After reviewing OpenBSD's current policies on US contributions of cryptography, and current US law, I'd like a clarification. Current US law (c.f. the short guide http://www.bis.doc.gov/encryption/lechart1.htm) allows the unlicensed export/reexport of open source encryption source code. The only restriction prevents knowledgeably exporting to one of the restricted countries. BUT, there is this gem stuck in the section:
"Note to paragraph (e). Posting encryption source code and corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone neither establishes "knowledge" of a prohibited export or reexport for purposes of this paragraph, nor triggers any "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to part 732 of the EAR."

Is this not an acceptable restriction? Basically, this means that no primary CVS servers used by US crypto devs can be located in one of the restricted countries, nor can a US server "push" to such a country. As long as access is completely open, and the source code is "pulled", this section makes it quite clear that everything is peachy.

The only gotcha here is the notification requirement each time the encryption SW is updated. However, the requirement is just notification, not permission, and is submitted by email. It is not 100% clear, but a CVS commit email from the appropriate sections of the source tree would appear to satisfy this requirement. This would also only be required for contributions from US cryptographers.

This was the result of a short look into the US laws, and obviously this isn't something that will just change overnight. But, I think it would be useful to start up a conversation about changing OpenBSD policies to allow US contributions. I'd be willing to conduct further, comprehensive, and more conclusive research if I were to receive reassurances that the restrictions above (or similar) are acceptable.

Sources:
http://www.access.gpo.gov/bis/ear/txt/740.txt Section 740.13 (e)

P.S. Sorry if this isn't the right list. It's the most appropriate as far as I can tell.

--
Mark Reitblatt