Posted to legal-discuss@apache.org by John Vines <vi...@apache.org> on 2013/09/13 18:02:30 UTC

ECCN crypto check

I'm a developer for Apache Accumulo and while doing some research into
adding a bouncycastle crypto dependency I stumbled across
http://www.apache.org/dev/crypto.html which says I should check with you
folks. We currently have 2 different aspects of crypto in development to
check on.

1. We're working on adding SSL support, and we're planning on using
bouncycastle for some of the crypto implementation. Judging from TIKA, it
seems that this is enough to do some sort of policy work to make this
kosher since we would like to actually package bouncycastle in our
releases. And just in case, if we decide to make it an external dependency,
do we still need to take care of anything to satisfy policy?

2. We also have support for on disk encryption of users' data. It is a
pluggable interface that users can create their own cryptomodule (probably
based on top of existing crypto stuff). We do include an implementation of
it which utilizes javax.crypto in order to do its cryptography. Does this
require some policy work? What if we remove that javax.crypto
implementation?

Thanks
John

Re: ECCN crypto check

Posted by John Vines <vi...@apache.org>.
So I've started on the process, 2 questions-
1. Step 2 - update the site. I updated the site in svn, but I think the
website is based off of a different code base, I think. Am I supposed to
upload the eccnmatrix.xml over the existing one or am I missing something?
2. Step 3 - notify USG. The PMC sent the email, but based on other people,
there is no response coming from these URLs? Should I wait for one or just
go ahead to step 4 (updating the readme)?

Thanks
John


On Wed, Oct 9, 2013 at 11:03 AM, John Vines <jv...@gmail.com> wrote:

> So it sounds like I should follow the old procedure even though it's not
> necessarily correct. Is this accurate?
>
>
> On Tue, Oct 1, 2013 at 4:27 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
>
>> On Tue, 17 Sep 2013 16:20:20 +0200
>> Stefan Bodewig <st...@freenet.de> wrote:
>>
>> > On 2013-09-17, Kevan Miller wrote:
>> >
>> > > On Sep 16, 2013, at 9:05 PM, Stefan Bodewig
>> > > <st...@freenet.de> wrote:
>> >
>> > >> And then I was told to follow the old process the page calls
>> > >> outdated. Which I did.
>> >
>> > > OK. So, just to be clear.
>> >
>> > > There was communication with the SFLC regarding the Commons Compress
>> > > ECCN's requirement. The SFLC told Commons Compress guidance to use
>> > > the process described at http://www.apache.org/dev/crypto.html.
>> >
>> > > Correct?
>> >
>> > No, sorry.
>> >
>> > There was communication between me and the legal-discuss list and Bill
>> > Rowe told me to use the old process - nobody else responded.
>> >
>> > As was the case when I sent the notices for Ant or Ivy years ago I
>> > never received any response from the .gov addresses I sent the
>> > notification to.
>>
>> I believe there was one additional response to the thread in question,
>> which pointed out errata to the TSU exception which has supposedly made
>> things simpler and eliminated some reporting requirements under the TSU
>> exemption, but for the life of me I haven't been able to decipher what
>> the actual impact on the ASF really is.
>>
>> We really seem overdue for an executive summary from the SFLC explaining
>> precisely what was simplified by the new guidance, relative to our old
>> processes and procedures.  But that would be an action item on the VP
>> of legal affairs, since no one other should be placing either paid or
>> pro bono tasks on ASF counsel.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>> For additional commands, e-mail: legal-discuss-help@apache.org
>>
>>
>
>
> --
> Cheers
> ~John
>

Re: ECCN crypto check

Posted by John Vines <jv...@gmail.com>.
So it sounds like I should follow the old procedure even though it's not
necessarily correct. Is this accurate?


On Tue, Oct 1, 2013 at 4:27 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:

> On Tue, 17 Sep 2013 16:20:20 +0200
> Stefan Bodewig <st...@freenet.de> wrote:
>
> > On 2013-09-17, Kevan Miller wrote:
> >
> > > On Sep 16, 2013, at 9:05 PM, Stefan Bodewig
> > > <st...@freenet.de> wrote:
> >
> > >> And then I was told to follow the old process the page calls
> > >> outdated. Which I did.
> >
> > > OK. So, just to be clear.
> >
> > > There was communication with the SFLC regarding the Commons Compress
> > > ECCN's requirement. The SFLC told Commons Compress guidance to use
> > > the process described at http://www.apache.org/dev/crypto.html.
> >
> > > Correct?
> >
> > No, sorry.
> >
> > There was communication between me and the legal-discuss list and Bill
> > Rowe told me to use the old process - nobody else responded.
> >
> > As was the case when I sent the notices for Ant or Ivy years ago I
> > never received any response from the .gov addresses I sent the
> > notification to.
>
> I believe there was one additional response to the thread in question,
> which pointed out errata to the TSU exception which has supposedly made
> things simpler and eliminated some reporting requirements under the TSU
> exemption, but for the life of me I haven't been able to decipher what
> the actual impact on the ASF really is.
>
> We really seem overdue for an executive summary from the SFLC explaining
> precisely what was simplified by the new guidance, relative to our old
> processes and procedures.  But that would be an action item on the VP
> of legal affairs, since no one other should be placing either paid or
> pro bono tasks on ASF counsel.
>


-- 
Cheers
~John

Re: ECCN crypto check

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Tue, 17 Sep 2013 16:20:20 +0200
Stefan Bodewig <st...@freenet.de> wrote:

> On 2013-09-17, Kevan Miller wrote:
> 
> > On Sep 16, 2013, at 9:05 PM, Stefan Bodewig
> > <st...@freenet.de> wrote:
> 
> >> And then I was told to follow the old process the page calls
> >> outdated. Which I did.
> 
> > OK. So, just to be clear.
> 
> > There was communication with the SFLC regarding the Commons Compress
> > ECCN's requirement. The SFLC told Commons Compress guidance to use
> > the process described at http://www.apache.org/dev/crypto.html.
> 
> > Correct?
> 
> No, sorry.
> 
> There was communication between me and the legal-discuss list and Bill
> Rowe told me to use the old process - nobody else responded.
> 
> As was the case when I sent the notices for Ant or Ivy years ago I
> never received any response from the .gov addresses I sent the
> notification to.

