.apache.org
> > >
> >
> >
> >
> > --
> > Stian Soiland-Reyes
> > Apache Taverna (incubating), Apache Commons
> > http://orcid.org/0000-0001-9842-9718
> >
> > --------------------------------------------------------------------
> > - To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
> > --------------------------------------------------------------------
> > - To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
If you are ready to do the Crypto release now, then let's just prepare that
ECCN registration email for Commons Crypto alone, no need to wait.
We should send it before we post a Release Candidate of Crypto (In theory
before we submit the code to git! ;-/). I'll send it now.
On 4 Jun 2016 11:35 a.m., "Benedikt Ritter" <br...@apache.org> wrote:
> Chen, Haifeng <ha...@intel.com> schrieb am Fr., 3. Juni 2016 um
> 08:20 Uhr:
>
> > Thanks Stian, Dapeng and folks!
> >
> > For Commons Crypto, do we still have to wait for other process to finish
> > or we now can go forward with the first release process?
> >
>
> I don't see any other blockers.
>
> Benedikt
>
>
> >
> > Regards,
> > Haifeng
> >
> > -----Original Message-----
> > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > Sent: Thursday, June 2, 2016 10:36 PM
> > To: Commons Developers List <de...@commons.apache.org>
> > Subject: Re: US Export classification & ECCN registration for encryption
> > in commons?
> >
> > Thanks! It's already on https://www.apache.org/licenses/exports/
> >
> > I've added to the Commons Crypto README:
> >
> > https://github.com/apache/commons-crypto#export-restrictions
> >
> > (if changing, modify this text in pom.xml <description> and regenerate
> > README.md)
> >
> >
> > Shall I add VFS2 as well? Then Gary can send a joint notification
> message.
> >
> >
> >
> >
> > On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> > > Thank Stian for your review!
> > >
> > >>We also need a second <Version> for the (future) source/binary
> > distributions with ControlledSource href=
> > https://www.apache.org/dist/commons/crypto/ - you would need to
> duplicate
> > the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> > the XML file.
> > > Thank you for pointing it out, we should add it.
> > >
> > >> is it 1.0.0 we're targeting for the first Commons Crypto release?
> > > Yes, 1.0.0 would be the first release.
> > >
> > > I have updated the staging website.
> > > http://www.staging.apache.org/licenses/exports/index.html
> > >
> > >
> > > Regards
> > > Dapeng
> > >
> > > -----Original Message-----
> > > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > > Sent: Tuesday, May 31, 2016 6:45 PM
> > > To: Commons Developers List
> > > Subject: Re: US Export classification & ECCN registration for
> encryption
> > in commons?
> > >
> > > Thanks! Looks good.
> > >
> > > We also need a second <Version> for the (future) source/binary
> > distributions with ControlledSource href=
> > https://www.apache.org/dist/commons/crypto/ - you would need to
> duplicate
> > the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> > the XML file.
> > >
> > > In the second Version you can say <Names>1.0.0 and later</Names> - is
> it
> > 1.0.0 we're targeting for the first Commons Crypto release?
> > >
> > > On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> > >> Thank Stian and Haifeng, I have updated the file at my cms workspace.
> > >> If the change is okay for you, I will try to commit it to
> > >> http://www.staging.apache.org/licenses/exports/
> > >>
> > >> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > >> ===================================================================
> > >> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > (revision 1655892)
> > >> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml
> > (working copy)
> > >> @@ -212,6 +212,25 @@
> > >> </Version>
> > >> </Product>
> > >> <Product>
> > >> + <Name>Apache Commons Crypto</Name>
> > >> + <Version>
> > >> + <Names>development</Names>
> > >> + <ECCN>5D002</ECCN>
> > >> + <ControlledSource href="
> > https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> > >> + <Manufacturer>ASF</Manufacturer>
> > >> + <Why>designed for use with encryption library</Why>
> > >> + </ControlledSource>
> > >> + <ControlledSource href="http://www.openssl.org/source/">
> > >> + <Manufacturer>The OpenSSL Project</Manufacturer>
> > >> + <Why>general-purpose cryptography library included with
> > OpenSSL</Why>
> > >> + </ControlledSource>
> > >> + <ControlledSource href="
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> > >> + <Manufacturer>Oracle</Manufacturer>
> > >> + <Why>general-purpose cryptography library (JCE) included with
> > Java</Why>
> > >> + </ControlledSource>
> > >> + </Version>
> > >> + </Product>
> > >> + <Product>
> > >> <Name>Apache Commons OpenPGP</Name>
> > >> <Version>
> > >> <Names>development</Names>
> > >>
> > >>
> > >> Regards
> > >> Dapeng
> > >>
> > >> -----Original Message-----
> > >> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > >> Sent: Monday, May 30, 2016 5:20 PM
> > >> To: Commons Developers List
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> I think we are good to continue as a "normal" 5D002
> self-classification.
> > >>
> > >> Great if you will have a go, let me know if you would like me to help
> > or review!
> > >>
> > >> See http://www.apache.org/dev/crypto.html#sources for svn details,
> > >> linking to
> > >> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/li
> > >> c enses/exports/index.page/eccnmatrix.xml
> > >>
> > >> I found just being a committer was enough to update the svn, after
> > >> which it should be live on
> > >> http://www.staging.apache.org/licenses/exports/
> > >>
> > >> If that works fine, then any ASF member can publish it using
> > >> https://cms.apache.org/ for the main website (it can be a bit slow)
> > >>
> > >> Normally it is the PMC Chair that sends the registration email after
> > that.
> > >> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com>
> > wrote:
> > >>
> > >> Hi Stian,
> > >> If we decide to go ECCN 5D002 self-classify category, do you have an
> > idea that what I can proceed next?
> > >>
> > >> I saw you updated eccnmatrix.xml file for Taverna. Would you please
> > help share where is the place of the file and who has the privilege to
> make
> > an similar update for Commons Crypto?
> > >>
> > >> Thanks for your help.
> > >>
> > >> Haifeng
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> > >> Sent: Thursday, May 26, 2016 9:42 AM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> https://issues.apache.org/jira/browse/LEGAL-256 is created and
> > commented to track this.
> > >>
> > >> If we think this analysis makes sense, we will choose to go ECCN 5D002
> > self-classify category. Will wait for a few days for feedbacks.
> > >>
> > >> Regards,
> > >> Haifeng
> > >>
> > >> -----Original Message-----
> > >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> > >> Sent: Tuesday, May 24, 2016 3:57 PM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: RE: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> Thanks Stian and Benedikt!
> > >>
> > >>> Let's create a Jira issue to track the categorisation process.
> > >> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track
> > this?
> > >>
> > >>
> > >> Regards,
> > >> Haifeng
> > >>
> > >> -----Original Message-----
> > >> From: Benedikt Ritter [mailto:britter@apache.org]
> > >> Sent: Monday, May 23, 2016 3:36 PM
> > >> To: Commons Developers List <de...@commons.apache.org>
> > >> Subject: Re: US Export classification & ECCN registration for
> > encryption in commons?
> > >>
> > >> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016
> > >> um
> > >> 09:34 Uhr:
> > >>
> > >>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com>
> > wrote:
> > >>> >
> > >>> > So how about we go to the process of ECCN 5D002 self-classify
> > >>> > category
> > >>> and registration like Taverna did?
> > >>>
> > >>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> > >>> lot easier! :)
> > >>>
> > >>> Let's create a Jira issue to track the categorisation process.
> > >>>
> > >>
> > >> +1! good work everybody.
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > >> For additional commands, e-mail: dev-help@commons.apache.org
> > >
> > >
> > >
> > > --
> > > Stian Soiland-Reyes
> > > Apache Taverna (incubating), Apache Commons
> > > http://orcid.org/0000-0001-9842-9718
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > > For additional commands, e-mail: dev-help@commons.apache.org
> > >
> >
> >
> >
> > --
> > Stian Soiland-Reyes
> > Apache Taverna (incubating), Apache Commons
> > http://orcid.org/0000-0001-9842-9718
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Benedikt Ritter <br...@apache.org>.
Chen, Haifeng <ha...@intel.com> schrieb am Fr., 3. Juni 2016 um
08:20 Uhr:
> Thanks Stian, Dapeng and folks!
>
> For Commons Crypto, do we still have to wait for other process to finish
> or we now can go forward with the first release process?
>
I don't see any other blockers.
Benedikt
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Thursday, June 2, 2016 10:36 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption
> in commons?
>
> Thanks! It's already on https://www.apache.org/licenses/exports/
>
> I've added to the Commons Crypto README:
>
> https://github.com/apache/commons-crypto#export-restrictions
>
> (if changing, modify this text in pom.xml <description> and regenerate
> README.md)
>
>
> Shall I add VFS2 as well? Then Gary can send a joint notification message.
>
>
>
>
> On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> > Thank Stian for your review!
> >
> >>We also need a second <Version> for the (future) source/binary
> distributions with ControlledSource href=
> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> the XML file.
> > Thank you for pointing it out, we should add it.
> >
> >> is it 1.0.0 we're targeting for the first Commons Crypto release?
> > Yes, 1.0.0 would be the first release.
> >
> > I have updated the staging website.
> > http://www.staging.apache.org/licenses/exports/index.html
> >
> >
> > Regards
> > Dapeng
> >
> > -----Original Message-----
> > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > Sent: Tuesday, May 31, 2016 6:45 PM
> > To: Commons Developers List
> > Subject: Re: US Export classification & ECCN registration for encryption
> in commons?
> >
> > Thanks! Looks good.
> >
> > We also need a second <Version> for the (future) source/binary
> distributions with ControlledSource href=
> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> the XML file.
> >
> > In the second Version you can say <Names>1.0.0 and later</Names> - is it
> 1.0.0 we're targeting for the first Commons Crypto release?
> >
> > On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> >> Thank Stian and Haifeng, I have updated the file at my cms workspace.
> >> If the change is okay for you, I will try to commit it to
> >> http://www.staging.apache.org/licenses/exports/
> >>
> >> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> >> ===================================================================
> >> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml
> (revision 1655892)
> >> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml
> (working copy)
> >> @@ -212,6 +212,25 @@
> >> </Version>
> >> </Product>
> >> <Product>
> >> + <Name>Apache Commons Crypto</Name>
> >> + <Version>
> >> + <Names>development</Names>
> >> + <ECCN>5D002</ECCN>
> >> + <ControlledSource href="
> https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> >> + <Manufacturer>ASF</Manufacturer>
> >> + <Why>designed for use with encryption library</Why>
> >> + </ControlledSource>
> >> + <ControlledSource href="http://www.openssl.org/source/">
> >> + <Manufacturer>The OpenSSL Project</Manufacturer>
> >> + <Why>general-purpose cryptography library included with
> OpenSSL</Why>
> >> + </ControlledSource>
> >> + <ControlledSource href="
> http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> >> + <Manufacturer>Oracle</Manufacturer>
> >> + <Why>general-purpose cryptography library (JCE) included with
> Java</Why>
> >> + </ControlledSource>
> >> + </Version>
> >> + </Product>
> >> + <Product>
> >> <Name>Apache Commons OpenPGP</Name>
> >> <Version>
> >> <Names>development</Names>
> >>
> >>
> >> Regards
> >> Dapeng
> >>
> >> -----Original Message-----
> >> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> >> Sent: Monday, May 30, 2016 5:20 PM
> >> To: Commons Developers List
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> I think we are good to continue as a "normal" 5D002 self-classification.
> >>
> >> Great if you will have a go, let me know if you would like me to help
> or review!
> >>
> >> See http://www.apache.org/dev/crypto.html#sources for svn details,
> >> linking to
> >> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/li
> >> c enses/exports/index.page/eccnmatrix.xml
> >>
> >> I found just being a committer was enough to update the svn, after
> >> which it should be live on
> >> http://www.staging.apache.org/licenses/exports/
> >>
> >> If that works fine, then any ASF member can publish it using
> >> https://cms.apache.org/ for the main website (it can be a bit slow)
> >>
> >> Normally it is the PMC Chair that sends the registration email after
> that.
