Gervase Markham wrote:
> Currently, n.p.m.crypto.checkins still exists in the new hierarchy, as
> mozilla.dev.tech.crypto.checkins, because in the past I have been told
> that it is required by US Export Regulations to have some sort of record
> of crypto code development. However, the same information is available
> from, and much more accessible in, Bonsai (http://bonsai.mozilla.org).
> So, does anyone know the history behind the existence of the group, and
> whether we still need it given that we have Bonsai?

I'm not the person who originally set this scheme up, but I can perhaps
provide some background information as to the reasons behind it. The
ultimate requirement appears to come from section 740.13(e)(3) of the US
Export Administration Regulations:
http://www.access.gpo.gov/bis/ear/txt/740.txt
(grep for "Notification requirement"), which outlines notification
requirements for "publicly available" software that is exported from the
US in source code form under license exception TSU ("Technology Software
Unrestricted") as specified by section 740.13(e).

For convenience here is the relevant section:

[740.13(e)](3) Notification requirement. You must notify BIS and
the ENC Encryption Request Coordinator via e-mail of the Internet
location (e.g., URL or Internet address) of the source code
or provide each of them a copy of the source code at or before
the time you take action to make the software publicly available
as that term is described in [section] 734.3(b)(3) of the EAR.
If you elect to meet this requirement by providing copies of the
source code to BIS and the ENC Encryption Request Coordinator,
you must provide additional copies to each of them each time the
cryptographic functionality of the software is updated or modified.
If you elect to provide the Internet location of the source code,
you must notify BIS and the ENC Encryption Request Coordinator each
time the Internet location is changed, but you are not required to
notify them of updates or modifications made to the encryption
software at the previously notified location. In all instances,
submit the notification or copy to [EMAIL PROTECTED] and to
[EMAIL PROTECTED]

This section appears to provide two ways to meet the notification
requirements:

a) Send BIS and NSA a copy of the source code being exported, and then
send them a new copy of the source code each and every time the code is
updated; or

b) Send BIS and NSA the URL (or other location information) where the
source code can be obtained, and let them check for updates themselves
(with further notification being required only if the URL itself changes).

At first glance it would appear that we could satisfy the
requirement using method (b), namely providing information for where
the source code can be obtained, including a URL to Bonsai or some other
method to detect changes. However I'm not the person who originally
talked with BIS/NSA about Mozilla export issues, and there may be some
other issues unknown to me.

I therefore hesitate to recommend that we unilaterally change the way
that we handle crypto notification issues. My personal preference would
be to leave the existing mechanisms in place (i.e., using a newsgroup
and associated mailing list) unless there's some compelling reason not
to do so. (Note that if the newsgroup name or mailing list name changes
then IMO we do need to notify BIS/NSA of that.)

Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto