From: "Rodney W. Grimes"
Message-Id: <200001132119.NAA33623@gndrsh.dnsmgr.net>
Subject: Re: We need to do an audit of our "crypto", both current and planned.
In-Reply-To: <95546.947784235@zippy.cdrom.com> from "Jordan K. Hubbard" at "Jan 13, 2000 09:23:55 am"
To: jkh@zippy.cdrom.com (Jordan K. Hubbard)
Date: Thu, 13 Jan 2000 13:19:38 -0800 (PST)
Cc: markm@FreeBSD.ORG, security@FreeBSD.ORG

[I have slightly reordered the quoted text here to make this response
more coherent]

Late in the original message jkh said:
> I'm also sure that it's possible to read this agreement in such a way
> that, with sufficient paranoia, one could conclude that nothing had
> changed and it was all a plot by the space aliens to lend us a false
> sense of security, but I'd rather not hear those arguments from people

A question was raised later in this thread by Mark Murray.  I'll apply
my best anal retentive legal explanation to the text of this clause to
try and clarify things for everyone :-)  I'm not being paranoid here,
this _is_ what it says.

> So that we can obey this clause of the new export agreement:
>
> Encryption source code which is available to the public and which is
> subject to an express agreement for the payment of a licensing fee or
> royalty for commercial production or sale of any product developed
> using the source code (such as "community source" code) may be
> exported under a license exception to any end-user without a technical
> review. At the time of export, the exporter must submit to the Bureau
                 ^^^^^^^^^^^^^^
This means when the bits get transferred.

> of Export Administration a copy of the source code, or a written
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> notification of its Internet address. All other source code can be
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This means a copy of the actual information, or a pointer to it at the
_time_ (ie, date and time) it was exported.  Also notice the word
``written'', that implies a paper and ink copy, I don't know that the
law recognizes email as being ``written''.  Blacks surely does not.

> exported after a technical review to any non-government
> end-user. U.S. exporters may have to provide general information on
> foreign products developed for commercial sale using commercial source
> code, but foreign products developed using U.S.-origin source code or
> toolkits do not require a technical review.

So, IMHO, yes, you have to submit an ``Internet address'' (Can't find a
legal definition of that one, is it an IP number, URL, or what???  I
think the intent was a URL.) for each different copy of what was
exported.  As someone else stated though we may understand the rapid
changing nature of this, I can assure you that the law does not, nor do
the people drafting this rule.

>
> E.g. I need to submit a written notification containing the URL
> pointing to just the crypto stuff we're going to do, including future
> items like OpenSSH, IPSec, etc.
> Once that's done, at least as I read
> this agreement (and have at least 3 times :), we and any mirror site
> in the U.S. containing the FreeBSD code should be in the clear.

Look every single word up in a Blacks Legal, then you have ``read'' this
text. :-).

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)          rgrimes@gndrsh.dnsmgr.net