> >> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com>
> wrote:
> >>
> >> Hi Stian,
> >> If we decide to go ECCN 5D002 self-classify category, do you have an
> idea that what I can proceed next?
> >>
> >> I saw you updated eccnmatrix.xml file for Taverna. Would you please
> help share where is the place of the file and who has the privilege to make
> an similar update for Commons Crypto?
> >>
> >> Thanks for your help.
> >>
> >> Haifeng
> >>
> >>
> >> -----Original Message-----
> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> >> Sent: Thursday, May 26, 2016 9:42 AM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> https://issues.apache.org/jira/browse/LEGAL-256 is created and
> commented to track this.
> >>
> >> If we think this analysis makes sense, we will choose to go ECCN 5D002
> self-classify category. Will wait for a few days for feedbacks.
> >>
> >> Regards,
> >> Haifeng
> >>
> >> -----Original Message-----
> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> >> Sent: Tuesday, May 24, 2016 3:57 PM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> Thanks Stian and Benedikt!
> >>
> >>> Let's create a Jira issue to track the categorisation process.
> >> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track
> this?
> >>
> >>
> >> Regards,
> >> Haifeng
> >>
> >> -----Original Message-----
> >> From: Benedikt Ritter [mailto:britter@apache.org]
> >> Sent: Monday, May 23, 2016 3:36 PM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: Re: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016
> >> um
> >> 09:34 Uhr:
> >>
> >>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com>
> wrote:
> >>> >
> >>> > So how about we go to the process of ECCN 5D002 self-classify
> >>> > category
> >>> and registration like Taverna did?
> >>>
> >>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> >>> lot easier! :)
> >>>
> >>> Let's create a Jira issue to track the categorisation process.
> >>>
> >>
> >> +1! good work everybody.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
> >
> > --
> > Stian Soiland-Reyes
> > Apache Taverna (incubating), Apache Commons
> > http://orcid.org/0000-0001-9842-9718
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Thanks Stian, Dapeng and folks!
For Commons Crypto, do we still have to wait for other process to finish or we now can go forward with the first release process?
Regards,
Haifeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Thursday, June 2, 2016 10:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Thanks! It's already on https://www.apache.org/licenses/exports/
I've added to the Commons Crypto README:
https://github.com/apache/commons-crypto#export-restrictions
(if changing, modify this text in pom.xml <description> and regenerate
README.md)
Shall I add VFS2 as well? Then Gary can send a joint notification message.
On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> Thank Stian for your review!
>
>>We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
> Thank you for pointing it out, we should add it.
>
>> is it 1.0.0 we're targeting for the first Commons Crypto release?
> Yes, 1.0.0 would be the first release.
>
> I have updated the staging website.
> http://www.staging.apache.org/licenses/exports/index.html
>
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Tuesday, May 31, 2016 6:45 PM
> To: Commons Developers List
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> Thanks! Looks good.
>
> We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
>
> In the second Version you can say <Names>1.0.0 and later</Names> - is it 1.0.0 we're targeting for the first Commons Crypto release?
>
> On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
>> Thank Stian and Haifeng, I have updated the file at my cms workspace.
>> If the change is okay for you, I will try to commit it to
>> http://www.staging.apache.org/licenses/exports/
>>
>> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
>> ===================================================================
>> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml (revision 1655892)
>> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml (working copy)
>> @@ -212,6 +212,25 @@
>> </Version>
>> </Product>
>> <Product>
>> + <Name>Apache Commons Crypto</Name>
>> + <Version>
>> + <Names>development</Names>
>> + <ECCN>5D002</ECCN>
>> + <ControlledSource href="https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
>> + <Manufacturer>ASF</Manufacturer>
>> + <Why>designed for use with encryption library</Why>
>> + </ControlledSource>
>> + <ControlledSource href="http://www.openssl.org/source/">
>> + <Manufacturer>The OpenSSL Project</Manufacturer>
>> + <Why>general-purpose cryptography library included with OpenSSL</Why>
>> + </ControlledSource>
>> + <ControlledSource href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">
>> + <Manufacturer>Oracle</Manufacturer>
>> + <Why>general-purpose cryptography library (JCE) included with Java</Why>
>> + </ControlledSource>
>> + </Version>
>> + </Product>
>> + <Product>
>> <Name>Apache Commons OpenPGP</Name>
>> <Version>
>> <Names>development</Names>
>>
>>
>> Regards
>> Dapeng
>>
>> -----Original Message-----
>> From: Stian Soiland-Reyes [mailto:stain@apache.org]
>> Sent: Monday, May 30, 2016 5:20 PM
>> To: Commons Developers List
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> I think we are good to continue as a "normal" 5D002 self-classification.
>>
>> Great if you will have a go, let me know if you would like me to help or review!
>>
>> See http://www.apache.org/dev/crypto.html#sources for svn details,
>> linking to
>> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/li
>> c enses/exports/index.page/eccnmatrix.xml
>>
>> I found just being a committer was enough to update the svn, after
>> which it should be live on
>> http://www.staging.apache.org/licenses/exports/
>>
>> If that works fine, then any ASF member can publish it using
>> https://cms.apache.org/ for the main website (it can be a bit slow)
>>
>> Normally it is the PMC Chair that sends the registration email after that.
>> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>>
>> Hi Stian,
>> If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
>>
>> I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
>>
>> Thanks for your help.
>>
>> Haifeng
>>
>>
>> -----Original Message-----
>> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> Sent: Thursday, May 26, 2016 9:42 AM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
>>
>> If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
>>
>> Regards,
>> Haifeng
>>
>> -----Original Message-----
>> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> Sent: Tuesday, May 24, 2016 3:57 PM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> Thanks Stian and Benedikt!
>>
>>> Let's create a Jira issue to track the categorisation process.
>> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
>>
>>
>> Regards,
>> Haifeng
>>
>> -----Original Message-----
>> From: Benedikt Ritter [mailto:britter@apache.org]
>> Sent: Monday, May 23, 2016 3:36 PM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>>
>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016
>> um
>> 09:34 Uhr:
>>
>>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>>> >
>>> > So how about we go to the process of ECCN 5D002 self-classify
>>> > category
>>> and registration like Taverna did?
>>>
>>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
>>> lot easier! :)
>>>
>>> Let's create a Jira issue to track the categorisation process.
>>>
>>
>> +1! good work everybody.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
I'll start a separate thread for VFS classification as it has a bit
more dependencies.. :)
On 2 June 2016 at 20:58, Benedikt Ritter <br...@apache.org> wrote:
> If you know how so get this right for VFS, go for it!
>
> Stian Soiland-Reyes <st...@apache.org> schrieb am Do., 2. Juni 2016 um
> 16:35:
>
>> Thanks! It's already on https://www.apache.org/licenses/exports/
>>
>> I've added to the Commons Crypto README:
>>
>> https://github.com/apache/commons-crypto#export-restrictions
>>
>> (if changing, modify this text in pom.xml <description> and regenerate
>> README.md)
>>
>>
>> Shall I add VFS2 as well? Then Gary can send a joint notification message.
>>
>>
>>
>>
>> On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
>> > Thank Stian for your review!
>> >
>> >>We also need a second <Version> for the (future) source/binary
>> distributions with ControlledSource href=
>> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
>> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
>> the XML file.
>> > Thank you for pointing it out, we should add it.
>> >
>> >> is it 1.0.0 we're targeting for the first Commons Crypto release?
>> > Yes, 1.0.0 would be the first release.
>> >
>> > I have updated the staging website.
>> http://www.staging.apache.org/licenses/exports/index.html
>> >
>> >
>> > Regards
>> > Dapeng
>> >
>> > -----Original Message-----
>> > From: Stian Soiland-Reyes [mailto:stain@apache.org]
>> > Sent: Tuesday, May 31, 2016 6:45 PM
>> > To: Commons Developers List
>> > Subject: Re: US Export classification & ECCN registration for encryption
>> in commons?
>> >
>> > Thanks! Looks good.
>> >
>> > We also need a second <Version> for the (future) source/binary
>> distributions with ControlledSource href=
>> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
>> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
>> the XML file.
>> >
>> > In the second Version you can say <Names>1.0.0 and later</Names> - is it
>> 1.0.0 we're targeting for the first Commons Crypto release?
>> >
>> > On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
>> >> Thank Stian and Haifeng, I have updated the file at my cms workspace.
>> >> If the change is okay for you, I will try to commit it to
>> >> http://www.staging.apache.org/licenses/exports/
>> >>
>> >> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
>> >> ===================================================================
>> >> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml
>> (revision 1655892)
>> >> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml
>> (working copy)
>> >> @@ -212,6 +212,25 @@
>> >> </Version>
>> >> </Product>
>> >> <Product>
>> >> + <Name>Apache Commons Crypto</Name>
>> >> + <Version>
>> >> + <Names>development</Names>
>> >> + <ECCN>5D002</ECCN>
>> >> + <ControlledSource href="
>> https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
>> >> + <Manufacturer>ASF</Manufacturer>
>> >> + <Why>designed for use with encryption library</Why>
>> >> + </ControlledSource>
>> >> + <ControlledSource href="http://www.openssl.org/source/">
>> >> + <Manufacturer>The OpenSSL Project</Manufacturer>
>> >> + <Why>general-purpose cryptography library included with
>> OpenSSL</Why>
>> >> + </ControlledSource>
>> >> + <ControlledSource href="
>> http://www.oracle.com/technetwork/java/javase/downloads/index.html">
>> >> + <Manufacturer>Oracle</Manufacturer>
>> >> + <Why>general-purpose cryptography library (JCE) included with
>> Java</Why>
>> >> + </ControlledSource>
>> >> + </Version>
>> >> + </Product>
>> >> + <Product>
>> >> <Name>Apache Commons OpenPGP</Name>
>> >> <Version>
>> >> <Names>development</Names>
>> >>
>> >>
>> >> Regards
>> >> Dapeng
>> >>
>> >> -----Original Message-----
>> >> From: Stian Soiland-Reyes [mailto:stain@apache.org]
>> >> Sent: Monday, May 30, 2016 5:20 PM
>> >> To: Commons Developers List
>> >> Subject: RE: US Export classification & ECCN registration for
>> encryption in commons?
>> >>
>> >> I think we are good to continue as a "normal" 5D002 self-classification.
>> >>
>> >> Great if you will have a go, let me know if you would like me to help
>> or review!
>> >>
>> >> See http://www.apache.org/dev/crypto.html#sources for svn details,
>> >> linking to
>> >> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/lic
>> >> enses/exports/index.page/eccnmatrix.xml
>> >>
>> >> I found just being a committer was enough to update the svn, after
>> >> which it should be live on
>> >> http://www.staging.apache.org/licenses/exports/
>> >>
>> >> If that works fine, then any ASF member can publish it using
>> >> https://cms.apache.org/ for the main website (it can be a bit slow)
>> >>
>> >> Normally it is the PMC Chair that sends the registration email after
>> that.
>> >> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com>
>> wrote:
>> >>
>> >> Hi Stian,
>> >> If we decide to go ECCN 5D002 self-classify category, do you have an
>> idea that what I can proceed next?
>> >>
>> >> I saw you updated eccnmatrix.xml file for Taverna. Would you please
>> help share where is the place of the file and who has the privilege to make
>> an similar update for Commons Crypto?
>> >>
>> >> Thanks for your help.
>> >>
>> >> Haifeng
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> >> Sent: Thursday, May 26, 2016 9:42 AM
>> >> To: Commons Developers List <de...@commons.apache.org>
>> >> Subject: RE: US Export classification & ECCN registration for
>> encryption in commons?
>> >>
>> >> https://issues.apache.org/jira/browse/LEGAL-256 is created and
>> commented to track this.
>> >>
>> >> If we think this analysis makes sense, we will choose to go ECCN 5D002
>> self-classify category. Will wait for a few days for feedbacks.
>> >>
>> >> Regards,
>> >> Haifeng
>> >>
>> >> -----Original Message-----
>> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> >> Sent: Tuesday, May 24, 2016 3:57 PM
>> >> To: Commons Developers List <de...@commons.apache.org>
>> >> Subject: RE: US Export classification & ECCN registration for
>> encryption in commons?
