From: "Jordan K. Hubbard"
To: markm@freebsd.org
Cc: security@freebsd.org
Subject: We need to do an audit of our "crypto", both current and planned.
Date: Thu, 13 Jan 2000 09:23:55 -0800
Message-ID: <95546.947784235@zippy.cdrom.com>

So that we can obey this clause of the new export agreement:

    Encryption source code which is available to the public and which
    is subject to an express agreement for the payment of a licensing
    fee or royalty for commercial production or sale of any product
    developed using the source code (such as "community source" code)
    may be exported under a license exception to any end-user without
    a technical review. At the time of export, the exporter must
    submit to the Bureau of Export Administration a copy of the source
    code, or a written notification of its Internet address. All other
    source code can be exported after a technical review to any
    non-government end-user. U.S. exporters may have to provide
    general information on foreign products developed for commercial
    sale using commercial source code, but foreign products developed
    using U.S.-origin source code or toolkits do not require a
    technical review.

E.g. I need to submit a written notification containing the URL
pointing to just the crypto stuff we're going to do, including future
items like OpenSSH, IPSec, etc. Once that's done, at least as I read
this agreement (and have at least 3 times :), we and any mirror site in
the U.S. containing the FreeBSD code should be in the clear.

I'm also sure that it's possible to read this agreement in such a way
that, with sufficient paranoia, one could conclude that nothing had
changed and it was all a plot by the space aliens to lend us a false
sense of security, but I'd rather not hear those arguments from people
right now, I just want to know what we should "declare" as part of this
process. :)

- Jordan