On Jun 7, 2006, at 3:02 PM, Colm MacCarthaigh wrote:

On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote:
Here's the page that I've put together right now:
http://apache.org/dev/crypto.html.  Unfortunately, it needs a little
more detail.

Thank you very much, that's already answered a few of my questions and
given me some good pointers.

The US export laws do not require us to offer a non-crypto version of
products we place on the web that do include export-controlled crypto.
The only thing we cannot do is knowingly export to a handful of
particular countries; however, placing an item on the web does not
qualify as knowingly exporting to any particular country.

That would be excellent.

We also cannot go to one of those countries and agitate for people
to download a copy of httpd and run their own web server, though
I imagine Brian, Dirk, and Sally are the only ones likely to travel
that far.  More to the point, I'd prefer not to have all the warnings
scrawled across the top of our downloads page.

However, if there are httpd users in countries that have *import*
restrictions that would like to use the non-ssl version of httpd, that
might be a reason to do what is being suggested here. But there is no
U.S. regulation that I am aware of that requires us to distribute a
non-SSL version....but maybe I'm not understanding the concern.

From the sound of things, we could put up ssl-capable downloads right
now with no liability for the ASF or anyone other than users in
countries with such restrictions, which is useful to know.

If and only if we FIRST notify BIS and SECOND place text similar to
what Adobe has on the download page, and that assumes we either
do not include openssl or we distribute the source code for that
as well.

So, I'm wondering how effective a liability shield it is for a US-based
corporation to export such content via non-US-based distributors. It
seems odd that this would work legally, but that SPI/Debian did it for
so long sparks my interest; maybe there is a path through.

I have no idea what the Debian story is, but that is not an option for
a number of reasons.  Here's the biggest reason: the same U.S.
government entity that controls our exports also controls reexport
from any other country of goods that were previously exported from the
U.S.

I've been reading http://www.debian.org/legal/cryptoinmain and it looks
like they shifted the liability to their developers personally, who
exported-by-proxy.

Yep.  However, Debian has no real problem because they do have a URL
to associate with the source code of whatever they distribute.  The
problem for us is because we don't distribute OpenSSL as it would be
built for mod_ssl *and* we wouldn't be controlled at all if it were
not for that single module.  That is why our dilemma is actually
worse than Mozilla (which requires SSL and binds it statically).

....Roy
