Date: Thu, 13 Jan 2000 13:19:38 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: jkh@zippy.cdrom.com (Jordan K. Hubbard)
Cc: markm@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: We need to do an audit of our "crypto", both current and planned.
Message-ID: <200001132119.NAA33623@gndrsh.dnsmgr.net>
In-Reply-To: <95546.947784235@zippy.cdrom.com> from "Jordan K. Hubbard" at "Jan 13, 2000 09:23:55 am"
[I have slightly reordered the quoted text here to make this response
more coherent]

Late in the original message jkh said:
> I'm also sure that it's possible to read this agreement in such a way
> that, with sufficient paranoia, one could conclude that nothing had
> changed and it was all a plot by the space aliens to lend us a false
> sense of security, but I'd rather not hear those arguments from people

A question was raised later in this thread by Mark Murray. I'll apply
my best anal retentive legal explanation to the text of this clause to
try and clarify things for everyone :-) I'm not being paranoid here,
this _is_ what it says.

> So that we can obey this clause of the new export agreement:
>
> Encryption source code which is available to the public and which is
> subject to an express agreement for the payment of a licensing fee or
> royalty for commercial production or sale of any product developed
> using the source code (such as "community source" code) may be
> exported under a license exception to any end-user without a technical
> review. At the time of export, the exporter must submit to the Bureau
                 ^^^^^^^^^^^^^^
This means when the bits get transferred.

> of Export Administration a copy of the source code, or a written
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> notification of its Internet address. All other source code can be
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This means a copy of the actual information, or a pointer to it at the
_time_ (ie, date and time) it was exported. Also notice the word
``written'', that implies a paper and ink copy, I don't know that the
law recognizes email as being ``written''. Blacks surely does not.

> exported after a technical review to any non-government
> end-user. U.S. exporters may have to provide general information on
> foreign products developed for commercial sale using commercial source
> code, but foreign products developed using U.S.-origin source code or
> toolkits do not require a technical review.

So, IMHO, yes, you have to submit an ``Internet address'' (Can't find a
legal definition of that one, is it an IP number, URL, or what??? I
think the intent was a URL.) for each different copy of what was
exported. As someone else stated though we may understand the rapidly
changing nature of this, I can assure you that the law does not, nor do
the people drafting this rule.

>
> E.g. I need to submit a written notification containing the URL
> pointing to just the crypto stuff we're going to do, including future
> items like OpenSSH, IPSec, etc. Once that's done, at least as I read
> this agreement (and have at least 3 times :), we and any mirror site
> in the U.S. containing the FreeBSD code should be in the clear.

Look every single word up in a Blacks Legal, then you have ``read'' this
text. :-).

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message