>> >>
>> >> Thanks Stian and Benedikt!
>> >>
>> >>> Let's create a Jira issue to track the categorisation process.
>> >> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track
>> this?
>> >>
>> >>
>> >> Regards,
>> >> Haifeng
>> >>
>> >> -----Original Message-----
>> >> From: Benedikt Ritter [mailto:britter@apache.org]
>> >> Sent: Monday, May 23, 2016 3:36 PM
>> >> To: Commons Developers List <de...@commons.apache.org>
>> >> Subject: Re: US Export classification & ECCN registration for
>> encryption in commons?
>> >>
>> >> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
>> >> 09:34 Uhr:
>> >>
>> >>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com>
>> wrote:
>> >>> >
>> >>> > So how about we go to the process of ECCN 5D002 self-classify
>> >>> > category
>> >>> and registration like Taverna did?
>> >>>
>> >>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
>> >>> lot easier! :)
>> >>>
>> >>> Let's create a Jira issue to track the categorisation process.
>> >>>
>> >>
>> >> +1! good work everybody.
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> >> For additional commands, e-mail: dev-help@commons.apache.org
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> >> For additional commands, e-mail: dev-help@commons.apache.org
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> >> For additional commands, e-mail: dev-help@commons.apache.org
>> >
>> >
>> >
>> > --
>> > Stian Soiland-Reyes
>> > Apache Taverna (incubating), Apache Commons
>> > http://orcid.org/0000-0001-9842-9718
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> > For additional commands, e-mail: dev-help@commons.apache.org
>> >
>>
>>
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>>
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Benedikt Ritter <br...@apache.org>.
If you know how so get this right for VFS, go for it!
Stian Soiland-Reyes <st...@apache.org> schrieb am Do., 2. Juni 2016 um
16:35:
> Thanks! It's already on https://www.apache.org/licenses/exports/
>
> I've added to the Commons Crypto README:
>
> https://github.com/apache/commons-crypto#export-restrictions
>
> (if changing, modify this text in pom.xml <description> and regenerate
> README.md)
>
>
> Shall I add VFS2 as well? Then Gary can send a joint notification message.
>
>
>
>
> On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> > Thank Stian for your review!
> >
> >>We also need a second <Version> for the (future) source/binary
> distributions with ControlledSource href=
> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> the XML file.
> > Thank you for pointing it out, we should add it.
> >
> >> is it 1.0.0 we're targeting for the first Commons Crypto release?
> > Yes, 1.0.0 would be the first release.
> >
> > I have updated the staging website.
> http://www.staging.apache.org/licenses/exports/index.html
> >
> >
> > Regards
> > Dapeng
> >
> > -----Original Message-----
> > From: Stian Soiland-Reyes [mailto:stain@apache.org]
> > Sent: Tuesday, May 31, 2016 6:45 PM
> > To: Commons Developers List
> > Subject: Re: US Export classification & ECCN registration for encryption
> in commons?
> >
> > Thanks! Looks good.
> >
> > We also need a second <Version> for the (future) source/binary
> distributions with ControlledSource href=
> https://www.apache.org/dist/commons/crypto/ - you would need to duplicate
> the OpenSSL and JavaSE <ControlledSource> for that. See other examples in
> the XML file.
> >
> > In the second Version you can say <Names>1.0.0 and later</Names> - is it
> 1.0.0 we're targeting for the first Commons Crypto release?
> >
> > On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> >> Thank Stian and Haifeng, I have updated the file at my cms workspace.
> >> If the change is okay for you, I will try to commit it to
> >> http://www.staging.apache.org/licenses/exports/
> >>
> >> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> >> ===================================================================
> >> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml
> (revision 1655892)
> >> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml
> (working copy)
> >> @@ -212,6 +212,25 @@
> >> </Version>
> >> </Product>
> >> <Product>
> >> + <Name>Apache Commons Crypto</Name>
> >> + <Version>
> >> + <Names>development</Names>
> >> + <ECCN>5D002</ECCN>
> >> + <ControlledSource href="
> https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> >> + <Manufacturer>ASF</Manufacturer>
> >> + <Why>designed for use with encryption library</Why>
> >> + </ControlledSource>
> >> + <ControlledSource href="http://www.openssl.org/source/">
> >> + <Manufacturer>The OpenSSL Project</Manufacturer>
> >> + <Why>general-purpose cryptography library included with
> OpenSSL</Why>
> >> + </ControlledSource>
> >> + <ControlledSource href="
> http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> >> + <Manufacturer>Oracle</Manufacturer>
> >> + <Why>general-purpose cryptography library (JCE) included with
> Java</Why>
> >> + </ControlledSource>
> >> + </Version>
> >> + </Product>
> >> + <Product>
> >> <Name>Apache Commons OpenPGP</Name>
> >> <Version>
> >> <Names>development</Names>
> >>
> >>
> >> Regards
> >> Dapeng
> >>
> >> -----Original Message-----
> >> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> >> Sent: Monday, May 30, 2016 5:20 PM
> >> To: Commons Developers List
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> I think we are good to continue as a "normal" 5D002 self-classification.
> >>
> >> Great if you will have a go, let me know if you would like me to help
> or review!
> >>
> >> See http://www.apache.org/dev/crypto.html#sources for svn details,
> >> linking to
> >> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/lic
> >> enses/exports/index.page/eccnmatrix.xml
> >>
> >> I found just being a committer was enough to update the svn, after
> >> which it should be live on
> >> http://www.staging.apache.org/licenses/exports/
> >>
> >> If that works fine, then any ASF member can publish it using
> >> https://cms.apache.org/ for the main website (it can be a bit slow)
> >>
> >> Normally it is the PMC Chair that sends the registration email after
> that.
> >> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com>
> wrote:
> >>
> >> Hi Stian,
> >> If we decide to go ECCN 5D002 self-classify category, do you have an
> idea that what I can proceed next?
> >>
> >> I saw you updated eccnmatrix.xml file for Taverna. Would you please
> help share where is the place of the file and who has the privilege to make
> an similar update for Commons Crypto?
> >>
> >> Thanks for your help.
> >>
> >> Haifeng
> >>
> >>
> >> -----Original Message-----
> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> >> Sent: Thursday, May 26, 2016 9:42 AM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> https://issues.apache.org/jira/browse/LEGAL-256 is created and
> commented to track this.
> >>
> >> If we think this analysis makes sense, we will choose to go ECCN 5D002
> self-classify category. Will wait for a few days for feedbacks.
> >>
> >> Regards,
> >> Haifeng
> >>
> >> -----Original Message-----
> >> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> >> Sent: Tuesday, May 24, 2016 3:57 PM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: RE: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> Thanks Stian and Benedikt!
> >>
> >>> Let's create a Jira issue to track the categorisation process.
> >> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track
> this?
> >>
> >>
> >> Regards,
> >> Haifeng
> >>
> >> -----Original Message-----
> >> From: Benedikt Ritter [mailto:britter@apache.org]
> >> Sent: Monday, May 23, 2016 3:36 PM
> >> To: Commons Developers List <de...@commons.apache.org>
> >> Subject: Re: US Export classification & ECCN registration for
> encryption in commons?
> >>
> >> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
> >> 09:34 Uhr:
> >>
> >>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com>
> wrote:
> >>> >
> >>> > So how about we go to the process of ECCN 5D002 self-classify
> >>> > category
> >>> and registration like Taverna did?
> >>>
> >>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> >>> lot easier! :)
> >>>
> >>> Let's create a Jira issue to track the categorisation process.
> >>>
> >>
> >> +1! good work everybody.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
> >
> > --
> > Stian Soiland-Reyes
> > Apache Taverna (incubating), Apache Commons
> > http://orcid.org/0000-0001-9842-9718
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
Thanks! It's already on https://www.apache.org/licenses/exports/
I've added to the Commons Crypto README:
https://github.com/apache/commons-crypto#export-restrictions
(if changing, modify this text in pom.xml <description> and regenerate
README.md)
Shall I add VFS2 as well? Then Gary can send a joint notification message.
On 1 June 2016 at 03:01, Sun, Dapeng <da...@intel.com> wrote:
> Thank Stian for your review!
>
>>We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
> Thank you for pointing it out, we should add it.
>
>> is it 1.0.0 we're targeting for the first Commons Crypto release?
> Yes, 1.0.0 would be the first release.
>
> I have updated the staging website. http://www.staging.apache.org/licenses/exports/index.html
>
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Tuesday, May 31, 2016 6:45 PM
> To: Commons Developers List
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> Thanks! Looks good.
>
> We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
>
> In the second Version you can say <Names>1.0.0 and later</Names> - is it 1.0.0 we're targeting for the first Commons Crypto release?
>
> On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
>> Thank Stian and Haifeng, I have updated the file at my cms workspace.
>> If the change is okay for you, I will try to commit it to
>> http://www.staging.apache.org/licenses/exports/
>>
>> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
>> ===================================================================
>> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml (revision 1655892)
>> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml (working copy)
>> @@ -212,6 +212,25 @@
>> </Version>
>> </Product>
>> <Product>
>> + <Name>Apache Commons Crypto</Name>
>> + <Version>
>> + <Names>development</Names>
>> + <ECCN>5D002</ECCN>
>> + <ControlledSource href="https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
>> + <Manufacturer>ASF</Manufacturer>
>> + <Why>designed for use with encryption library</Why>
>> + </ControlledSource>
>> + <ControlledSource href="http://www.openssl.org/source/">
>> + <Manufacturer>The OpenSSL Project</Manufacturer>
>> + <Why>general-purpose cryptography library included with OpenSSL</Why>
>> + </ControlledSource>
>> + <ControlledSource href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">
>> + <Manufacturer>Oracle</Manufacturer>
>> + <Why>general-purpose cryptography library (JCE) included with Java</Why>
>> + </ControlledSource>
>> + </Version>
>> + </Product>
>> + <Product>
>> <Name>Apache Commons OpenPGP</Name>
>> <Version>
>> <Names>development</Names>
>>
>>
>> Regards
>> Dapeng
>>
>> -----Original Message-----
>> From: Stian Soiland-Reyes [mailto:stain@apache.org]
>> Sent: Monday, May 30, 2016 5:20 PM
>> To: Commons Developers List
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> I think we are good to continue as a "normal" 5D002 self-classification.
>>
>> Great if you will have a go, let me know if you would like me to help or review!
>>
>> See http://www.apache.org/dev/crypto.html#sources for svn details,
>> linking to
>> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/lic
>> enses/exports/index.page/eccnmatrix.xml
>>
>> I found just being a committer was enough to update the svn, after
>> which it should be live on
>> http://www.staging.apache.org/licenses/exports/
>>
>> If that works fine, then any ASF member can publish it using
>> https://cms.apache.org/ for the main website (it can be a bit slow)
>>
>> Normally it is the PMC Chair that sends the registration email after that.
>> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>>
>> Hi Stian,
>> If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
>>
>> I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
>>
>> Thanks for your help.
>>
>> Haifeng
>>
>>
>> -----Original Message-----
>> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> Sent: Thursday, May 26, 2016 9:42 AM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
>>
>> If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
>>
>> Regards,
>> Haifeng
>>
>> -----Original Message-----
>> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
>> Sent: Tuesday, May 24, 2016 3:57 PM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>>
>> Thanks Stian and Benedikt!
>>
>>> Let's create a Jira issue to track the categorisation process.
>> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
>>
>>
>> Regards,
>> Haifeng
>>
>> -----Original Message-----
>> From: Benedikt Ritter [mailto:britter@apache.org]
>> Sent: Monday, May 23, 2016 3:36 PM
>> To: Commons Developers List <de...@commons.apache.org>
>> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>>
>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
>> 09:34 Uhr:
>>
>>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>>> >
>>> > So how about we go to the process of ECCN 5D002 self-classify
>>> > category
>>> and registration like Taverna did?
>>>
>>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
>>> lot easier! :)
>>>
>>> Let's create a Jira issue to track the categorisation process.
