On 5/19/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> After reviewing OpenBSD's current policies on US contributions of
> cryptography, and current US law, I'd like a clarification. Current US
> law (cf. the short guide
> http://www.bis.doc.gov/encryption/lechart1.htm) allows the unlicensed
> export/reexport of open source encryption source code. The only
> restriction prevents knowledgeably exporting to one of the restricted
> countries. BUT, there is this gem stuck in the section:
>
> "Note to paragraph (e).  Posting encryption
> source code and corresponding object code on the
> Internet (e.g., FTP or World Wide Web site)
> where it may be downloaded by anyone neither
> establishes "knowledge" of a prohibited export or
> reexport for purposes of this paragraph, nor
> triggers any "red flags" necessitating the
> affirmative duty to inquire under the "Know Your
> Customer" guidance provided in Supplement No.
> 3 to part 732 of the EAR."
>
> Is this not an acceptable restriction? Basically, this means that no
> primary CVS servers used by US crypto devs can be located in one of
> the restricted countries, nor can a US server "push" to such a
> country. As long as access is completely open, and the source code is
> "pulled", this section makes it quite clear that everything is peachy.
>
> The only gotcha here is the notification requirement each time the
> encryption SW is updated. However, the requirement is just
> notification, not permission, and is submitted by email. It is not
> 100% clear, but a CVS commit email from the appropriate sections of
> the source tree would appear to satisfy this requirement. This would
> also only be required for contributions from US cryptographers.
>
> This was the result of a short look into the US laws, and obviously
> this isn't something that will just change overnight.

Can you quote a specific US law that says so?

There is no need. US Law defers the specific details to regulatory
agencies. The ruling in Junger v. Daley conferred protected speech
status upon source code. That means no restrictions for open source
code in terms of exportation requirements. This policy is simply
reflecting a constitutional requirement. No US law is needed.


> But, I think it
> would be useful to start up a conversation about changing OpenBSD
> policies to allow US contributions. I'd be willing to conduct further,
> comprehensive, and more conclusive research if I were to receive
> reassurances that the restrictions above (or similar) are acceptable.
>
> Sources:
> http://www.access.gpo.gov/bis/ear/txt/740.txt
> Section 740.13 (e)
>
> P.S.
> Sorry if this isn't the right list. It's the most appropriate as far
> as I can tell.

Please note something very worrying about the above.

It is not law.

It is simply policy.  They could change it at any minute.  As they
have done numerous times in the past.

Policy established after a federal court ruling. No policy change
restricting the export of open source code could be made, as that
would constitute an unconstitutional restriction of free speech.


You may wish to tie yourself to policy, but we don't.  Especially since
it is not particularly future-proof.

You see policy here, but that policy is restricted by court rulings.
Which say that open source code is free speech. I'd say a 6th circuit
court of appeals ruling that's stood for almost a decade is pretty
damn future-proof. Much more so than federal law.


So I see absolutely no need to change OpenBSD's policies.


Please reconsider in light of my above points.

--
Mark Reitblatt
