Hi Cliff,

Thanks for your help. I have created an issue for this [1]. If you have time, can you look at the attachment [2]? The only question I have concerns the CryptoSrc element. JAMES used this element to point to a source release, but Apache MyFaces, to my knowledge, has only done source releases for releases which do not have bindings to the crypto APIs (1.1.1 and 1.0.9).

Also, I am curious as to why only the source is tracked. There is no equivalent to CryptoBin?

Dennis Byrne

[1] https://issues.apache.org/jira/browse/MYFACES-1400
[2] https://issues.apache.org/jira/secure/attachment/12340100/bis_MYFACES.rdf

>-----Original Message-----
>From: Cliff Schmidt [mailto:[EMAIL PROTECTED]
>Sent: Saturday, September 2, 2006 02:47 PM
>To: 'Dennis Byrne'
>Cc: [email protected], [email protected]
>Subject: Re: MyFaces ECCN 5D002
>
>On 9/2/06, Dennis Byrne <[EMAIL PROTECTED]> wrote:
>> Apache MyFaces has bindings to the javax.crypto API. Configuration
>> parameters, supplied by an application developer, are passed through to the
>> javax.crypto API, employing symmetric encryption algorithms with unlimited
>> key lengths.
>>
>> The following from [1] leads me to believe that Apache MyFaces release
>> artifacts fall under ECCN 5D002 (Export Control Classification Number).
>>
>> "the definition of ECCN 5D002, which can be summarized as: ... Software
>> using a "symmetric algorithm" employing a key length in excess of 56-bits"
>>
>> However the crypto page [1] also states the following:
>>
>> "If my project ships a binary that provides bindings to OpenSSL, but does
>> not include its source or binaries, what notifications must be made?
>> The only required notification for an Apache project that is specially
>> designed to use, but doesn't include, such crypto, is just the notification
>> for the ASF product code."
>>
>> I think it is reasonable to say "the javax.crypto API" can replace "OpenSSL"
>> here? Can anyone please clarify what "just the notification for the ASF
>> product code" means?
>
>This just means that the ASF product is still considered to be crypto
>since it is specially designed to use other crypto. The point of this
>FAQ was to explain that you do not need to make any notification about
>the crypto that the product is designed to use if it is not actually
>included in the product; but you still need to make a notification for
>the ASF product, since it is also considered to be crypto according to
>the 5D002 definition.
>
>> To be honest, the code in question was committed more than six months ago
>> and there have been at least three releases. Keep in mind that we don't
>> actually release the software that performs the strong encryption;
>> application developers have to download this *themselves* from a group like
>> Bouncy Castle [2]. Such algorithms are not even distributed with a standard
>> JVM release.
>
>Well we haven't had a good understanding nor any docs on what is
>required until recently; so it's understandable that we may have
>projects today that are not in compliance. However, it's not very
>difficult now to fix this.
>
>I can work with you and/or other MyFaces committers to get this done,
>but for now, take a look at what James did (you can find their exports
>RDF file listed in the registry
>(http://www.apache.org/licenses/exports/export-registry.xml). I
>haven't yet written docs on the exports RDF format that we came up
>with, but you might be able to figure out most of it from just looking
>at the James example. The one difference from your project is that
>James actually includes the Bouncy Castle stuff in the product, which
>is why they have it listed. You would only need to list the ASF
>stuff.
>
>Cliff
>
>>
>> Thanks to anyone who can help me in this matter,
>>
>> Dennis Byrne
>>
>> [1] http://www.apache.org/dev/crypto.html
>> [2] http://www.bouncycastle.org/latest_releases.html
>
