Date:      Thu, 13 Jan 2000 19:43:09 +0200
From:      Mark Murray <mark@grondar.za>
To:        "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
Cc:        audit@freebsd.org
Subject:   Re: We need to do an audit of our "crypto", both current and planned. 
Message-ID:  <200001131743.e0DHhAw70607@gratis.grondar.za>
In-Reply-To: <95546.947784235@zippy.cdrom.com> ; from "Jordan K. Hubbard" <jkh@zippy.cdrom.com>  "Thu, 13 Jan 2000 09:23:55 PST."
References:  <95546.947784235@zippy.cdrom.com> 

> Encryption source code which is available to the public and which
> is subject to an express agreement for the payment of a licensing
> fee or royalty for commercial production or sale of any product
> developed using the source code (such as "community source" code)
> may be exported under a license exception to any end-user without a
> technical review. At the time of export, the exporter must submit
> to the Bureau of Export Administration a copy of the source code,
> or a written notification of its Internet address. All other source
> code can be exported after a technical review to any non-government
> end-user. U.S. exporters may have to provide general information on
> foreign products developed for commercial sale using commercial source
> code, but foreign products developed using U.S.-origin source code or
> toolkits do not require a technical review.

Once the code has been "declared", are we allowed to change it?

> E.g. I need to submit a written notification containing the URL
> pointing to just the crypto stuff we're going to do, including future
> items like OpenSSH, IPSec, etc.  Once that's done, at least as I read
> this agreement (and have at least 3 times :), we and any mirror site
> in the U.S. containing the FreeBSD code should be in the clear.

I'm nervous ("paranoid") that "declared" code is somehow set in stone,
er, red tape, and needs to be "re-declared" after any change.

> I'm also sure that it's possible to read this agreement in such a way
> that, with sufficient paranoia, one could conclude that nothing had
> changed and it was all a plot by the space aliens to lend us a false
> sense of security, but I'd rather not hear those arguments from people
> right now, I just want to know what we should "declare" as part of
> this process. :)

I think it needs to be made abundantly clear that the code is in a
permanent state of development, and as such may be different on a day
that someone downloads it to the day that it was "declared".

It also needs to be abundantly clear that code is not only changed, but
added to and subtracted from.

IANAL, IAJP.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