>>>
>>
>> +1! good work everybody.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Sun, Dapeng" <da...@intel.com>.
Thank Stian for your review!
>We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
Thank you for pointing it out, we should add it.
> is it 1.0.0 we're targeting for the first Commons Crypto release?
Yes, 1.0.0 would be the first release.
I have updated the staging website. http://www.staging.apache.org/licenses/exports/index.html
Regards
Dapeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Tuesday, May 31, 2016 6:45 PM
To: Commons Developers List
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Thanks! Looks good.
We also need a second <Version> for the (future) source/binary distributions with ControlledSource href=https://www.apache.org/dist/commons/crypto/ - you would need to duplicate the OpenSSL and JavaSE <ControlledSource> for that. See other examples in the XML file.
In the second Version you can say <Names>1.0.0 and later</Names> - is it 1.0.0 we're targeting for the first Commons Crypto release?
On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> Thank Stian and Haifeng, I have updated the file at my cms workspace.
> If the change is okay for you, I will try to commit it to
> http://www.staging.apache.org/licenses/exports/
>
> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> ===================================================================
> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml (revision 1655892)
> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml (working copy)
> @@ -212,6 +212,25 @@
> </Version>
> </Product>
> <Product>
> + <Name>Apache Commons Crypto</Name>
> + <Version>
> + <Names>development</Names>
> + <ECCN>5D002</ECCN>
> + <ControlledSource href="https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> + <Manufacturer>ASF</Manufacturer>
> + <Why>designed for use with encryption library</Why>
> + </ControlledSource>
> + <ControlledSource href="http://www.openssl.org/source/">
> + <Manufacturer>The OpenSSL Project</Manufacturer>
> + <Why>general-purpose cryptography library included with OpenSSL</Why>
> + </ControlledSource>
> + <ControlledSource href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> + <Manufacturer>Oracle</Manufacturer>
> + <Why>general-purpose cryptography library (JCE) included with Java</Why>
> + </ControlledSource>
> + </Version>
> + </Product>
> + <Product>
> <Name>Apache Commons OpenPGP</Name>
> <Version>
> <Names>development</Names>
>
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Monday, May 30, 2016 5:20 PM
> To: Commons Developers List
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> I think we are good to continue as a "normal" 5D002 self-classification.
>
> Great if you will have a go, let me know if you would like me to help or review!
>
> See http://www.apache.org/dev/crypto.html#sources for svn details,
> linking to
> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/lic
> enses/exports/index.page/eccnmatrix.xml
>
> I found just being a committer was enough to update the svn, after
> which it should be live on
> http://www.staging.apache.org/licenses/exports/
>
> If that works fine, then any ASF member can publish it using
> https://cms.apache.org/ for the main website (it can be a bit slow)
>
> Normally it is the PMC Chair that sends the registration email after that.
> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>
> Hi Stian,
> If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
>
> I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
>
> Thanks for your help.
>
> Haifeng
>
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Thursday, May 26, 2016 9:42 AM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
>
> If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Tuesday, May 24, 2016 3:57 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> Thanks Stian and Benedikt!
>
>> Let's create a Jira issue to track the categorisation process.
> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
>
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Benedikt Ritter [mailto:britter@apache.org]
> Sent: Monday, May 23, 2016 3:36 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
> 09:34 Uhr:
>
>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>> >
>> > So how about we go to the process of ECCN 5D002 self-classify
>> > category
>> and registration like Taverna did?
>>
>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
>> lot easier! :)
>>
>> Let's create a Jira issue to track the categorisation process.
>>
>
> +1! good work everybody.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
Thanks! Looks good.
We also need a second <Version> for the (future) source/binary
distributions with ControlledSource
href=https://www.apache.org/dist/commons/crypto/ - you would need to
duplicate the OpenSSL and JavaSE <ControlledSource> for that. See
other examples in the XML file.
In the second Version you can say <Names>1.0.0 and later</Names> - is
it 1.0.0 we're targeting for the first Commons Crypto release?
On 31 May 2016 at 11:03, Sun, Dapeng <da...@intel.com> wrote:
> Thank Stian and Haifeng, I have updated the file at my cms workspace. If the change is okay for you, I will try to commit it to http://www.staging.apache.org/licenses/exports/
>
> Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
> ===================================================================
> --- trunk/content/licenses/exports/index.page/eccnmatrix.xml (revision 1655892)
> +++ trunk/content/licenses/exports/index.page/eccnmatrix.xml (working copy)
> @@ -212,6 +212,25 @@
> </Version>
> </Product>
> <Product>
> + <Name>Apache Commons Crypto</Name>
> + <Version>
> + <Names>development</Names>
> + <ECCN>5D002</ECCN>
> + <ControlledSource href="https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
> + <Manufacturer>ASF</Manufacturer>
> + <Why>designed for use with encryption library</Why>
> + </ControlledSource>
> + <ControlledSource href="http://www.openssl.org/source/">
> + <Manufacturer>The OpenSSL Project</Manufacturer>
> + <Why>general-purpose cryptography library included with OpenSSL</Why>
> + </ControlledSource>
> + <ControlledSource href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">
> + <Manufacturer>Oracle</Manufacturer>
> + <Why>general-purpose cryptography library (JCE) included with Java</Why>
> + </ControlledSource>
> + </Version>
> + </Product>
> + <Product>
> <Name>Apache Commons OpenPGP</Name>
> <Version>
> <Names>development</Names>
>
>
> Regards
> Dapeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Monday, May 30, 2016 5:20 PM
> To: Commons Developers List
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> I think we are good to continue as a "normal" 5D002 self-classification.
>
> Great if you will have a go, let me know if you would like me to help or review!
>
> See http://www.apache.org/dev/crypto.html#sources for svn details, linking to https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
>
> I found just being a committer was enough to update the svn, after which it should be live on http://www.staging.apache.org/licenses/exports/
>
> If that works fine, then any ASF member can publish it using https://cms.apache.org/ for the main website (it can be a bit slow)
>
> Normally it is the PMC Chair that sends the registration email after that.
> On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>
> Hi Stian,
> If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
>
> I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
>
> Thanks for your help.
>
> Haifeng
>
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Thursday, May 26, 2016 9:42 AM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
>
> If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Tuesday, May 24, 2016 3:57 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> Thanks Stian and Benedikt!
>
>> Let's create a Jira issue to track the categorisation process.
> Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
>
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Benedikt Ritter [mailto:britter@apache.org]
> Sent: Monday, May 23, 2016 3:36 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
> 09:34 Uhr:
>
>> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>> >
>> > So how about we go to the process of ECCN 5D002 self-classify
>> > category
>> and registration like Taverna did?
>>
>> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
>> lot easier! :)
>>
>> Let's create a Jira issue to track the categorisation process.
>>
>
> +1! good work everybody.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Sun, Dapeng" <da...@intel.com>.
Thank Stian and Haifeng, I have updated the file at my cms workspace. If the change is okay for you, I will try to commit it to http://www.staging.apache.org/licenses/exports/
Index: trunk/content/licenses/exports/index.page/eccnmatrix.xml
===================================================================
--- trunk/content/licenses/exports/index.page/eccnmatrix.xml (revision 1655892)
+++ trunk/content/licenses/exports/index.page/eccnmatrix.xml (working copy)
@@ -212,6 +212,25 @@
</Version>
</Product>
<Product>
+ <Name>Apache Commons Crypto</Name>
+ <Version>
+ <Names>development</Names>
+ <ECCN>5D002</ECCN>
+ <ControlledSource href="https://git-wip-us.apache.org/repos/asf/commons-crypto.git">
+ <Manufacturer>ASF</Manufacturer>
+ <Why>designed for use with encryption library</Why>
+ </ControlledSource>
+ <ControlledSource href="http://www.openssl.org/source/">
+ <Manufacturer>The OpenSSL Project</Manufacturer>
+ <Why>general-purpose cryptography library included with OpenSSL</Why>
+ </ControlledSource>
+ <ControlledSource href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">
+ <Manufacturer>Oracle</Manufacturer>
+ <Why>general-purpose cryptography library (JCE) included with Java</Why>
+ </ControlledSource>
+ </Version>
+ </Product>
+ <Product>
<Name>Apache Commons OpenPGP</Name>
<Version>
<Names>development</Names>
Regards
Dapeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Monday, May 30, 2016 5:20 PM
To: Commons Developers List
Subject: RE: US Export classification & ECCN registration for encryption in commons?
I think we are good to continue as a "normal" 5D002 self-classification.
Great if you will have a go, let me know if you would like me to help or review!
See http://www.apache.org/dev/crypto.html#sources for svn details, linking to https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
I found just being a committer was enough to update the svn, after which it should be live on http://www.staging.apache.org/licenses/exports/
If that works fine, then any ASF member can publish it using https://cms.apache.org/ for the main website (it can be a bit slow)
Normally it is the PMC Chair that sends the registration email after that.
On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
Hi Stian,
If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
Thanks for your help.
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Thursday, May 26, 2016 9:42 AM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
Regards,
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Tuesday, May 24, 2016 3:57 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
Thanks Stian and Benedikt!
> Let's create a Jira issue to track the categorisation process.
Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
Regards,
Haifeng
-----Original Message-----
From: Benedikt Ritter [mailto:britter@apache.org]
Sent: Monday, May 23, 2016 3:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify
> > category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> lot easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
I think we are good to continue as a "normal" 5D002 self-classification.
Great if you will have a go, let me know if you would like me to help or
review!
See http://www.apache.org/dev/crypto.html#sources for svn details, linking
to
https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
I found just being a committer was enough to update the svn, after which it
should be live on http://www.staging.apache.org/licenses/exports/
If that works fine, then any ASF member can publish it using
https://cms.apache.org/ for the main website (it can be a bit slow)
Normally it is the PMC Chair that sends the registration email after that.
On 30 May 2016 8:09 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
Hi Stian,
If we decide to go ECCN 5D002 self-classify category, do you have an idea
that what I can proceed next?
I saw you updated eccnmatrix.xml file for Taverna. Would you please help
share where is the place of the file and who has the privilege to make an
similar update for Commons Crypto?
Thanks for your help.
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Thursday, May 26, 2016 9:42 AM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in
commons?
https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to
track this.
If we think this analysis makes sense, we will choose to go ECCN 5D002
self-classify category. Will wait for a few days for feedbacks.
Regards,
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Tuesday, May 24, 2016 3:57 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in
commons?
Thanks Stian and Benedikt!
> Let's create a Jira issue to track the categorisation process.
Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
Regards,
Haifeng
-----Original Message-----
From: Benedikt Ritter [mailto:britter@apache.org]
Sent: Monday, May 23, 2016 3:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in
commons?
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify
> > category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> lot easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Hi Stian,
If we decide to go ECCN 5D002 self-classify category, do you have an idea that what I can proceed next?
I saw you updated eccnmatrix.xml file for Taverna. Would you please help share where is the place of the file and who has the privilege to make an similar update for Commons Crypto?
Thanks for your help.
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Thursday, May 26, 2016 9:42 AM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
Regards,
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Tuesday, May 24, 2016 3:57 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
Thanks Stian and Benedikt!
> Let's create a Jira issue to track the categorisation process.
Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
Regards,
Haifeng
-----Original Message-----
From: Benedikt Ritter [mailto:britter@apache.org]
Sent: Monday, May 23, 2016 3:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify
> > category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> lot easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
https://issues.apache.org/jira/browse/LEGAL-256 is created and commented to track this.
If we think this analysis makes sense, we will choose to go ECCN 5D002 self-classify category. Will wait for a few days for feedbacks.
Regards,
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Tuesday, May 24, 2016 3:57 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
Thanks Stian and Benedikt!
> Let's create a Jira issue to track the categorisation process.
Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
Regards,
Haifeng
-----Original Message-----
From: Benedikt Ritter [mailto:britter@apache.org]
Sent: Monday, May 23, 2016 3:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify
> > category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> lot easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Thanks Stian and Benedikt!
> Let's create a Jira issue to track the categorisation process.
Do you mean to create a JIRA in LEGAL similar to LEGAL-250 to track this?
