poi-dev mailing list archives

From Nick Burch <nick.bu...@alfresco.com>
Subject RE: Legal concerns/questions with exporting/importing Apache Poi 3.5
Date Sun, 14 Mar 2010 18:04:00 GMT
On Tue, 2 Mar 2010, Robert Hafner wrote:
> Reposting the following questions since I have not seen a follow up 
> response yet.

As you probably guessed from the deafening silence, you appear to know 
more about US crypto rules than all of us put together... I think as a 
general rule we all only know what's listed at 
http://www.apache.org/dev/crypto.html !

SVN informs me that the export notice for POI went in on 2009-08-06. This 
was in response to the contribution from Maxim in bug #47652 - 
https://issues.apache.org/bugzilla/show_bug.cgi?id=47652

I think the notice would also be needed for the digital signature support 
(see <http://mail-archives.apache.org/mod_mbox/poi-dev/200910.mbox/%3ca644352c0910131330l6709d896hb0933b2759d16a9d@mail.gmail.com%3e>)
if it were to be re-committed.


> * Does this encrypt the password (or other file protection data) only or 
> does it also encrypt the contents of the workbook?

The two main commits around this are:
http://svn.apache.org/viewvc?view=revision&revision=801890
http://svn.apache.org/viewvc?view=revision&revision=804381

I think all of the contents are encrypted, as the main work is on 
inserting a decryption layer between the record creation and the 
underlying stream

> * What is the strength (or key length) of the algorithm as implemented . 
> . . usually between 40 and 128 bits?

I think from looking at the code it's 40 bytes, BICBW

> * Has this use been reviewed by BIS?  If so, is there a CCATS#

I'm not sure who BIS are, or what a CCATS number is when it's at home... 
So it's unlikely but certainly not impossible! We followed all the rules 
laid down in http://www.apache.org/dev/crypto.html but didn't do anything 
more.

If there's some magic form we should fill in and send off to the US 
government to make the lives of our users easier, and someone can tell us 
what to put in said form, we'll happily do so! However I think at the 
moment our knowledge of US crypto policy is pretty much "follow these 
incantations and everything is ok, neglect to follow them and the ASF gets 
into trouble, so just follow them" and that's it...

Nick
