On 12/09/2013 07:35 AM, Trebilcock, Richard wrote:
> On the CGI IT UK Limited project I am currently working on, we are
> looking to export OpenSSL as part of the overall software deliverable.
> As part of this process, we need to know whether OpenSSL is of United
> States origin, and if so what the ECCN number is, and does an ENC
> licence also apply?
>
> I would be most grateful if you could provide me with this information.
> However, failing this, if you could direct me to where I might find the
> information I require this would also be very helpful.

OpenSSL is not of U.S. origin, as in it was developed and is maintained
outside of the U.S. by non-U.S. persons. I'm the only U.S. citizen or
resident with any direct involvement in OpenSSL and I'm not part of the
OpenSSL team proper (no commit privileges).

However, be careful as U.S. export controls are tricky. If I download
crypto from outside the U.S. and then immediately forward it to a
non-U.S. destination then I may have committed an export control
violation. So where the crypto came from initially isn't relevant, it's
whether it leaves the U.S.

Yes, that doesn't make any sense. But that's why you need to be very
careful. You really need to consult with competent legal counsel
specializing in export law.

That said you may find Appendix F of the OpenSSL FIPS module User Guide
of use:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

Keep in mind that the FIPS module is *not* the same as OpenSSL and that
I'm not qualified to give legal advice.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
[email protected]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