Regards,
Haifeng
-----Original Message-----
From: Benedikt Ritter [mailto:britter@apache.org]
Sent: Monday, May 23, 2016 3:36 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify
> > category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a
> lot easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Benedikt Ritter <br...@apache.org>.
Stian Soiland-Reyes <st...@apache.org> schrieb am Mo., 23. Mai 2016 um
09:34 Uhr:
> On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
> >
> > So how about we go to the process of ECCN 5D002 self-classify category
> and registration like Taverna did?
>
> Agree on your evaluation, so ECCN 5D002 is good. This makes things a lot
> easier! :)
>
> Let's create a Jira issue to track the categorisation process.
>
+1! good work everybody.
RE: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
On 23 May 2016 3:42 a.m., "Chen, Haifeng" <ha...@intel.com> wrote:
>
> So how about we go to the process of ECCN 5D002 self-classify category
and registration like Taverna did?
Agree on your evaluation, so ECCN 5D002 is good. This makes things a lot
easier! :)
Let's create a Jira issue to track the categorisation process.
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
>> Are you sure this is the case for commons-crypto? I thought we only supported JCE encryption and Open SSL encryption.
From the definition of "OCI", I tend to not consider Commons Crypto is an Open cryptographic interface. The algorithm and key lengths it support are fixed.
I would tend to be a ECCN 5D002 self-classify category considering the following:
a " Cryptographic items":
NO. Commons Crypto doesn't implement the cryptographic algorithms. Instead it wraps to JCE or OpenSSL and it will also not pack any JCE or OpenSSL in its dist.
It is more a use of cryptographic items and provide classes for easy of Java usage.
b. "Open Cryptographic Interface" items.
NO. From the definition of "OCI", I tend to not consider Commons Crypto is an Open cryptographic interface. The algorithm and key lengths it support are fixed.
c. Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs).
NO. Commons Crypto is more a utility class library. And it is for ease of use for developers. Not for operating systems and cryptographic service providers as mentioned.
So how about we go to the process of ECCN 5D002 self-classify category and registration like Taverna did?
Regards,
Haifeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Friday, May 20, 2016 4:10 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
On 20 May 2016 at 08:53, Benedikt Ritter <br...@apache.org> wrote:
> b. "Open Cryptographic Interface" items. [740.17(b)(2)] looks correct.
> But this is just my lucky guess.
I'm struggling to find the official definition of "OCI", but I think it's this:
https://www.bis.doc.gov/index.php/forms-documents/doc_view/838-772
> (Open cryptographic interface - A mechanism which is designed to allow
> a customer or other party to insert cryptographic functionality
> without the intervention, help or assistance of the manufacturer or
> its agents (i.e., manufacturer's signing of cryptographic code or
> proprietary interfaces). If the cryptographic interface implements a
> fixed set of cryptographic algorithms, key lengths or key exchange
> management systems, that cannot be changed, it will not be considered an "open"
> cryptographic interface. All general application programming
> interfaces (i.e., those that accept either a cryptographic or
> non-cryptographic interface, but do not themselves maintain any
> cryptographic
> functionality) will not be considered "open" cryptographic interfaces
> either.)
Are you sure this is the case for commons-crypto? I thought we only supported JCE encryption and Open SSL encryption.
If it is the case it seems we have to submit a formal "encryption classification request", and export would be more restricted on which countries are permitted.
See:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
--
Stian Soiland-Reyes
Apache Commons, Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
On 20 May 2016 at 08:53, Benedikt Ritter <br...@apache.org> wrote:
> b. "Open Cryptographic Interface" items. [740.17(b)(2)]
> looks correct. But this is just my lucky guess.
I'm struggling to find the official definition of "OCI", but I think it's this:
https://www.bis.doc.gov/index.php/forms-documents/doc_view/838-772
> (Open cryptographic interface - A mechanism which is designed to allow a
> customer or other party to insert cryptographic functionality without
> the intervention, help or assistance of the manufacturer or its agents
> (i.e., manufacturer's signing of cryptographic code or proprietary
> interfaces). If the cryptographic interface implements a fixed set of
> cryptographic algorithms, key lengths or key exchange management
> systems, that cannot be changed, it will not be considered an "open"
> cryptographic interface. All general application programming interfaces
> (i.e., those that accept either a cryptographic or non-cryptographic
> interface, but do not themselves maintain any cryptographic
> functionality) will not be considered "open" cryptographic interfaces
> either.)
Are you sure this is the case for commons-crypto? I thought we only
supported JCE encryption and Open SSL encryption.
If it is the case it seems we have to submit a formal "encryption
classification request", and export would be more restricted on which
countries are permitted.
See:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
--
Stian Soiland-Reyes
Apache Commons, Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Benedikt Ritter <br...@apache.org>.
Hello Haifeng,
Chen, Haifeng <ha...@intel.com> schrieb am Fr., 20. Mai 2016 um
07:39 Uhr:
> [Resend for correcting some text format problems]
>
> Thanks Stian for your help.
> Based on the current understanding, we can conclude that Commons Crypto is
> Category 5, Part 2 controlled. And so the encryption registration is needed.
> For the encryption registration, Commons Crypto goes to ECCN 5D002
> self-classify category. (I tend to think that Commons Crypto module doesn't
> create any encryption algorithms, instead it is only use to provide
> usability functionalities)
>
> As to the encryption classification list in
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification,
> not sure whether Commons Crypto belongs to the following items and thus
> need an encryption classification request.
> a. "Cryptographic items". [740.17(b)(2)]
> b. "Open Cryptographic Interface" items. [740.17(b)(2)]
> c. Cryptographic libraries, modules, development kits and toolkits,
> including for operating systems and cryptographic service providers (CSPs).
> [740.17(b)(3)]
>
To me
b. "Open Cryptographic Interface" items. [740.17(b)(2)]
looks correct. But this is just my lucky guess.
Benedikt
>
> What folks think about this?
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Friday, May 20, 2016 1:28 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption
> in commons?
>
> Thanks Stian for your help.
> Based on the current understanding, we can conclude that Commons Crypto is
> Category 5, Part 2 controlled. And so the encryption registration is needed.
> For the encryption registration, Commons Crypto goes to ECCN 5D002
> self-classify category. (I tend to think that Commons Crypto module doesn't
> create any encryption algorithms, instead it is only use to provide
> usability functionalities)
>
> As to the encryption classification list in
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification,
> not sure whether Commons Crypto belongs to the following items and thus
> need an encryption classification request.
> ◾"Cryptographic items". [740.17(b)(2)]
> ◾"Open Cryptographic Interface" items. [740.17(b)(2)] ◾Cryptographic
> libraries, modules, development kits and toolkits, including for operating
> systems and cryptographic service providers (CSPs). [740.17(b)(3)]
>
> What folks this about this?
>
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Stian Soiland-Reyes [mailto:stain@apache.org]
> Sent: Thursday, May 19, 2016 4:10 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption
> in commons?
>
> Hi, for Taverna the question mainly came down to:
>
> 1) What encryption functionality have we designed to use? (e.g. we use
> BouncyCastle for encryption, but our use of Derby does not use
> encryption)
>
> 2) What encryption items (e.g. JARs) will we include in distros (we will
> bundle BouncyCastle, Derby, etc)
>
>
> With Commons Crypto you have to be careful also about the ECCN
> classification if it can be seen as a development toolkit for creating
> encryption algorithms.
>
>
> See
>
>
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
>
>
> From the linked "Flow chart 1" I find for Commons Crypto:
>
> Designed to use or contain cryptography? Yes Specifically designed for
> medical? No Exempt by Note 4? No (Primary function is "Information
> security") Limited to DRM stuff? No
> -> Category 5, Part 2 controlled
>
> So then we go through
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration
>
> Flow chart 2:
>
> Is the item publicly available encryption source code? Yes.
> -> ECCN 5D002 self-classify
>
>
> For the classification listing on
> https://www.apache.org/licenses/exports/ you basically just list that you
> are designed to be used with OpenSSL and JCE, with links to them.
>
>
>
> But note:
>
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
>
> Do any of those apply to Commons Crypto?
>
>
>
> On 19 May 2016 at 07:45, Chen, Haifeng <ha...@intel.com> wrote:
> > Hi Stian,
> > I saw you worked actively on same registration issue for Taverna. Do you
> have any suggestions on what steps we should take for Crypto registration?
> > We are keenly to get a first release of Crypto.
> >
> > Regards,
> > Haifeng
> >
> > -----Original Message-----
> > From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> > Sent: Friday, May 13, 2016 1:39 PM
> > To: Commons Developers List <de...@commons.apache.org>
> > Subject: RE: US Export classification & ECCN registration for encryption
> in commons?
> >
> > Hi folks,
> > From LEGAL-250 discussion, it showed that Commons Crypto should be
> registered.
> > Shall we also add Commons Crypto to ECCN Matrix in
> http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as
> what Apache Taverna did?
> >
> > Regards,
> > Haifeng
> >
> > -----Original Message-----
> > From: sebb [mailto:sebbaz@gmail.com]
> > Sent: Monday, May 9, 2016 7:48 PM
> > To: Commons Developers List <de...@commons.apache.org>
> > Subject: Re: US Export classification & ECCN registration for encryption
> in commons?
> >
> > On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
> >> My take:
> >>
> >> (But we can also ask Legal separately as LEGAL-250 got a bit long
> >> thread)
> >
> > +1
> >
> >>
> >> The exception for open source means we just need to self-classify as
> >> 5D002 and send a notification email according to
> >> http://www.apache.org/dev/crypto.html
> >>
> >>
> >> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
> >> i ng-encryption-items has some updated guidance after the 2010
> >> changes:
> >>
> >>> Almost all items controlled under Category 5, Part 2 of the EAR are
> controlled because they include encryption functionality. Items may be
> controlled as encryption items even if the encryption is actually performed
> by the operating system, an external library, a third-party product or a
> cryptographic processor. If an item uses encryption functionality, whether
> or not the code that performs the encryption is included with the item,
> then BIS evaluates the item based on the encryption functionality it uses.
> >>
> >> By not making binary distributions with third-party JARs we would not
> >> be INCLUDING the encryption functionality. However we would in some
> >> cases USE the encryption functionality.
> >>
> >>
> >> There IS an exemption from being classified at all in
> >> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
> >> i
> >> ng-encryption-items#Three
> >>
> >>
> >>
> >>> Note 4: Category 5, Part 2 does not apply to items incorporating or
> using "cryptography" and meeting all of the following:
> >>>
> >>> (a) The primary function or set of functions is not any of the
> following:
> >>> (1) "Information security";
> >>> (2) A computer, including operating systems, parts and components
> therefor;
> >>> (3) Sending, receiving or storing information (except in support
> of entertainment, mass commercial broadcasts, digital rights
> >>> management or medical records management); or
> >>> (4) Networking (includes operation, administration, management
> >>> and provisioning);
> >>> > (b) The cryptographic functionality is limited to supporting their
> >>> > primary function or set of functions; and
> >>> (c) When necessary, details of the items are accessible and will be
> provided, upon request, to the appropriate authority in the exporter’s
> >>> country in order to ascertain compliance with conditions described
> in paragraphs (a) and (b) above.
> >>
> >> meaning that say Commons Imaging would be exempt from any
> >> registration
> >> - even if it included support for reading encrypted images.
> >>
> >> (however some software using such a hypothetical Commons Imaging
> >> w/crypto, and incidentally also doing sending/receiving/storing
> >> information, WOULD need to classify)
> >>
> >>
> >> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
> >> "Sending, receiving or storing information", and would by having
> >> strong bindings to Apache SSHd (itself listed) and JSCH which
> >> encryption functionality VFS would be using.
> >
> > Commons NET would also need to register then.
> >
> >> The test dependency on Bouncy Castle is ironically not cause for
> >> registration as VFS code is not designed to use BCProv, and do not
> >> bundle the Bouncy Castle implementation.
> >>
> >>
> >>
> >> Commons Crypto would be doing "information security" and Iwould say
> >> also need to be registered.
> >>
> >> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
> >>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
> >>> available encryption source code - which the dev/crypto.html page
> >>> says applies to the ASF.
