Encryption code in Apache projects

[Berin Lautenbach <be...@ozemail.com.au>]

Peoples,

In the XML-Security project we have done some work on implementing the
XML Digital Signature standards and want to start looking at the XML
Encryption standards.

We want to make sure we are not getting Apache in legal trouble by 
implementing a library that implements an encryption wrapper. We
actually think we are fine, given the "recent" changes in legislation on 
this front, added to which we don't actually implement any encryption 
code directly, we call on encryption providers (anything JCE compliant 
for Java or OpenSSL/Windows Crypto API for C++) to do the work. Really 
we are just providing a formatting wrapper for encryption code that is 
implemented elsewhere.

Any thoughts gratefully received.

Cheers,
	Berin

Re: Encryption code in Apache projects

[Ben Laurie <be...@algroup.co.uk>]

Berin Lautenbach wrote:

> Ben Laurie wrote:
> 
>> The second issue is the question of what is exempt. We know for a fact
>> that free _source_ code is, regardless of whether it implements or uses
>> crypto, so long as the BXA has been notified, and the Dreaded Seven are
>> excluded (a written notice excluding them is sufficient). We also know
>> that _binary_, even if derived from free source, is _not_ exempt. What
>> we do not know (or at least, I don't) is whether binary that just uses
>> crypto, as opposed to implementing it, is exempt. If you know this is
>> the case, please point to the relevant paragraph(s) in the regulations.
> 
> 
> http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html
> 
> would seem to indicate that freely available object code, if derived
> from freely available source, is OK.  *However* I would very clearly
> state that I have not seen anything in regulations that would confirm this.

Grrr. What is so hard about reading the damn docs? It references
734.3(b)(3) in paragraph 1, which I've already quoted.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Re: Encryption code in Apache projects

[Berin Lautenbach <be...@ozemail.com.au>]

Ben Laurie wrote:
> The second issue is the question of what is exempt. We know for a fact
> that free _source_ code is, regardless of whether it implements or uses
> crypto, so long as the BXA has been notified, and the Dreaded Seven are
> excluded (a written notice excluding them is sufficient). We also know
> that _binary_, even if derived from free source, is _not_ exempt. What
> we do not know (or at least, I don't) is whether binary that just uses
> crypto, as opposed to implementing it, is exempt. If you know this is
> the case, please point to the relevant paragraph(s) in the regulations.

http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html

would seem to indicate that freely available object code, if derived 
from freely available source, is OK.  *However* I would very clearly 
state that I have not seen anything in regulations that would confirm this.

So....

My own feeling is that we take the safe path on this.  The above site 
indicates exactly what must be in the e-mail to BIS.

So I would say we send the e-mail, and we only make source code 
available, unless someone can point to something in the regulations that 
says binary is OK.

Thoughts?  Who would send this e-mail (am happy to draft)?  How do we 
validate this from a legal perspective?

Cheers,
	Berin

Re: Encryption code in Apache projects

[Ben Laurie <be...@algroup.co.uk>]

Berin Loritsch wrote:

> Berin Lautenbach wrote:
> 
>> Peoples,
>>
>> In the XML-Security project we have done some work on implementing the
>> XML Digital Signature standards and want to start looking at the XML
>> Encryption standards.
>>
>> We want to make sure we are not getting Apache in legal trouble by
>> implementing a library that implements an encryption wrapper. We
>> actually think we are fine, given the "recent" changes in legislation
>> on this front, added to which we don't actually implement any
>> encryption code directly, we call on encryption providers (anything
>> JCE compliant for Java or OpenSSL/Windows Crypto API for C++) to do
>> the work. Really we are just providing a formatting wrapper for
>> encryption code that is implemented elsewhere.
>>
>> Any thoughts gratefully received.
>>
>> Cheers,
>>     Berin
> 
> 
> (I still have to get used to seeing that...)
> 
> As long as the responsibility of selecting the proper algorithm is
> delegated and implemented, then there is nothing we have to do
> beyond informing the users to download the library they need and
> remind them to respect export laws.
> 
> Of course, IANAL--though I play one on TV ;P

There are two issues here. The first is that the ASF is incorporated in
the US and its servers are located there. It must, therefore, obey the
US export laws. What you say above seems to suggest you think that is
not a requirement. It is.

The second issue is the question of what is exempt. We know for a fact
that free _source_ code is, regardless of whether it implements or uses
crypto, so long as the BXA has been notified, and the Dreaded Seven are
excluded (a written notice excluding them is sufficient). We also know
that _binary_, even if derived from free source, is _not_ exempt. What
we do not know (or at least, I don't) is whether binary that just uses
crypto, as opposed to implementing it, is exempt. If you know this is
the case, please point to the relevant paragraph(s) in the regulations.

If you don't, then don't say it.

BTW, I don't believe the user need respect export laws at all, since
they are not exporting, they are importing. It is the provider of the
software that has to worry about the export laws.

Sorry if this sounds a bit harsh, but remember, its the board that are
ultimately responsible for what the ASF does. Its _my_ ass that's in a
sling if your advice is crap, and, sadly, I believe it is.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff