>       That's true. But consider the steps RSA went through in order
> to get a BXA statement that BSAFE SSL-C was not covered by US export
> restrictions. They had to prove to the US government that all bits in
> their product were of non-US origin. All questionable bits either had
> to be justified or rewritten. The less questionable material there is
> in OpenSSL, the more easily it can be used by more parties.
>       I'm not a lawyer, I can't claim to know what should and
> shouldn't be contributed with accuracy that is defensible in court. I
> can only speak from experience talking with export counsel. I think
> that we should at least wait until a lawyer gives the group guidelines
> before it adds any contributions from US persons.

There is a huge difference between RSA and the rest of the world.
RSA is a company founded in the United States which originated
technology in the United States which wanted to export its United
States developed product.  RSA had to prove non-U.S. origin to the
United States government because it wanted to sell a product outside
the U.S. that was functionally identical to the U.S. domestic
product.  If RSA simply wanted to buy a non-U.S. company that made
encryption products it would not have had to go through all of that
trouble.  

You can't compare SSLeay (an open source Internet developed product
meant for free distribution based outside the U.S.) to a proprietary
commercial United States based product.  Unless of course it is your
intention as "Emperor" of C2Net to take OpenSSL and all of the work
that volunteers from around the world put into it, and use it as the basis
for a commercial crypto product that you wish to market on its own
from within the United States.

I know that when I decide it is time for me to ship a product that
uses OpenSSL for crypto that I will be able to ship it within the
United States without a question and that when it comes time to export
my product it will not be any more difficult to export the product
with OpenSSL as the crypto engine vs. a crypto engine I developed in
house.  Where it would become a problem is if I wanted to set up a
distribution agreement that would allow a third party to modify my
export version to gain access to strong crypto by use of the OpenSSL
libraries.  That would never be allowed no matter who developed
OpenSSL. 

But since you are not located within the United States this should be
of no concern to you.  Nor should you or anyone else try to protect me
from the United States government.  That is not your place.  The laws
in the United States are very murky and open to interpretation because
of their origin in the cold war.  I will make my own judgments as to
what violates the law.  The court case you referred to in a previous
message is most likely the case regarding the ability to teach crypto
algorithm development at a University to classes that include
non-U.S. citizens.  That is a far cry from my posting of diffs to
OpenSSL which include no crypto code and which teach absolutely
nothing that is not available in a C library man page.

You can be sure that while I would love to submit code that supports
an additional 3DES mode (CBCM - "Triple DES Cipher Block Chaining with
Output Feedback Masking") developed by IBM and described at

   ftp://service2.boulder.ibm.com/software/icserver/doc/desps.ps

I won't do it.




    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
                 The Kermit Project * Columbia University
              612 West 115th St #716 * New York, NY * 10025
  http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
