[EMAIL PROTECTED] wrote:
> 
> >As I keep saying, this is not my concern, it is the potential
> >restriction on _future_ use of OpenSSL by U.S. citizens that concerns
> >me.
> 
> Could you please explain this?  Are you saying that new rules might say
> "and if it had any US source it's doubly-illegal?"  I just don't
> understand at all how currently-legal actions might affect future rules.

This stuff makes my head hurt, I have to admit. The concern is that
incorporating exported code makes the whole of OpenSSL subject to EAR
(which it currently isn't). Currently this means nothing interesting,
but it isn't clear what it may mean in the future.

You may be right that it means nothing from the POV of the US, because
of constitutional protection against such things, but that's not what my
advice says. Also, not everyone has constitutional protection against
these things. For example, imagine that the UK government agreed with
the US government to ban the export of EAR controlled s/w - where would
we be then? Screwed, is where.

> >Please support that claim (saying that the constitution prevents past
> >acts from being made illegal does not support it).
> 
> Mr. Altman quoted the section.  Or were you looking for something more?

If you snip the claim, I can't answer the question. I've forgotten what
that was a response to. Anyway, IANAL, I am merely trying to follow
advice from someone who is. Don't expect me to defend that advice in
detail.

> >We _have_ listened to Cindy Cohn. She supports my views. I am in the
> >process of getting even more comprehensive advice from her for the ASF.
> >Regrettably, it still looks like we have a problem.
> 
> I find it hard to believe that Ms. Cohn really concurs with what you
> wrote above.  I must not be understanding it at all.  Could you
> please explain a bit more?  Thanks.

Here is the relevant section of the letter Cindy wrote us:

"The main question you have asked me is whether OpenSSL would be
“tainted” --that is subject to regulation by the United States – if you
allow submissions from U.S. contributors.  Although nothing is
certain--the United States Government could change their regulations or
their interpretations of them in almost any way, and although the
situation is more complicated than this, the short answer to that
question is:

         a.      The absolute safest path would be to continue refuse to
include US code, but

         b.      It is quite unlikely that OpenSSL would be "tainted" for
purposes of future regulation if the code from U.S. programmers that is
included is exported under the TSU exception.  That is, if the US
programmers make their contributions publicly available at the time of
export and send a copy of the URL where the code resides to the
government at the time of "export" (i.e. at the time of publication of
the web page and shipping of it to the OpenSSL project).  Again, this
requires that the developer (and OpenSSL) will not reserve the right to
be paid licensing fees or royalties if the code is compiled and sold by
others and compliance with the other provisions of the TSU license.
Also, the developer could not "knowingly" send the program to anyone in
the restricted T-7 countries and the denied persons list."

As you can see, she thinks it is "quite unlikely" that there would be a
problem, but "the absolute safest path would be to continue refuse to
include US code". Call me paranoid, but when dealing with spooks, "quite
unlikely" isn't good enough for me.

> >Like I say, I'd be happy to hear what Intel have to say, I'm just not
> >entirely clear what the value of that opinion would be if it radically
> >disagrees with other advice, but let's hear it before we go off
> >half-cocked.
> 
> Good.  Keep in mind that Intel is doing this within the context of a
> worldwide opensource release of their CDSA crypto toolkit.  They
> definitely checked things out, have a great license (esp in regards to
> the crypto export issue :), and some hardcore export resources.
> They'll be in touch, or speaking up here, soon.

I'm as keen as you to resolve this problem! Believe me.

I would have _no_ problem with the CDSA toolkit being subject to EAR,
since it already is! So, even if Intel arrive at the same conclusions,
this should in no way prevent the worldwide release, and would not
prevent me, at least, from working on it. My only concern is that
OpenSSL has remained free from export control so far, and I want to keep
it that way.

Note that I do not speak for the other members of the OpenSSL team in
this matter, though my feeling is that they are broadly in agreement.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
