Date: Tue, 26 Aug 1997 12:29:28 -0700
Message-Id: <199708261929.MAA01129@games.eng.sun.com>
From: Li Gong <gong@games.eng.sun.com>
To: "J. Kelly Johnson" <kellyj@ricochet.net>
Subject: Re: Bundling parts of JCE for export.
In-Reply-To: J. Kelly Johnson's mail of Mon, 25 August, 1997

J. Kelly Johnson writes:
> Does this imply that one could "bundle" some JCE classes in an
> exported java application which uses those classes (only using short
> keys - and possibly with modified JCE classes to prevent longer keys)
> w/o violating the rules as long as the application does not "expose" the
> JCE APIs to the end user? Or is it the nature of java applications
> that the APIs associated with all classes contained therein are
> considered "exposed", and only compiled traditional language
> programs (like Netscape) using compiled encryption libraries (SSL) can
> do this? If so, this seems to relegate Java applications to an inferior
> position as compared with traditional compiled applications.

Whether something you ship that bundles JCE can be exported is
entirely up to NSA and how satisfied they are that the product cannot
be easily converted to use strong crypto. No amount of guidelines from
us would really determine this for you, so I would suggest that you
talk to an IBM export specialist to discuss your particular bundling.

If by bundling you mean "simply shipping JCE together in the same
package", then it is unlikely that your product is exportable. This
has nothing (or not much) to do with whether Java is compiled or not.
It has a lot to do with how tightly integrated the crypto lib is.

Li