> >>>
> >>> I think we need to wait for guidance from Legal.
> >>>
> >>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
> >>>> Hi,
> >>>>
> >>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
> >>>> um
> >>>> 14:35 Uhr:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> Sorry for spotting this..
> >>>>>
> >>>>>
> >>>>> Apache Commons Crypto is not listed on
> >>>>> http://www.apache.org/licenses/exports/ - does it need to be?
> >>>>> (One would assume so..)
> >>>>>
> >>>>> Also it was raised that Commons VFS depends on Bouncy
> >>>>> Castle/Apache Mina/Jetty/SSHD/Hadoop/jsch and has encryption
> >>>>> binding for AES128 - perhaps that also needs to be listed and
> registered?
> >>>>>
> >>>>
> >>>> Thank you for pointing this out. I've reported this as
> >>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved
> >>>> in VFS, but I've seen that the discussion about that has already
> >>>> started on the vote for VFS 2.0 rc1.
> >>>>
> >>>> Benedikt
> >>>>
> >>>>
> >>>>>
> >>>>>
> >>>>> We only have listed:
> >>>>>
> >>>>> Commons Compress
> >>>>> Commons OpenPGP
> >>>>>
> >>>>>
> >>>>> See guidance on
> >>>>> http://www.apache.org/dev/crypto.html
> >>>>>
> >>>>>
> >>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
> >>>>> to see if merely using a listed source as a Maven <dependency>
> >>>>> means you also are classified - or if you would need to also
> >>>>> bundle the dependency's binary (which I think we don't do).
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Stian Soiland-Reyes
> >>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
> >>>>> http://orcid.org/0000-0001-9842-9718
> >>>>>
> >>>>> ------------------------------------------------------------------
> >>>>> -
> >>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>>>> For additional commands, e-mail: dev-help@commons.apache.org
> >>>>>
> >>>>>
> >>>
> >>> --------------------------------------------------------------------
> >>> - To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >>> For additional commands, e-mail: dev-help@commons.apache.org
> >>>
> >>
> >>
> >>
> >> --
> >> Stian Soiland-Reyes
> >> Apache Taverna (incubating), Apache Commons RDF (incubating)
> >> http://orcid.org/0000-0001-9842-9718
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
[Resend for correcting some text format problems]
Thanks Stian for your help.
Based on the current understanding, we can conclude that Commons Crypto is Category 5, Part 2 controlled. And so the encryption registration is needed.
For the encryption registration, Commons Crypto goes to ECCN 5D002 self-classify category. (I tend to think that Commons Crypto module doesn't create any encryption algorithms, instead it is only use to provide usability functionalities)
As to the encryption classification list in https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification, not sure whether Commons Crypto belongs to the following items and thus need an encryption classification request.
a. "Cryptographic items". [740.17(b)(2)]
b. "Open Cryptographic Interface" items. [740.17(b)(2)]
c. Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs). [740.17(b)(3)]
What folks think about this?
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Friday, May 20, 2016 1:28 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
Thanks Stian for your help.
Based on the current understanding, we can conclude that Commons Crypto is Category 5, Part 2 controlled. And so the encryption registration is needed.
For the encryption registration, Commons Crypto goes to ECCN 5D002 self-classify category. (I tend to think that Commons Crypto module doesn't create any encryption algorithms, instead it is only use to provide usability functionalities)
As to the encryption classification list in https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification, not sure whether Commons Crypto belongs to the following items and thus need an encryption classification request.
◾"Cryptographic items". [740.17(b)(2)]
◾"Open Cryptographic Interface" items. [740.17(b)(2)] ◾Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs). [740.17(b)(3)]
What folks this about this?
Regards,
Haifeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Thursday, May 19, 2016 4:10 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Hi, for Taverna the question mainly came down to:
1) What encryption functionality have we designed to use? (e.g. we use BouncyCastle for encryption, but our use of Derby does not use
encryption)
2) What encryption items (e.g. JARs) will we include in distros (we will bundle BouncyCastle, Derby, etc)
With Commons Crypto you have to be careful also about the ECCN classification if it can be seen as a development toolkit for creating encryption algorithms.
See
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
From the linked "Flow chart 1" I find for Commons Crypto:
Designed to use or contain cryptography? Yes Specifically designed for medical? No Exempt by Note 4? No (Primary function is "Information security") Limited to DRM stuff? No
-> Category 5, Part 2 controlled
So then we go through
https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration
Flow chart 2:
Is the item publicly available encryption source code? Yes.
-> ECCN 5D002 self-classify
For the classification listing on
https://www.apache.org/licenses/exports/ you basically just list that you are designed to be used with OpenSSL and JCE, with links to them.
But note:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
Do any of those apply to Commons Crypto?
On 19 May 2016 at 07:45, Chen, Haifeng <ha...@intel.com> wrote:
> Hi Stian,
> I saw you worked actively on same registration issue for Taverna. Do you have any suggestions on what steps we should take for Crypto registration?
> We are keenly to get a first release of Crypto.
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Friday, May 13, 2016 1:39 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> Hi folks,
> From LEGAL-250 discussion, it showed that Commons Crypto should be registered.
> Shall we also add Commons Crypto to ECCN Matrix in http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as what Apache Taverna did?
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: sebb [mailto:sebbaz@gmail.com]
> Sent: Monday, May 9, 2016 7:48 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
>> My take:
>>
>> (But we can also ask Legal separately as LEGAL-250 got a bit long
>> thread)
>
> +1
>
>>
>> The exception for open source means we just need to self-classify as
>> 5D002 and send a notification email according to
>> http://www.apache.org/dev/crypto.html
>>
>>
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
>> i ng-encryption-items has some updated guidance after the 2010
>> changes:
>>
>>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>>
>> By not making binary distributions with third-party JARs we would not
>> be INCLUDING the encryption functionality. However we would in some
>> cases USE the encryption functionality.
>>
>>
>> There IS an exemption from being classified at all in
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
>> i
>> ng-encryption-items#Three
>>
>>
>>
>>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>>
>>> (a) The primary function or set of functions is not any of the following:
>>> (1) "Information security";
>>> (2) A computer, including operating systems, parts and components therefor;
>>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>>> management or medical records management); or
>>> (4) Networking (includes operation, administration, management
>>> and provisioning);
>>> > (b) The cryptographic functionality is limited to supporting their
>>> > primary function or set of functions; and
>>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>>
>> meaning that say Commons Imaging would be exempt from any
>> registration
>> - even if it included support for reading encrypted images.
>>
>> (however some software using such a hypothetical Commons Imaging
>> w/crypto, and incidentally also doing sending/receiving/storing
>> information, WOULD need to classify)
>>
>>
>> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
>> "Sending, receiving or storing information", and would by having
>> strong bindings to Apache SSHd (itself listed) and JSCH which
>> encryption functionality VFS would be using.
>
> Commons NET would also need to register then.
>
>> The test dependency on Bouncy Castle is ironically not cause for
>> registration as VFS code is not designed to use BCProv, and do not
>> bundle the Bouncy Castle implementation.
>>
>>
>>
>> Commons Crypto would be doing "information security" and Iwould say
>> also need to be registered.
>>
>> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>>> available encryption source code - which the dev/crypto.html page
>>> says applies to the ASF.
>>>
>>> I think we need to wait for guidance from Legal.
>>>
>>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>>> Hi,
>>>>
>>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
>>>> um
>>>> 14:35 Uhr:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry for spotting this..
>>>>>
>>>>>
>>>>> Apache Commons Crypto is not listed on
>>>>> http://www.apache.org/licenses/exports/ - does it need to be?
>>>>> (One would assume so..)
>>>>>
>>>>> Also it was raised that Commons VFS depends on Bouncy
>>>>> Castle/Apache Mina/Jetty/SSHD/Hadoop/jsch and has encryption
>>>>> binding for AES128 - perhaps that also needs to be listed and registered?
>>>>>
>>>>
>>>> Thank you for pointing this out. I've reported this as
>>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved
>>>> in VFS, but I've seen that the discussion about that has already
>>>> started on the vote for VFS 2.0 rc1.
>>>>
>>>> Benedikt
>>>>
>>>>
>>>>>
>>>>>
>>>>> We only have listed:
>>>>>
>>>>> Commons Compress
>>>>> Commons OpenPGP
>>>>>
>>>>>
>>>>> See guidance on
>>>>> http://www.apache.org/dev/crypto.html
>>>>>
>>>>>
>>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
>>>>> to see if merely using a listed source as a Maven <dependency>
>>>>> means you also are classified - or if you would need to also
>>>>> bundle the dependency's binary (which I think we don't do).
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Stian Soiland-Reyes
>>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>>> http://orcid.org/0000-0001-9842-9718
>>>>>
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>>
>>>>>
>>>
>>> --------------------------------------------------------------------
>>> - To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>
>>
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Thanks Stian for your help.
Based on the current understanding, we can conclude that Commons Crypto is Category 5, Part 2 controlled. And so the encryption registration is needed.
For the encryption registration, Commons Crypto goes to ECCN 5D002 self-classify category. (I tend to think that Commons Crypto module doesn't create any encryption algorithms, instead it is only use to provide usability functionalities)
As to the encryption classification list in https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification, not sure whether Commons Crypto belongs to the following items and thus need an encryption classification request.
◾"Cryptographic items". [740.17(b)(2)]
◾"Open Cryptographic Interface" items. [740.17(b)(2)]
◾Cryptographic libraries, modules, development kits and toolkits, including for operating systems and cryptographic service providers (CSPs). [740.17(b)(3)]
What folks this about this?
Regards,
Haifeng
-----Original Message-----
From: Stian Soiland-Reyes [mailto:stain@apache.org]
Sent: Thursday, May 19, 2016 4:10 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
Hi, for Taverna the question mainly came down to:
1) What encryption functionality have we designed to use? (e.g. we use BouncyCastle for encryption, but our use of Derby does not use
encryption)
2) What encryption items (e.g. JARs) will we include in distros (we will bundle BouncyCastle, Derby, etc)
With Commons Crypto you have to be careful also about the ECCN classification if it can be seen as a development toolkit for creating encryption algorithms.
See
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
From the linked "Flow chart 1" I find for Commons Crypto:
Designed to use or contain cryptography? Yes Specifically designed for medical? No Exempt by Note 4? No (Primary function is "Information security") Limited to DRM stuff? No
-> Category 5, Part 2 controlled
So then we go through
https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration
Flow chart 2:
Is the item publicly available encryption source code? Yes.
-> ECCN 5D002 self-classify
For the classification listing on
https://www.apache.org/licenses/exports/ you basically just list that you are designed to be used with OpenSSL and JCE, with links to them.
But note:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
Do any of those apply to Commons Crypto?
On 19 May 2016 at 07:45, Chen, Haifeng <ha...@intel.com> wrote:
> Hi Stian,
> I saw you worked actively on same registration issue for Taverna. Do you have any suggestions on what steps we should take for Crypto registration?
> We are keenly to get a first release of Crypto.
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Friday, May 13, 2016 1:39 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> Hi folks,
> From LEGAL-250 discussion, it showed that Commons Crypto should be registered.
> Shall we also add Commons Crypto to ECCN Matrix in http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as what Apache Taverna did?
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: sebb [mailto:sebbaz@gmail.com]
> Sent: Monday, May 9, 2016 7:48 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
>> My take:
>>
>> (But we can also ask Legal separately as LEGAL-250 got a bit long
>> thread)
>
> +1
>
>>
>> The exception for open source means we just need to self-classify as
>> 5D002 and send a notification email according to
>> http://www.apache.org/dev/crypto.html
>>
>>
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
>> i ng-encryption-items has some updated guidance after the 2010
>> changes:
>>
>>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>>
>> By not making binary distributions with third-party JARs we would not
>> be INCLUDING the encryption functionality. However we would in some
>> cases USE the encryption functionality.
