> On 5/19/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > > After reviewing OpenBSD's current policies on US contributions of
> > > cryptography, and current US law, I'd like a clarification. Current US
> > > law (cf. the short guide
> > > http://www.bis.doc.gov/encryption/lechart1.htm) allows the unlicensed
> > > export/reexport of open source encryption source code. The only
> > > restriction prevents knowledgeably exporting to one of the restricted
> > > countries. BUT, there is this gem stuck in the section:
> > >
> > > "Note to paragraph (e).  Posting encryption
> > > source code and corresponding object code on the
> > > Internet (e.g., FTP or World Wide Web site)
> > > where it may be downloaded by anyone neither
> > > establishes "knowledge" of a prohibited export or
> > > reexport for purposes of this paragraph, nor
> > > triggers any "red flags" necessitating the
> > > affirmative duty to inquire under the "Know Your
> > > Customer" guidance provided in Supplement No.
> > > 3 to part 732 of the EAR."
> > >
> > > Is this not an acceptable restriction? Basically, this means that no
> > > primary CVS servers used by US crypto devs can be located in one of
> > > the restricted countries, nor can a US server "push" to such a
> > > country. As long as access is completely open, and the source code is
> > > "pulled", this section makes it quite clear that everything is peachy.
> > >
> > > The only gotcha here is the notification requirement each time the
> > > encryption SW is updated. However, the requirement is just
> > > notification, not permission, and is submitted by email. It is not
> > > 100% clear, but a CVS commit email from the appropriate sections of
> > > the source tree would appear to satisfy this requirement. This would
> > > also only be required for contributions from US cryptographers.
> > >
> > > This was the result of a short look into the US laws, and obviously
> > > this isn't something that will just change overnight.
> >
> > Can you quote a specific US law that says so?
> 
> There is no need. US Law defers the specific details to regulatory
> agencies. The ruling in Junger v. Daley conferred protected speech
> status upon source code. That means no restrictions for open source
> code in terms of exportation requirements. This policy is simply
> reflecting a constitutional requirement. No US law is needed.

Yeah, right.  Those of us looking from the outside do not have such
simplistic views of the US, sorry.

But our viewpoint is not purely about OpenBSD as open source.  We
make our code available for people to use in a commercial setting,
so we must meet a higher standard.

As the only completely operating system focused on staying outside the
realm of US crypto export POLICY, we don't intend to change our
approach.
