This issue has been done to death. Basically, there's a notification requirement in the BXA rules. Nobody that can do it wants to, and nobody that wants to do it can.
On Fri, 9 Mar 2001, Craig Sanders wrote: >On Thu, Mar 08, 2001 at 01:25:03AM +0200, Sampo Niskanen wrote: >> >> On Wed, 7 Mar 2001, Gregor Hoffleit wrote: >> > AFAIR, the new legislation said that companies could apply at >> > the government for a permission to release specific versions of >> > strong-crypto software to a world-wide public. I guess Netscape >> > did this for their communicator and since the government gave the >> > permission, anybody is now allowed to export this specific pieces of >> > software, even though they contain strong crypto. >> > >> > [Then, it would be obvious that this reasoning doesn't necessarily >> > apply to Mozilla--someone had to ask for a permission first.] >> >> If this is true, how do they define a software product? One binary? A >> very similar product? The same name? > >it's not true, at least not for open source programs. > >as i understand the new (actually year old) US crypto rules, for open >source / public domain / free software programs, all you have to do >is notify the US government that you're exporting it and tell them >where/how. > >that's what kernel.org have done. i doubt if linus or transmeta or >anyone else involved would have take the risk if they didn't think it >was safe to do so. > >there is a notice on www.kernel.org about crypto s/w: > > Cryptographics Software > > Due to U.S. Exports Regulations, all cryptographic software on this > site is subject to the following legal notice: > > This site includes publicly available encryption source code which, > together with object code resulting from the compiling of publicly > available source code, may be exported from the United States under > License Exception "TSU" pursuant to 15 C.F.R. Section 740.13(e). > > This legal notice applies to cryptographic software only. Please see > the _Bureau of Export Administration_[1] for more information about > current U.S. regulations. > >[1] link to http://www.bxa.doc.gov/ > > >you can read the new crypto rules for yourself at: > >http://www.bxa.doc.gov/Encryption/pdfs/Crypto.pdf >and >http://www.bxa.doc.gov/Encryption/pdfs/EncryptionRuleOct2K.pdf > > >FYI, the relevant section (15 C.F.R. Section 740.13) of the new crypto >regulations says: > > (e) Unrestricted encryption source code. > > (1) Encryption source code controlled under 5D002, which would be > considered publicly available under § 734.3(b)(3) and which is not > subject to an express agreement for the payment of a licensing > fee or royalty for commercial production or sale of any product > developed with the source code, is released from ``EI'' controls > and may be exported or reexported without review under License > Exception TSU, provided you have submitted written notification > to BXA of the Internet location (e.g., URL or Internet address) > or a copy of the source code by the time of export. Submit the > notification to BXA and send a copy to ENC Encryption Request > Coordinator (see § 740.17(g)(5) for mailing addresses). Intellectual > property protection (e.g., copyright, patent or trademark) will not, > by itself, be construed as an express agreement for the payment of > a licensing fee or royalty for commercial production or sale of any > product developed using the source code. > > (2) You may not knowingly export or reexport source code or products > developed with this source code to Cuba, Iran, Iraq, Libya, North > Korea, Sudan or Syria. > > (3) Posting of the source code on the Internet (e.g., FTP or > World Wide Web site) where the source code may be downloaded by > anyone would not establish ``knowledge'' of a prohibited export > or reexport, including that described in paragraph (e)(2) of this > section. In addition, such posting would not trigger ``red flags'' > necessitating the affirmative duty to inquire under the ``Know Your > Customer'' guidance provided in Supplement No. 3 to part 732 of the > EAR. > >that's a pretty clear statement that it's OK to export open source >crypto just by notifying the US government in writing. > >an update in October 2000 clarified the matter even further, points out >that the exemption also covers binaries compiled from open source, and >even provides an email address to send the written notifications to: > > 4. § 740.13 (Technology and Software Unrestricted (TSU)) clarifies > the treatment of open source object code. Object code compiled from > source code eligible for License Exception TSU can also be exported > under the provisions of License Exception TSU if the requirements > of § 740.13 are met and no fee or payment is required for object > code (other than reasonable and customary fees for reproduction and > distribution). Object code for which there is a fee or payment can > be exported under the provisions of 740.17(b)(4)(i). The intent of > this section is to release publicly available software available > without charge (e.g. ``freeware'') from control. Also in § 740.13, > [EMAIL PROTECTED] address is added to prompt exporters to notify > BXA electronically. Exporters should note the intent of the phrase > ``released from EI controls'' in 740.13(e) means that 5D002 software > eligible for TSU is released from the mandatory access controls > procedures described in 734.2(b)(9)(ii). > > >IANAL, but that's clear as crystal to me. it even states that the intent >is "to release publicly available software from control". > > >craig > >-- >craig sanders <[EMAIL PROTECTED]> > > GnuPG Key: 1024D/CD5626F0 >Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57 52C3 EC32 6810 CD56 26F0 > > > -- The Internet must be a medium for it is neither Rare nor Well done! <a href="mailto:[EMAIL PROTECTED]">John Galt </a>
