Subject: Re: [boost] Questions to help me determine export classification of Boost libraries
From: Ben Fritz (benjamin.fritz_at_[hidden])
Date: 2014-12-19 17:14:43
On Fri, Dec 19, 2014 at 3:30 PM, Rene Rivera <grafikrobot_at_[hidden]> wrote:
> > Right. If I compile/link any crypto functionality into software I
> > then I'm "exporting" it. That's about the extent of my knowledge of
> As the last paragraph of that blurb suggests.. You should extend your
> knowledge with the help of a suitably experienced lawyer.
Yes, that is why some experts within the company I work for have created a
questionnaire to help determine the final classification. I am currently
trying to fill out that questionnaire, but since I have no technical
knowledge of the Boost libraries' codebases, I am posting on this list to
get the knowledge I need about the libraries themselves. Knowing *what*
knowledge I need has already been solved by somebody else.
> So, my question is: does Boost.ASIO actually contain encryption? Or does
> > rely on OpenSSL for all its encryption? If it does depend on OpenSSL,
> > can I determine whether any OpenSSL functionality has made it into the
> > final *.a or *.lib or *.dylib file?
> > And, can someone confirm Boost.ASIO is the only library I need to worry
> > about?
> Being seriously blunt here.. I would recommend that no one ostensibly
> representing Boost "confirm" anything. As it would put them, Boost, and
> SFC in potential legal liability. Sorry if this is the legal world we live
I understand the concern. Before I came to the list I was given guidance
that since the "vendor" of the libraries has not provided the ECCN that our
company will need to come up with the ECCN on our own based on technical
knowledge about the library. Unfortunately, I am not a developer of boost,
only a user (and only indirectly at that) and therefore do not have that
I do not think it is unreasonable to answer the question, "does this
library contain encryption software?"
I understand my original question may be overly broad as asked. Let me try
to be more specific.
1. Does Boost.ASIO contain any encryption software itself, or does it rely
on OpenSSL for all of its encryption?
2. Does Boost.UUID contain any code to actually encrypt message content, or
only the code to calculate a hash/digest?
I had hoped, since I am not familiar with the code, that someone could say
"yeah, none of the other libraries contain encryption technology". But I
can see why that would be hard for any one person to answer. Would I be
better off asking about every library individually?
-- Ben Fritz