> After reviewing OpenBSD's current policies on US contributions of
> cryptography, and current US law, I'd like a clarification. Current US
> law (cf. the short guide
> http://www.bis.doc.gov/encryption/lechart1.htm) allows the unlicensed
> export/reexport of open source encryption source code. The only
> restriction prevents knowledgeably exporting to one of the restricted
> countries. BUT, there is this gem stuck in the section:
> 
> "Note to paragraph (e).  Posting encryption
> source code and corresponding object code on the
> Internet (e.g., FTP or World Wide Web site)
> where it may be downloaded by anyone neither
> establishes "knowledge" of a prohibited export or
> reexport for purposes of this paragraph, nor
> triggers any "red flags" necessitating the
> affirmative duty to inquire under the "Know Your
> Customer" guidance provided in Supplement No.
> 3 to part 732 of the EAR."
> 
> Is this not an acceptable restriction? Basically, this means that no
> primary CVS servers used by US crypto devs can be located in one of
> the restricted countries, nor can a US server "push" to such a
> country. As long as access is completely open, and the source code is
> "pulled", this section makes it quite clear that everything is peachy.
> 
> The only gotcha here is the notification requirement each time the
> encryption SW is updated. However, the requirement is just
> notification, not permission, and is submitted by email. It is not
> 100% clear, but a CVS commit email from the appropriate sections of
> the source tree would appear to satisfy this requirement. This would
> also only be required for contributions from US cryptographers.
> 
> This was the result of a short look into the US laws, and obviously
> this isn't something that will just change overnight.

Can you quote a specific US law that says so?

> But, I think it
> would be useful to start up a conversation about changing OpenBSD
> policies to allow US contributions. I'd be willing to conduct further,
> comprehensive, and more conclusive research if I were to receive
> reassurances that the restrictions above (or similar) are acceptable.
> 
> Sources:
> http://www.access.gpo.gov/bis/ear/txt/740.txt
> Section 740.13 (e)
> 
> P.S.
> Sorry if this isn't the right list. It's the most appropriate as far
> as I can tell.

Please note something very worrying about the above.

It is not law.

It is simply policy.  They could change it at any minute.  As they
have done numerous times in the past.

You may wish to tie yourself to policy, but we don't.  Especially since
it is not particularly future-proof.

So I see absolutely no need to change OpenBSD's policies.
