You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by Berin Lautenbach <be...@ozemail.com.au> on 2003/06/25 12:26:39 UTC
Encryption code in Apache projects
Peoples,
In the XML-Security project we have done some work on implementing the
XML Digital Signature standards and want to start looking at the XML
Encryption standards.
We want to make sure we are not getting Apache in legal trouble by
implementing a library that implements an encryption wrapper. We
actually think we are fine, given the "recent" changes in legislation on
this front, added to which we don't actually implement any encryption
code directly, we call on encryption providers (anything JCE compliant
for Java or OpenSSL/Windows Crypto API for C++) to do the work. Really
we are just providing a formatting wrapper for encryption code that is
implemented elsewhere.
Any thoughts gratefully received.
Cheers,
Berin
Re: Encryption code in Apache projects
Posted by Ben Laurie <be...@algroup.co.uk>.
Berin Lautenbach wrote:
> Ben Laurie wrote:
>
>> The second issue is the question of what is exempt. We know for a fact
>> that free _source_ code is, regardless of whether it implements or uses
>> crypto, so long as the BXA has been notified, and the Dreaded Seven are
>> excluded (a written notice excluding them is sufficient). We also know
>> that _binary_, even if derived from free source, is _not_ exempt. What
>> we do not know (or at least, I don't) is whether binary that just uses
>> crypto, as opposed to implementing it, is exempt. If you know this is
>> the case, please point to the relevant paragraph(s) in the regulations.
>
>
> http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html
>
> would seem to indicate that freely available object code, if derived
> from freely available source, is OK. *However* I would very clearly
> state that I have not seen anything in regulations that would confirm this.
Grrr. What is so hard about reading the damn docs? It references
734.3(b)(3) in paragraph 1, which I've already quoted.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: Encryption code in Apache projects
Posted by Berin Lautenbach <be...@ozemail.com.au>.
Ben Laurie wrote:
> The second issue is the question of what is exempt. We know for a fact
> that free _source_ code is, regardless of whether it implements or uses
> crypto, so long as the BXA has been notified, and the Dreaded Seven are
> excluded (a written notice excluding them is sufficient). We also know
> that _binary_, even if derived from free source, is _not_ exempt. What
> we do not know (or at least, I don't) is whether binary that just uses
> crypto, as opposed to implementing it, is exempt. If you know this is
> the case, please point to the relevant paragraph(s) in the regulations.
http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html
would seem to indicate that freely available object code, if derived
from freely available source, is OK. *However* I would very clearly
state that I have not seen anything in regulations that would confirm this.
So....
My own feeling is that we take the safe path on this. The above site
indicates exactly what must be in the e-mail to BIS.
So I would say we send the e-mail, and we only make source code
available, unless someone can point to something in the regulations that
says binary is OK.
Thoughts? Who would send this e-mail (am happy to draft)? How do we
validate this from a legal perspective?
Cheers,
Berin
Re: Encryption code in Apache projects
Posted by Ben Laurie <be...@algroup.co.uk>.
Berin Loritsch wrote:
> Berin Lautenbach wrote:
>
>> Peoples,
>>
>> In the XML-Security project we have done some work on implementing the
>> XML Digital Signature standards and want to start looking at the XML
>> Encryption standards.
>>
>> We want to make sure we are not getting Apache in legal trouble by
>> implementing a library that implements an encryption wrapper. We
>> actually think we are fine, given the "recent" changes in legislation
>> on this front, added to which we don't actually implement any
>> encryption code directly, we call on encryption providers (anything
>> JCE compliant for Java or OpenSSL/Windows Crypto API for C++) to do
>> the work. Really we are just providing a formatting wrapper for
>> encryption code that is implemented elsewhere.
>>
>> Any thoughts gratefully received.
>>
>> Cheers,
>> Berin
>
>
> (I still have to get used to seeing that...)
>
> As long as the responsibility of selecting the proper algorithm is
> delegated and implemented, then there is nothing we have to do
> beyond informing the users to download the library they need and
> remind them to respect export laws.
>
> Of course, IANAL--though I play one on TV ;P
There are two issues here. The first is that the ASF is incorporated in
the US and its servers are located there. It must, therefore, obey the
US export laws. What you say above seems to suggest you think that is
not a requirement. It is.
The second issue is the question of what is exempt. We know for a fact
that free _source_ code is, regardless of whether it implements or uses
crypto, so long as the BXA has been notified, and the Dreaded Seven are
excluded (a written notice excluding them is sufficient). We also know
that _binary_, even if derived from free source, is _not_ exempt. What
we do not know (or at least, I don't) is whether binary that just uses
crypto, as opposed to implementing it, is exempt. If you know this is
the case, please point to the relevant paragraph(s) in the regulations.
If you don't, then don't say it.
BTW, I don't believe the user need respect export laws at all, since
they are not exporting, they are importing. It is the provider of the
software that has to worry about the export laws.
Sorry if this sounds a bit harsh, but remember, its the board that are
ultimately responsible for what the ASF does. Its _my_ ass that's in a
sling if your advice is crap, and, sadly, I believe it is.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff