Mark Reitblatt wrote:
(Sorry, forgot to reply-to-all)
On 5/19/07, Reiner Jung <[EMAIL PROTECTED]> wrote:
Hi,
the export regulations from the US government are very strict when
there is any crypto code developed in the US. "Developed in the US"
means developed by a developer when he stays in the US, when he works
for a US company (also abroad), when he has a green card, or when he is
a US citizen and writes the code, for example, in Europe.
They also don't apply once the code is released publicly. At that
point, both the code AND the object code are exempt. As pointed out in
the above sections.
This is not true from the point of view of the EAR or the US government.
This rule is true for countries like those of the European Union or
Canada, where publicly available code is at the moment free from export
restrictions.
The EAR divides between restricted countries and highly restricted
countries, and when there is any crypto code of US origin, you fall
under the export restrictions from the EAR. As an example you can use
OpenSSL, developed mostly outside of the US, but with a few patches
contributed by US developers. The US developers need to send a TSU
notification for every patch.
Right. Which places a one time burden upon the US contributors, NOT on
the project as a whole.
It will affect the core OpenBSD system at the latest when someone wants
to export OpenBSD. An export is, in general, when you deliver an
OpenBSD-based solution to a customer.
When you want to export OpenSSL to a country which is restricted from US
export, you need to go, also for Open Source Software, through all the
bureaucracy to export the OpenSSL package.
If you are exporting FROM the US, this might be the case. But that would
be so whether or not there were US contributions. As OpenBSD doesn't
export from the US, this is a non-starter.
Here we go: There is the rule of re-export, which is the case when you
export code originally developed in the US from another country.
You should also have a look at the Wassenaar export controls, as an
example. There are a lot of countries which are under the radar from the
EAR, not only the T5.
At the moment the OpenBSD core system is not controlled by the EAR so
long as you don't download it from a US server.
And that doesn't change w/ US contributions. Once the code has been
made publicly available, it is exempt from licensing and export
restrictions. It is NO LONGER UNDER US CONTROL. Just as if it had
originated outside of the US. This is the entire point of section
740.13 e, which I point out above.
This is not true. Otherwise companies wouldn't have such trouble to go
for a de minimis or to get the export permission to export software
(Open Source) which includes US crypto. Read the export restrictions
very carefully and you will see that US crypto can only be exported from
the US WITHOUT any restrictions to Canada.
As a private person it is not a problem, but when a company wants to use
OpenBSD and there is US crypto in it, the thing will become very
complicated and OpenBSD will be automatically restricted.
No, it will not. I see nothing in the regulations/laws that makes this
so. Once the code is public, it is unrestricted, so long as it is not
knowingly exported FROM the US to a restricted country. This is a
restriction which exists regardless of US contributions. This would
not affect the status quo wrt exportability or US jurisdiction.
At the moment OpenBSD is the only modern operating system which is, in
the core, free from export restrictions.
And this would not change that.
There seem to be some strong misconceptions about US export
restrictions/jurisdictions. I am OFFERING to do extensive research and
create a document that will explain in detail what exactly is
involved/the possible repercussions (if any) therein. I am NOT asking
for the policy to be changed here and now. All I ask is that I receive
reassurances that policy change wrt US contributions be considered
should reasonable restrictions apply. Namely, that OpenBSD not be
tainted/brought under US export restrictions by accepting such
contributions, that any extra burden be placed solely upon US
contributors, and the status quo for those not contributing code from
inside the US remain.
You don't need to research. I work for an international company as an IT
Architect and we have been studying the US export restrictions WITH
lawyers for more than one year.
I can tell you that publicly available code is not free from US export
restrictions. If you want, contact Red Hat or Novell and ask them how
compliant their operating system is when we speak about US export
controls for high crypto ;-)