>>
>>
>> There IS an exemption from being classified at all in
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identify
>> i
>> ng-encryption-items#Three
>>
>>
>>
>>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>>
>>> (a) The primary function or set of functions is not any of the following:
>>> (1) "Information security";
>>> (2) A computer, including operating systems, parts and components therefor;
>>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>>> management or medical records management); or
>>> (4) Networking (includes operation, administration, management
>>> and provisioning);
>>> > (b) The cryptographic functionality is limited to supporting their
>>> > primary function or set of functions; and
>>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>>
>> meaning that say Commons Imaging would be exempt from any
>> registration
>> - even if it included support for reading encrypted images.
>>
>> (however some software using such a hypothetical Commons Imaging
>> w/crypto, and incidentally also doing sending/receiving/storing
>> information, WOULD need to classify)
>>
>>
>> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
>> "Sending, receiving or storing information", and would by having
>> strong bindings to Apache SSHd (itself listed) and JSCH which
>> encryption functionality VFS would be using.
>
> Commons NET would also need to register then.
>
>> The test dependency on Bouncy Castle is ironically not cause for
>> registration as VFS code is not designed to use BCProv, and do not
>> bundle the Bouncy Castle implementation.
>>
>>
>>
>> Commons Crypto would be doing "information security" and Iwould say
>> also need to be registered.
>>
>> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>>> available encryption source code - which the dev/crypto.html page
>>> says applies to the ASF.
>>>
>>> I think we need to wait for guidance from Legal.
>>>
>>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>>> Hi,
>>>>
>>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
>>>> um
>>>> 14:35 Uhr:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry for spotting this..
>>>>>
>>>>>
>>>>> Apache Commons Crypto is not listed on
>>>>> http://www.apache.org/licenses/exports/ - does it need to be?
>>>>> (One would assume so..)
>>>>>
>>>>> Also it was raised that Commons VFS depends on Bouncy
>>>>> Castle/Apache Mina/Jetty/SSHD/Hadoop/jsch and has encryption
>>>>> binding for AES128 - perhaps that also needs to be listed and registered?
>>>>>
>>>>
>>>> Thank you for pointing this out. I've reported this as
>>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved
>>>> in VFS, but I've seen that the discussion about that has already
>>>> started on the vote for VFS 2.0 rc1.
>>>>
>>>> Benedikt
>>>>
>>>>
>>>>>
>>>>>
>>>>> We only have listed:
>>>>>
>>>>> Commons Compress
>>>>> Commons OpenPGP
>>>>>
>>>>>
>>>>> See guidance on
>>>>> http://www.apache.org/dev/crypto.html
>>>>>
>>>>>
>>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
>>>>> to see if merely using a listed source as a Maven <dependency>
>>>>> means you also are classified - or if you would need to also
>>>>> bundle the dependency's binary (which I think we don't do).
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Stian Soiland-Reyes
>>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>>> http://orcid.org/0000-0001-9842-9718
>>>>>
>>>>> ------------------------------------------------------------------
>>>>> -
>>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>>
>>>>>
>>>
>>> --------------------------------------------------------------------
>>> - To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>
>>
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
Hi, for Taverna the question mainly came down to:
1) What encryption functionality have we designed to use? (e.g. we use
BouncyCastle for encryption, but our use of Derby does not use
encryption)
2) What encryption items (e.g. JARs) will we include in distros (we
will bundle BouncyCastle, Derby, etc)
With Commons Crypto you have to be careful also about the ECCN
classification if it can be seen as a development toolkit for creating
encryption algorithms.
See
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
From the linked "Flow chart 1" I find for Commons Crypto:
Designed to use or contain cryptography? Yes
Specifically designed for medical? No
Exempt by Note 4? No (Primary function is "Information security")
Limited to DRM stuff? No
-> Category 5, Part 2 controlled
So then we go through
https://www.bis.doc.gov/index.php/policy-guidance/encryption/registration
Flow chart 2:
Is the item publicly available encryption source code? Yes.
-> ECCN 5D002 self-classify
For the classification listing on
https://www.apache.org/licenses/exports/ you basically just list that
you are designed to be used with OpenSSL and JCE, with links to them.
But note:
https://www.bis.doc.gov/index.php/policy-guidance/encryption/classification
Do any of those apply to Commons Crypto?
On 19 May 2016 at 07:45, Chen, Haifeng <ha...@intel.com> wrote:
> Hi Stian,
> I saw you worked actively on same registration issue for Taverna. Do you have any suggestions on what steps we should take for Crypto registration?
> We are keenly to get a first release of Crypto.
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
> Sent: Friday, May 13, 2016 1:39 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: RE: US Export classification & ECCN registration for encryption in commons?
>
> Hi folks,
> From LEGAL-250 discussion, it showed that Commons Crypto should be registered.
> Shall we also add Commons Crypto to ECCN Matrix in http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as what Apache Taverna did?
>
> Regards,
> Haifeng
>
> -----Original Message-----
> From: sebb [mailto:sebbaz@gmail.com]
> Sent: Monday, May 9, 2016 7:48 PM
> To: Commons Developers List <de...@commons.apache.org>
> Subject: Re: US Export classification & ECCN registration for encryption in commons?
>
> On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
>> My take:
>>
>> (But we can also ask Legal separately as LEGAL-250 got a bit long
>> thread)
>
> +1
>
>>
>> The exception for open source means we just need to self-classify as
>> 5D002 and send a notification email according to
>> http://www.apache.org/dev/crypto.html
>>
>>
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
>> ng-encryption-items has some updated guidance after the 2010 changes:
>>
>>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>>
>> By not making binary distributions with third-party JARs we would not
>> be INCLUDING the encryption functionality. However we would in some
>> cases USE the encryption functionality.
>>
>>
>> There IS an exemption from being classified at all in
>> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
>> ng-encryption-items#Three
>>
>>
>>
>>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>>
>>> (a) The primary function or set of functions is not any of the following:
>>> (1) "Information security";
>>> (2) A computer, including operating systems, parts and components therefor;
>>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>>> management or medical records management); or
>>> (4) Networking (includes operation, administration, management
>>> and provisioning);
>>> > (b) The cryptographic functionality is limited to supporting their
>>> > primary function or set of functions; and
>>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>>
>> meaning that say Commons Imaging would be exempt from any registration
>> - even if it included support for reading encrypted images.
>>
>> (however some software using such a hypothetical Commons Imaging
>> w/crypto, and incidentally also doing sending/receiving/storing
>> information, WOULD need to classify)
>>
>>
>> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
>> "Sending, receiving or storing information", and would by having
>> strong bindings to Apache SSHd (itself listed) and JSCH which
>> encryption functionality VFS would be using.
>
> Commons NET would also need to register then.
>
>> The test dependency on Bouncy Castle is ironically not cause for
>> registration as VFS code is not designed to use BCProv, and do not
>> bundle the Bouncy Castle implementation.
>>
>>
>>
>> Commons Crypto would be doing "information security" and Iwould say
>> also need to be registered.
>>
>> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>>> available encryption source code - which the dev/crypto.html page
>>> says applies to the ASF.
>>>
>>> I think we need to wait for guidance from Legal.
>>>
>>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>>> Hi,
>>>>
>>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
>>>> um
>>>> 14:35 Uhr:
>>>>
>>>>> Hi,
>>>>>
>>>>> Sorry for spotting this..
>>>>>
>>>>>
>>>>> Apache Commons Crypto is not listed on
>>>>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>>>>> would assume so..)
>>>>>
>>>>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>>>>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>>>>> perhaps that also needs to be listed and registered?
>>>>>
>>>>
>>>> Thank you for pointing this out. I've reported this as
>>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in
>>>> VFS, but I've seen that the discussion about that has already
>>>> started on the vote for VFS 2.0 rc1.
>>>>
>>>> Benedikt
>>>>
>>>>
>>>>>
>>>>>
>>>>> We only have listed:
>>>>>
>>>>> Commons Compress
>>>>> Commons OpenPGP
>>>>>
>>>>>
>>>>> See guidance on
>>>>> http://www.apache.org/dev/crypto.html
>>>>>
>>>>>
>>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
>>>>> to see if merely using a listed source as a Maven <dependency>
>>>>> means you also are classified - or if you would need to also bundle
>>>>> the dependency's binary (which I think we don't do).
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Stian Soiland-Reyes
>>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>>> http://orcid.org/0000-0001-9842-9718
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>>
>>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>
>>
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Hi Stian,
I saw you worked actively on same registration issue for Taverna. Do you have any suggestions on what steps we should take for Crypto registration?
We are keenly to get a first release of Crypto.
Regards,
Haifeng
-----Original Message-----
From: Chen, Haifeng [mailto:haifeng.chen@intel.com]
Sent: Friday, May 13, 2016 1:39 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: RE: US Export classification & ECCN registration for encryption in commons?
Hi folks,
From LEGAL-250 discussion, it showed that Commons Crypto should be registered.
Shall we also add Commons Crypto to ECCN Matrix in http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as what Apache Taverna did?
Regards,
Haifeng
-----Original Message-----
From: sebb [mailto:sebbaz@gmail.com]
Sent: Monday, May 9, 2016 7:48 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
> My take:
>
> (But we can also ask Legal separately as LEGAL-250 got a bit long
> thread)
+1
>
> The exception for open source means we just need to self-classify as
> 5D002 and send a notification email according to
> http://www.apache.org/dev/crypto.html
>
>
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
> ng-encryption-items has some updated guidance after the 2010 changes:
>
>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>
> By not making binary distributions with third-party JARs we would not
> be INCLUDING the encryption functionality. However we would in some
> cases USE the encryption functionality.
>
>
> There IS an exemption from being classified at all in
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
> ng-encryption-items#Three
>
>
>
>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>
>> (a) The primary function or set of functions is not any of the following:
>> (1) "Information security";
>> (2) A computer, including operating systems, parts and components therefor;
>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>> management or medical records management); or
>> (4) Networking (includes operation, administration, management
>> and provisioning);
>> > (b) The cryptographic functionality is limited to supporting their
>> > primary function or set of functions; and
>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>
> meaning that say Commons Imaging would be exempt from any registration
> - even if it included support for reading encrypted images.
>
> (however some software using such a hypothetical Commons Imaging
> w/crypto, and incidentally also doing sending/receiving/storing
> information, WOULD need to classify)
>
>
> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
> "Sending, receiving or storing information", and would by having
> strong bindings to Apache SSHd (itself listed) and JSCH which
> encryption functionality VFS would be using.
Commons NET would also need to register then.
> The test dependency on Bouncy Castle is ironically not cause for
> registration as VFS code is not designed to use BCProv, and do not
> bundle the Bouncy Castle implementation.
>
>
>
> Commons Crypto would be doing "information security" and Iwould say
> also need to be registered.
>
> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>> available encryption source code - which the dev/crypto.html page
>> says applies to the ASF.
>>
>> I think we need to wait for guidance from Legal.
>>
>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>> Hi,
>>>
>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
>>> um
>>> 14:35 Uhr:
>>>
>>>> Hi,
>>>>
>>>> Sorry for spotting this..
>>>>
>>>>
>>>> Apache Commons Crypto is not listed on
>>>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>>>> would assume so..)
>>>>
>>>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>>>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>>>> perhaps that also needs to be listed and registered?
>>>>
>>>
>>> Thank you for pointing this out. I've reported this as
>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in
>>> VFS, but I've seen that the discussion about that has already
>>> started on the vote for VFS 2.0 rc1.
>>>
>>> Benedikt
>>>
>>>
>>>>
>>>>
>>>> We only have listed:
>>>>
>>>> Commons Compress
>>>> Commons OpenPGP
>>>>
>>>>
>>>> See guidance on
>>>> http://www.apache.org/dev/crypto.html
>>>>
>>>>
>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
>>>> to see if merely using a listed source as a Maven <dependency>
>>>> means you also are classified - or if you would need to also bundle
>>>> the dependency's binary (which I think we don't do).
>>>>
>>>>
>>>>
>>>> --
>>>> Stian Soiland-Reyes
>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>> http://orcid.org/0000-0001-9842-9718
>>>>
>>>> -------------------------------------------------------------------
>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>
>>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
RE: US Export classification & ECCN registration for encryption in
commons?
