Posted to dev@myfaces.apache.org by Dennis Byrne <de...@dbyrne.net> on 2006/08/10 18:52:38 UTC

Re: state-saving encryption: Did we fail to follow the proper procedures?

Hi Mike,

I'll take a look into this.  Fortunately MyFaces does not actually use an algorithm like AES ( very strong ) per se, it simply passes any parameter, which might be "AES", to the javax.crypto.* API.  

Thanks for bringing all of this to our attention.

Dennis Byrne

>-----Original Message-----
>From: Mike Kienenberger [mailto:mkienenb@gmail.com]
>Sent: Thursday, August 10, 2006 12:03 PM
>To: 'MyFaces Dev mailing list'
>Subject: state-saving encryption: Did we fail to follow the proper procedures?
>
>This page just came to my attention.
>
>http://www.apache.org/dev/crypto.html
>
>My understanding is that any software that calls encryption APIs is
>affected by this, so this affects MyFaces due to our client-side state
>saving encryption code.
>
>Is anyone who is currently subscribed to the legal-discuss mailing
>lists willing to follow up on this and determine if MyFaces needs to
>do something?
>
>My reading is that MyFaces clearly is affected and needs to follow these steps:
>
>   1.  Check the Export Control Classification Number (ECCN).
>       -- Looks like MyFaces is ECCN 5D002
>   2. Update the Exports Page with Source Links.
>       -- http://www.apache.org/legal/export.html is a broken link --
>something else to report to legal-discuss.
>   3. Notify the U.S. Government of the new code.
>       -- needs to be done
>   4. Inform users with a crypto notice in the distribution's README
>and download pages.
>       -- needs to be done
>



Re: state-saving encryption: Did we fail to follow the proper procedures?

Posted by Mike Kienenberger <mk...@gmail.com>.
On 8/10/06, Dennis Byrne <de...@dbyrne.net> wrote:
> I'll take a look into this.  Fortunately MyFaces does not actually use an algorithm like AES ( very strong ) per se, it simply passes any parameter, which might be "AES", to the javax.crypto.* API.

I read the following section to mean that if you provide the
ability to use such encryption, you fall into this category. I'm
pretty sure that the javax.crypto API would be on the list.

- Software specially designed [..] for the [..] use of any of the
other software of this list [..]