I believe there was one additional response to the thread in question,
which pointed out errata to the TSU exception which has supposedly made
things simpler and eliminated some reporting requirements under the TSU
exemption, but for the life of me I haven't been able to decipher what
the actual impact on the ASF really is.

We really seem overdue for an executive summary from the SFLC explaining
precisely what was simplified by the new guidance, relative to our old
processes and procedures.  But that would be an action item on the VP
of legal affairs, since no one other should be placing either paid or
pro bono tasks on ASF counsel.


Re: ECCN crypto check

Posted by Stefan Bodewig <st...@freenet.de>.
On 2013-09-17, Kevan Miller wrote:

> On Sep 16, 2013, at 9:05 PM, Stefan Bodewig <st...@freenet.de> wrote:

>> And then I was told to follow the old process the page calls outdated.
>> Which I did.

> OK. So, just to be clear.

> There was communication with the SFLC regarding the Commons Compress
> ECCN's requirement. The SFLC told Commons Compress guidance to use the
> process described at http://www.apache.org/dev/crypto.html.

> Correct?

No, sorry.

There was communication between me and the legal-discuss list and Bill
Rowe told me to use the old process - nobody else responded.

As was the case when I sent the notices for Ant or Ivy years ago I never
received any response from the .gov addresses I sent the notification
to.

Stefan


Re: ECCN crypto check

Posted by Kevan Miller <ke...@gmail.com>.
On Sep 16, 2013, at 9:05 PM, Stefan Bodewig <st...@freenet.de> wrote:

> On 2013-09-16, John Vines wrote:
> 
>>> I followed the process outlined in
>>> <http://www.apache.org/dev/crypto.html>, edited the page and sent an
>>> email.
> 
>> That URL basically points back to ask here though.
> 
> Right, I even did that, too :-)
> 
> And then I was told to follow the old process the page calls outdated.
> Which I did.

OK. So, just to be clear.

There was communication with the SFLC regarding the Commons Compress ECCN's requirement. The SFLC told Commons Compress guidance to use the process described at http://www.apache.org/dev/crypto.html. 

Correct?

--kevan

Re: ECCN crypto check

Posted by Stefan Bodewig <st...@freenet.de>.
On 2013-09-16, John Vines wrote:

>> I followed the process outlined in
>> <http://www.apache.org/dev/crypto.html>, edited the page and sent an
>> email.

> That URL basically points back to ask here though.

Right, I even did that, too :-)

And then I was told to follow the old process the page calls outdated.
Which I did.

Stefan


Re: ECCN crypto check

Posted by John Vines <vi...@apache.org>.
That URL basically points back to ask here though.


On Mon, Sep 16, 2013 at 12:08 AM, Stefan Bodewig
<st...@freenet.de> wrote:

> On 2013-09-16, Kevan Miller wrote:
>
> > The last request we had on this subject was forwarded to the SFLC.
>
> That was likely me asking about Commons Compress.
>
> > Same process here? I don't know where the previous case (Commons?) ended
> up.
>
> I followed the process outlined in
> <http://www.apache.org/dev/crypto.html>, edited the page and sent an
> email.
>
> Stefan

Re: ECCN crypto check

Posted by Stefan Bodewig <st...@freenet.de>.
On 2013-09-16, Kevan Miller wrote:

> The last request we had on this subject was forwarded to the SFLC.

That was likely me asking about Commons Compress.

> Same process here? I don't know where the previous case (Commons?) ended up.

I followed the process outlined in
<http://www.apache.org/dev/crypto.html>, edited the page and sent an
email.

Stefan


Re: ECCN crypto check

Posted by Kevan Miller <ke...@gmail.com>.
The last request we had on this subject was forwarded to the SFLC.

Same process here? I don't know where the previous case (Commons?) ended up.

--kevan

On Sep 13, 2013, at 9:02 AM, John Vines <vi...@apache.org> wrote:

> I'm a developer for Apache Accumulo and while doing some research into adding a bouncycastle crypto dependency I stumbled across http://www.apache.org/dev/crypto.html which says I should check with you folks. We currently have 2 different aspects of crypto in development to check on.
> 
> 1. We're working on adding SSL support, and we're planning on using bouncycastle for some of the crypto implementation. Judging from TIKA, it seems that this is enough to do some sort of policy work to make this kosher since we would like to actually package bouncycastle in our releases. And just in case, if we decide to make it an external dependency, do we still need to take care of anything to satisfy policy?
> 
> 2. We also have support for on disk encryption of users' data. It is a pluggable interface that users can create their own cryptomodule (probably based on top of existing crypto stuff). We do include an implementation of it which utilizes javax.crypto in order to do its cryptography. Does this require some policy work? What if we remove that javax.crypto implementation?
> 
> Thanks
> John