Posted by "Chen, Haifeng" <ha...@intel.com>.
Hi folks,
From LEGAL-250 discussion, it showed that Commons Crypto should be registered.
Shall we also add Commons Crypto to ECCN Matrix in http://www.apache.org/licenses/exports/ page (eccnmatrix.xml) the same as what Apache Taverna did?
Regards,
Haifeng
-----Original Message-----
From: sebb [mailto:sebbaz@gmail.com]
Sent: Monday, May 9, 2016 7:48 PM
To: Commons Developers List <de...@commons.apache.org>
Subject: Re: US Export classification & ECCN registration for encryption in commons?
On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
> My take:
>
> (But we can also ask Legal separately as LEGAL-250 got a bit long
> thread)
+1
>
> The exception for open source means we just need to self-classify as
> 5D002 and send a notification email according to
> http://www.apache.org/dev/crypto.html
>
>
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
> ng-encryption-items has some updated guidance after the 2010 changes:
>
>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>
> By not making binary distributions with third-party JARs we would not
> be INCLUDING the encryption functionality. However we would in some
> cases USE the encryption functionality.
>
>
> There IS an exemption from being classified at all in
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifyi
> ng-encryption-items#Three
>
>
>
>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>
>> (a) The primary function or set of functions is not any of the following:
>> (1) "Information security";
>> (2) A computer, including operating systems, parts and components therefor;
>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>> management or medical records management); or
>> (4) Networking (includes operation, administration, management
>> and provisioning);
>> > (b) The cryptographic functionality is limited to supporting their
>> > primary function or set of functions; and
>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>
> meaning that say Commons Imaging would be exempt from any registration
> - even if it included support for reading encrypted images.
>
> (however some software using such a hypothetical Commons Imaging
> w/crypto, and incidentally also doing sending/receiving/storing
> information, WOULD need to classify)
>
>
> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
> "Sending, receiving or storing information", and would by having
> strong bindings to Apache SSHd (itself listed) and JSCH which
> encryption functionality VFS would be using.
Commons NET would also need to register then.
> The test dependency on Bouncy Castle is ironically not cause for
> registration as VFS code is not designed to use BCProv, and do not
> bundle the Bouncy Castle implementation.
>
>
>
> Commons Crypto would be doing "information security" and Iwould say
> also need to be registered.
>
> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>> available encryption source code - which the dev/crypto.html page
>> says applies to the ASF.
>>
>> I think we need to wait for guidance from Legal.
>>
>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>> Hi,
>>>
>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016
>>> um
>>> 14:35 Uhr:
>>>
>>>> Hi,
>>>>
>>>> Sorry for spotting this..
>>>>
>>>>
>>>> Apache Commons Crypto is not listed on
>>>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>>>> would assume so..)
>>>>
>>>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>>>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>>>> perhaps that also needs to be listed and registered?
>>>>
>>>
>>> Thank you for pointing this out. I've reported this as
>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in
>>> VFS, but I've seen that the discussion about that has already
>>> started on the vote for VFS 2.0 rc1.
>>>
>>> Benedikt
>>>
>>>
>>>>
>>>>
>>>> We only have listed:
>>>>
>>>> Commons Compress
>>>> Commons OpenPGP
>>>>
>>>>
>>>> See guidance on
>>>> http://www.apache.org/dev/crypto.html
>>>>
>>>>
>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250
>>>> to see if merely using a listed source as a Maven <dependency>
>>>> means you also are classified - or if you would need to also bundle
>>>> the dependency's binary (which I think we don't do).
>>>>
>>>>
>>>>
>>>> --
>>>> Stian Soiland-Reyes
>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>> http://orcid.org/0000-0001-9842-9718
>>>>
>>>> -------------------------------------------------------------------
>>>> -- To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>
>>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by sebb <se...@gmail.com>.
On 9 May 2016 at 11:52, Stian Soiland-Reyes <st...@apache.org> wrote:
> My take:
>
> (But we can also ask Legal separately as LEGAL-250 got a bit long thread)
+1
>
> The exception for open source means we just need to self-classify as
> 5D002 and send a notification email according to
> http://www.apache.org/dev/crypto.html
>
>
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
> has some updated guidance after the 2010 changes:
>
>> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
>
> By not making binary distributions with third-party JARs we would not
> be INCLUDING the encryption functionality. However we would in some
> cases USE the encryption functionality.
>
>
> There IS an exemption from being classified at all in
> https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three
>
>
>
>> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>>
>> (a) The primary function or set of functions is not any of the following:
>> (1) "Information security";
>> (2) A computer, including operating systems, parts and components therefor;
>> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
>> management or medical records management); or
>> (4) Networking (includes operation, administration, management and provisioning);
>> > (b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
>> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
>> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
>
> meaning that say Commons Imaging would be exempt from any registration
> - even if it included support for reading encrypted images.
>
> (however some software using such a hypothetical Commons Imaging
> w/crypto, and incidentally also doing sending/receiving/storing
> information, WOULD need to classify)
>
>
> but Commons-VFS - with support for SFTP, WebDav etc., is arguably
> "Sending, receiving or storing information", and would by having
> strong bindings to Apache SSHd (itself listed) and JSCH which
> encryption functionality VFS would be using.
Commons NET would also need to register then.
> The test dependency on Bouncy Castle is ironically not cause for
> registration as VFS code is not designed to use BCProv, and do not
> bundle the Bouncy Castle implementation.
>
>
>
> Commons Crypto would be doing "information security" and Iwould say
> also need to be registered.
>
> On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
>> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
>> available encryption source code - which the dev/crypto.html page says
>> applies to the ASF.
>>
>> I think we need to wait for guidance from Legal.
>>
>> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>>> Hi,
>>>
>>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016 um
>>> 14:35 Uhr:
>>>
>>>> Hi,
>>>>
>>>> Sorry for spotting this..
>>>>
>>>>
>>>> Apache Commons Crypto is not listed on
>>>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>>>> would assume so..)
>>>>
>>>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>>>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>>>> perhaps that also needs to be listed and registered?
>>>>
>>>
>>> Thank you for pointing this out. I've reported this as
>>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in VFS,
>>> but I've seen that the discussion about that has already started on the
>>> vote for VFS 2.0 rc1.
>>>
>>> Benedikt
>>>
>>>
>>>>
>>>>
>>>> We only have listed:
>>>>
>>>> Commons Compress
>>>> Commons OpenPGP
>>>>
>>>>
>>>> See guidance on
>>>> http://www.apache.org/dev/crypto.html
>>>>
>>>>
>>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
>>>> see if merely using a listed source as a Maven <dependency> means you
>>>> also are classified - or if you would need to also bundle the
>>>> dependency's binary (which I think we don't do).
>>>>
>>>>
>>>>
>>>> --
>>>> Stian Soiland-Reyes
>>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>>> http://orcid.org/0000-0001-9842-9718
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>>
>>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Stian Soiland-Reyes <st...@apache.org>.
My take:
(But we can also ask Legal separately as LEGAL-250 got a bit long thread)
The exception for open source means we just need to self-classify as
5D002 and send a notification email according to
http://www.apache.org/dev/crypto.html
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items
has some updated guidance after the 2010 changes:
> Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.
By not making binary distributions with third-party JARs we would not
be INCLUDING the encryption functionality. However we would in some
cases USE the encryption functionality.
There IS an exemption from being classified at all in
https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three
> Note 4: Category 5, Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
>
> (a) The primary function or set of functions is not any of the following:
> (1) "Information security";
> (2) A computer, including operating systems, parts and components therefor;
> (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights
> management or medical records management); or
> (4) Networking (includes operation, administration, management and provisioning);
> > (b) The cryptographic functionality is limited to supporting their primary function or set of functions; and
> (c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s
> country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
meaning that say Commons Imaging would be exempt from any registration
- even if it included support for reading encrypted images.
(however some software using such a hypothetical Commons Imaging
w/crypto, and incidentally also doing sending/receiving/storing
information, WOULD need to classify)
but Commons-VFS - with support for SFTP, WebDav etc., is arguably
"Sending, receiving or storing information", and would by having
strong bindings to Apache SSHd (itself listed) and JSCH which
encryption functionality VFS would be using.
The test dependency on Bouncy Castle is ironically not cause for
registration as VFS code is not designed to use BCProv, and do not
bundle the Bouncy Castle implementation.
Commons Crypto would be doing "information security" and Iwould say
also need to be registered.
On 5 May 2016 at 10:45, sebb <se...@gmail.com> wrote:
> Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
> available encryption source code - which the dev/crypto.html page says
> applies to the ASF.
>
> I think we need to wait for guidance from Legal.
>
> On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
>> Hi,
>>
>> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016 um
>> 14:35 Uhr:
>>
>>> Hi,
>>>
>>> Sorry for spotting this..
>>>
>>>
>>> Apache Commons Crypto is not listed on
>>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>>> would assume so..)
>>>
>>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>>> perhaps that also needs to be listed and registered?
>>>
>>
>> Thank you for pointing this out. I've reported this as
>> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in VFS,
>> but I've seen that the discussion about that has already started on the
>> vote for VFS 2.0 rc1.
>>
>> Benedikt
>>
>>
>>>
>>>
>>> We only have listed:
>>>
>>> Commons Compress
>>> Commons OpenPGP
>>>
>>>
>>> See guidance on
>>> http://www.apache.org/dev/crypto.html
>>>
>>>
>>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
>>> see if merely using a listed source as a Maven <dependency> means you
>>> also are classified - or if you would need to also bundle the
>>> dependency's binary (which I think we don't do).
>>>
>>>
>>>
>>> --
>>> Stian Soiland-Reyes
>>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>>> http://orcid.org/0000-0001-9842-9718
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>>> For additional commands, e-mail: dev-help@commons.apache.org
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by sebb <se...@gmail.com>.
Also note that there is a TSU Exception, EAR 740.13(e) - Publicly
available encryption source code - which the dev/crypto.html page says
applies to the ASF.
I think we need to wait for guidance from Legal.
On 5 May 2016 at 10:04, Benedikt Ritter <br...@apache.org> wrote:
> Hi,
>
> Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016 um
> 14:35 Uhr:
>
>> Hi,
>>
>> Sorry for spotting this..
>>
>>
>> Apache Commons Crypto is not listed on
>> http://www.apache.org/licenses/exports/ - does it need to be? (One
>> would assume so..)
>>
>> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
>> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
>> perhaps that also needs to be listed and registered?
>>
>
> Thank you for pointing this out. I've reported this as
> https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in VFS,
> but I've seen that the discussion about that has already started on the
> vote for VFS 2.0 rc1.
>
> Benedikt
>
>
>>
>>
>> We only have listed:
>>
>> Commons Compress
>> Commons OpenPGP
>>
>>
>> See guidance on
>> http://www.apache.org/dev/crypto.html
>>
>>
>> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
>> see if merely using a listed source as a Maven <dependency> means you
>> also are classified - or if you would need to also bundle the
>> dependency's binary (which I think we don't do).
>>
>>
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> For additional commands, e-mail: dev-help@commons.apache.org
>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
Re: US Export classification & ECCN registration for encryption in commons?
Posted by Benedikt Ritter <br...@apache.org>.
Hi,
Stian Soiland-Reyes <st...@apache.org> schrieb am Mi., 4. Mai 2016 um
14:35 Uhr:
> Hi,
>
> Sorry for spotting this..
>
>
> Apache Commons Crypto is not listed on
> http://www.apache.org/licenses/exports/ - does it need to be? (One
> would assume so..)
>
> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
> perhaps that also needs to be listed and registered?
>
Thank you for pointing this out. I've reported this as
https://issues.apache.org/jira/browse/CRYPTO-54. I'm not involved in VFS,
but I've seen that the discussion about that has already started on the
vote for VFS 2.0 rc1.
Benedikt
>
>
> We only have listed:
>
> Commons Compress
> Commons OpenPGP
>
>
> See guidance on
> http://www.apache.org/dev/crypto.html
>
>
> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
> see if merely using a listed source as a Maven <dependency> means you
> also are classified - or if you would need to also bundle the
> dependency's binary (which I think we don't do).
>
>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>