US Export control rating (ECCN) for passay-1.3.1.jar

[rdss12345]

Sorry to add this as an issue but I couldn't see where else to raise it.

Ref: passay-1.3.1.jar

We are conducting export control checks on software that uses this library and have identified it as potentially containing cryptography.

As the download links for this library are hosted by github can the developers please confirm whether the required notification under the EAR related to open source encryption source code has been made to US Government or advise the grounds why the developers deem such notification isn’t required?

The requirement comes from US EAR legislation and github T&Cs relating to submissions.

"You may not use GitHub in violation of export control or sanctions laws of the United States or any other applicable jurisdiction. You may not use GitHub if you are or are working on behalf of a Specially Designated National (SDN) or a person subject to similar blocking or denied party prohibitions administered by a U.S. government agency. GitHub may allow persons in certain sanctioned countries or territories to access certain GitHub services pursuant to U.S. government authorizations. For more information, please see our Export Controls policy."

https://help.github.com/en/github/site-policy/github-terms-of-service https://help.github.com/en/github/site-policy/github-and-trade-controls

For background information and some FAQ’s please see http://www.apache.org/dev/crypto.html https://www.ecfr.gov/cgi-bin/text-idx?SID=00a8f54989eaf101a84eff3db59ac6e9&mc=true&node=se15.2.742_115&rgn=div88

Many thanks, Rowland

[dfish3r]

Passay does not implement any cryptography. It has transitive dependencies on the Bouncy Castle library. See that project for their ECCN.

[rdss12345]

Dear Daniel. Thank you very much for getting back to me so quickly. Best wishes, Rowland

From: Daniel Fisher [mailto:notifications@github.com] Sent: Wednesday, December 04, 2019 9:35 PM To: vt-middleware/passay Cc: SPENCER-SMITH, Rowland (External); Author Subject: Re: [vt-middleware/passay] US Export control rating (ECCN) for passay-1.3.1.jar (#107)

Passay does not implement any cryptography. It has transitive dependencies on the Bouncy Castlehttps://www.bouncycastle.org/ library. See that project for their ECCNhttp://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/vt-middleware/passay/issues/107?email_source=notifications&email_token=AN6ORUHEPWXYTV5AHUM7XMTQXAPBJA5CNFSM4JVJ3YA2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF6SJZA#issuecomment-561849572, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AN6ORUABMSMC5MOA7ZXOF6LQXAPBJANCNFSM4JVJ3YAQ. This email and its attachments may contain confidential and/or privileged information. If you have received them in error you must not use, copy or disclose their content to any person. Please notify the sender immediately and then delete this email from your system. This e-mail has been scanned for viruses, but it is the responsibility of the recipient to conduct their own security measures. Airbus Operations Limited is not liable for any loss or damage arising from the receipt or use of this e-mail.

Airbus Operations Limited, a company registered in England and Wales, registration number, 3468788. Registered office: Pegasus House, Aerospace Avenue, Filton, Bristol, BS34 7PA, UK.