Questions to help me determine export classification of Boost libraries
Hello, list!

One of the contractors I'm working with has delivered code to us that pulls in a few boost libraries. In order to release this code to our customer, I need to determine the Export Control Classification Number (ECCN) of the boost libraries.

I see in the archives that someone has asked for the ECCN directly without success (http://lists.boost.org/boost-users/2008/01/33241.php) so I'm currently trying to use a questionnaire put together by some of the export experts within my company to figure this out. If there is an ECCN already listed somewhere, please point me to it, otherwise I'll continue.

I'm interested specifically in version 1.56.0 of the boost libraries. However, since I don't see any major additions or deletions in the 1.57.0 release notes, I assume the answers will apply to both versions.

Apparently the export classification is primarily based on two things:

1. Does the library have anything specifically designed for military use? I'm assuming the answer to this is "no". Please correct me if I'm wrong.
2. Does the library include any strong encryption? This includes symmetric or asymmetric encryption with certain key lengths, cryptanalytic functions, intrusion detection, quantum cryptography, "reduce information-bearing signals" (not sure what that is), and other cryptographic technology.

I looked through the list of libraries documented here: http://www.boost.org/doc/libs/?view=categorized

From the description of each library, I was mainly concerned with Boost.Algorithm, Boost.Asio, and Boost.Uuid.

From the documentation of Boost.Algorithm at http://www.boost.org/doc/libs/1_57_0/libs/algorithm/doc/html/index.html, it looks like there is no encryption technology in the library. Can someone confirm?

Boost.Asio contains some SSL interfaces, which undoubtedly contains encryption technology. However, according to http://www.boost.org/doc/libs/1_57_0/doc/html/boost_asio/overview/ssl.html these interfaces require OpenSSL to be used. Does this mean that the Boost.Asio library itself does not contain encryption, it only provides an interface to another library which does the encryption? I.e., is it a true statement, that Boost.Asio contains no encryption technology in either its source code or in the compiled binary, and that in order to use encryption I would need to link in a separate library?

Boost.Uuid contains some cryptographic hash features. However, I understand that a cryptographic hash cannot by itself provide any message encryption, so I do not believe this should qualify. Is there anything I'm missing here? Does Boost.Uuid contain other technology that might qualify?

Please also let me know if I missed any encryption in other Boost libraries, as I only looked at the library descriptions, and am not familiar with any of the library functionality.

-- Ben Fritz

Ben Fritz wrote
> Boost.Asio contains some SSL interfaces, which undoubtedly contains encryption technology. However, according to http://www.boost.org/doc/libs/1_57_0/doc/html/boost_asio/overview/ssl.html these interfaces require OpenSSL to be used. Does this mean that the Boost.Asio library itself does not contain encryption, it only provides an interface to another library which does the encryption? I.e., is it a true statement, that Boost.Asio contains no encryption technology in either its source code or in the compiled binary, and that in order to use encryption I would need to link in a separate library?

I wonder about this. The author of the ASIO is Christopher M. Kohlhoff who is Australian. I presume it was written there. So shipping ASIO would not be "exporting" it and thus not subject to such laws. Am I missing something here?

It gets even more interesting. ASIO has been proposed as an addition to the standard library. Would a conforming C++ implementation then require an export license? Or what?

Robert Ramey

On Fri, Dec 19, 2014 at 10:10 AM, Robert Ramey wrote:
> Ben Fritz wrote
>> Boost.Asio contains some SSL interfaces, which undoubtedly contains encryption technology. However, according to http://www.boost.org/doc/libs/1_57_0/doc/html/boost_asio/overview/ssl.html these interfaces require OpenSSL to be used. Does this mean that the Boost.Asio library itself does not contain encryption, it only provides an interface to another library which does the encryption? I.e., is it a true statement, that Boost.Asio contains no encryption technology in either its source code or in the compiled binary, and that in order to use encryption I would need to link in a separate library?
>
> I wonder about this. The author of the ASIO is Christopher M. Kohlhoff who is Australian. I presume it was written there. So shipping ASIO would not be "exporting" it and thus not subject to such laws. Am I missing something here?

Yes.. Read this short statement from OSF <http://www.opensslfoundation.com/export/README.blurb>. And remember that the Software Conservancy (the framework corporation for Boost) is in the US.

> It gets even more interesting. ASIO has been proposed as an addition to the standard library. Would a conforming C++ implementation then require an export license? Or what?

Depends.. On who writes it, who sells it, who uses it.

--
-- Rene Rivera
-- Grafik - Don't Assume Anything
-- Robot Dreams - http://robot-dreams.net
-- rrivera/acm.org (msn) - grafikrobot/aim,yahoo,skype,efnet,gmail

On Fri, Dec 19, 2014 at 10:26 AM, Rene Rivera wrote:
> On Fri, Dec 19, 2014 at 10:10 AM, Robert Ramey wrote:
>> The author of the ASIO is Christopher M. Kohlhoff who is Australian. I presume it was written there. So shipping ASIO would not be "exporting" it and thus not subject to such laws. Am I missing something here?
>
> Yes.. Read this short statement from OSF <http://www.opensslfoundation.com/export/README.blurb>. And remember that the Software Conservancy (the framework corporation for Boost) is in the US.

Right. If I compile/link any crypto functionality into software I release, then I'm "exporting" it. That's about the extent of my knowledge of this.

So, my question is: does Boost.ASIO actually contain encryption? Or does it rely on OpenSSL for all its encryption? If it does depend on OpenSSL, how can I determine whether any OpenSSL functionality has made it into the final *.a or *.lib or *.dylib file?

And, can someone confirm Boost.ASIO is the only library I need to worry about? My app does not actually use ASIO, so I do have the option of leaving Boost.ASIO out of the package I intend to submit internally to my company as a dependency, but I am trying to include as much of Boost as possible so that down the road another team can use Boost without going through all this trouble again.

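The question above, whether OpenSSL code ended up inside a built *.a or *.dylib, can be approached by listing the artifact's symbols. The following is an added example, not part of the original thread and not Boost or OpenSSL project code: a POSIX shell filter over default-format `nm` output that separates OpenSSL-named symbols the artifact defines from ones it only references. The prefix list, member names and sample listings are constructed assumptions, and the output describes symbol tables only, not export classification.

```shell
#!/bin/sh
# Added example: split OpenSSL-named symbols in default-format `nm` output into
# those the artifact defines and those it only references (left for the linker).
# The prefix list is an assumption covering common OpenSSL API families.

# stdin: nm output; stdout: "<defined|undefined> <member> <symbol>" per match.
classify_openssl_symbols() {
  awk '
    # For archives, nm prints "member.o:" on its own line before each member.
    /^[^ ]+:$/ { member = substr($0, 1, length($0) - 1); next }
    NF >= 2 {
      type = $(NF - 1); name = $NF
      sub(/^_/, "", name)   # Mach-O prefixes C symbols with an underscore
      if (name !~ /^(SSL|EVP|AES|RSA|BIO|X509|ERR)_/) next
      # Undefined entries carry no address, so they have only two fields.
      state = (NF == 2 || type == "U") ? "undefined" : "defined"
      print state, (member == "" ? "-" : member), name
    }'
}

# usage: count_state defined|undefined   (nm output on stdin)
count_state() {
  classify_openssl_symbols | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed listing: an object that only calls into OpenSSL.
SAMPLE_WRAPPER='
tls_wrapper.o:
                 U SSL_CTX_new
                 U SSL_read
0000000000000000 T wrapper_connect'

# Constructed listing: an archive with OpenSSL objects merged in.
SAMPLE_BUNDLED='
tls_wrapper.o:
                 U SSL_read
0000000000000040 T wrapper_connect

ssl_lib.o:
0000000000000000 T SSL_read
0000000000000120 T EVP_EncryptInit_ex'

printf '%s\n' "$SAMPLE_WRAPPER" | classify_openssl_symbols
printf '%s\n' "$SAMPLE_BUNDLED" | classify_openssl_symbols
```

On a real build, pipe `nm -g` output for the library file into `classify_openssl_symbols`; any line reported as `defined` names the archive member that carries the implementation.
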
On Fri, Dec 19, 2014 at 3:19 PM, Ben Fritz <benjamin.fritz@rockwellcollins.com> wrote:
> On Fri, Dec 19, 2014 at 10:26 AM, Rene Rivera wrote:
>> On Fri, Dec 19, 2014 at 10:10 AM, Robert Ramey wrote:
>>> The author of the ASIO is Christopher M. Kohlhoff who is Australian. I presume it was written there. So shipping ASIO would not be "exporting" it and thus not subject to such laws. Am I missing something here?
>>
>> Yes.. Read this short statement from OSF <http://www.opensslfoundation.com/export/README.blurb>. And remember that the Software Conservancy (the framework corporation for Boost) is in the US.
>
> Right. If I compile/link any crypto functionality into software I release, then I'm "exporting" it. That's about the extent of my knowledge of this.

As the last paragraph of that blurb suggests.. You should extend your knowledge with the help of a suitably experienced lawyer.

> So, my question is: does Boost.ASIO actually contain encryption? Or does it rely on OpenSSL for all its encryption? If it does depend on OpenSSL, how can I determine whether any OpenSSL functionality has made it into the final *.a or *.lib or *.dylib file?
>
> And, can someone confirm Boost.ASIO is the only library I need to worry about?

Being seriously blunt here.. I would recommend that no one ostensibly representing Boost "confirm" anything. As it would put them, Boost, and the SFC in potential legal liability. Sorry if this is the legal world we live in.

--
-- Rene Rivera
-- Grafik - Don't Assume Anything
-- Robot Dreams - http://robot-dreams.net
-- rrivera/acm.org (msn) - grafikrobot/aim,yahoo,skype,efnet,gmail

On Fri, Dec 19, 2014 at 3:30 PM, Rene Rivera wrote:
>> Right. If I compile/link any crypto functionality into software I release, then I'm "exporting" it. That's about the extent of my knowledge of this.
>
> As the last paragraph of that blurb suggests.. You should extend your knowledge with the help of a suitably experienced lawyer.

Yes, that is why some experts within the company I work for have created a questionnaire to help determine the final classification. I am currently trying to fill out that questionnaire, but since I have no technical knowledge of the Boost libraries' codebases, I am posting on this list to get the knowledge I need about the libraries themselves. Knowing *what* knowledge I need has already been solved by somebody else.

>> So, my question is: does Boost.ASIO actually contain encryption? Or does it rely on OpenSSL for all its encryption? If it does depend on OpenSSL, how can I determine whether any OpenSSL functionality has made it into the final *.a or *.lib or *.dylib file?
>>
>> And, can someone confirm Boost.ASIO is the only library I need to worry about?
>
> Being seriously blunt here.. I would recommend that no one ostensibly representing Boost "confirm" anything. As it would put them, Boost, and the SFC in potential legal liability. Sorry if this is the legal world we live in.

I understand the concern. Before I came to the list I was given guidance that since the "vendor" of the libraries has not provided the ECCN that our company will need to come up with the ECCN on our own based on technical knowledge about the library. Unfortunately, I am not a developer of boost, only a user (and only indirectly at that) and therefore do not have that knowledge myself.

I do not think it is unreasonable to answer the question, "does this library contain encryption software?"

I understand my original question may be overly broad as asked. Let me try to be more specific.

1. Does Boost.ASIO contain any encryption software itself, or does it rely on OpenSSL for all of its encryption?
2. Does Boost.UUID contain any code to actually encrypt message content, or only the code to calculate a hash/digest?

I had hoped, since I am not familiar with the code, that someone could say "yeah, none of the other libraries contain encryption technology". But I can see why that would be hard for any one person to answer. Would I be better off asking about every library individually?

-- Ben Fritz

On Friday 19 December 2014 16:14:43 Ben Fritz wrote:
> I understand the concern. Before I came to the list I was given guidance that since the "vendor" of the libraries has not provided the ECCN that our company will need to come up with the ECCN on our own based on technical knowledge about the library. Unfortunately, I am not a developer of boost, only a user (and only indirectly at that) and therefore do not have that knowledge myself.
>
> I do not think it is unreasonable to answer the question, "does this library contain encryption software?"

Well, as simple as that question may sound at first, it may not be an easy one to answer. You're asking if some part of Boost contains what is qualified as "encryption software" by US law, while many of us are not US residents and I would guess none of us is a lawyer either. Add to that the fact that there are pieces of Boost that are effectively unmaintained, and no one can really vouch for that code. BTW, my impression is that Boost.ASIO is currently one of such mostly unmaintained parts.

If you want a definitive answer that your company will take legal responsibility for, your best bet would be to perform an internal code review with lawyer consultancy. IMHO, of course.

On Fri, Dec 19, 2014 at 04:14:43PM -0600, Ben Fritz wrote:
> On Fri, Dec 19, 2014 at 3:30 PM, Rene Rivera wrote:
>>> Right. If I compile/link any crypto functionality into software I release, then I'm "exporting" it. That's about the extent of my knowledge of this.
>>
>> As the last paragraph of that blurb suggests.. You should extend your knowledge with the help of a suitably experienced lawyer.
>
> Yes, that is why some experts within the company I work for have created a questionnaire to help determine the final classification. I am currently trying to fill out that questionnaire, but since I have no technical knowledge of the Boost libraries' codebases, I am posting on this list to get the knowledge I need about the libraries themselves. Knowing *what* knowledge I need has already been solved by somebody else.

Hi Ben,

I have knowledge of the process to acquire a software export license. And whoever signs the paperwork must know with 100% certainty that all information provided is 100% correct, else the company and individual can be prosecuted. There is no provision for someone to say, "I thought it was OK."

My advice is to only include the boost libraries that are necessary for the release to limit your liability. And then you need to find a lawyer and consultant who can help you understand what you need to do to certify that software for US export.

Asking questions here is not going to satisfy your requirements. Anyone here can say whatever they believe, but it will not carry any weight on those export license forms that your company must complete, sign, and submit to the government in order to legally export the software.

Karen

--
Karen Shaeffer
Neuralscape Services
Be aware: If you see an obstacle in your path, that obstacle is your path. Zen proverb

On December 19, 2014 5:14:43 PM EST, Ben Fritz wrote:
> I do not think it is unreasonable to answer the question, "does this library contain encryption software?"
>
> I understand my original question may be overly broad as asked. Let me try to be more specific.
>
> 1. Does Boost.ASIO contain any encryption software itself, or does it rely on OpenSSL for all of its encryption?
> 2. Does Boost.UUID contain any code to actually encrypt message content, or only the code to calculate a hash/digest?
>
> I had hoped, since I am not familiar with the code, that someone could say "yeah, none of the other libraries contain encryption technology". But I can see why that would be hard for any one person to answer. Would I be better off asking about every library individually?

You will need to ask about each library individually to get the attention you need in each case. The [library] notation in the subject line mentioned at http://www.boost.org/community/policy.html often is used to filter mail from this list.

However, as others have pointed out, there's a problem with understanding what is and isn't encryption, as applicable to the export laws, so any answer you get could be wrong. Thus Karen's advice to hire a consultant to work with a lawyer in order to find any problematic code in Boost seems the only viable option.

___
Rob

(Sent from my portable computation engine)

participants (6)
- Andrey Semashev
- Ben Fritz
- Karen Shaeffer
- Rene Rivera
- Rob Stewart
- Robert Ramey