Vanilla Clients Mailing List Archive

Exporting RES-RSA is now legal.



Good news.

Several weeks ago, I finally received confirmation from the Bureau of
Export Control (BXA) that we may export our RES-RSA crypto source code
by posting it to the Internet (WWW, FTP, SourceForge, etc.).  This means
that we can now include the RSA code with all clients and servers if
we choose to do so.  There are a few guidelines we must follow, but they
do not significantly impact our ability to develop and distribute the
code.  I also received specific permission from SourceForge to host
our crypto code there, so we are completely in the clear.

For the unaware, the BXA implemented the changes proposed by the Clinton
Administration to relax the export controls.  The changes went into
effect on January 14, 2000.  Visit the BXA web site at www.bxa.doc.gov
for details.

The most important provision of these changes is the exception clause
which essentially allows open source crypto packages to be exported
without restriction under certain circumstances.  Because RSA is a
patented algorithm, it was not clear that we met the conditions for
exemption.  So, I contacted BXA to receive clarification.  I received
a reply stating that we are in the clear.  Below are copies of the
relevant correspondence.

The bottom line is this:
* We can export RES-RSA.
* We must notify BXA at Crypt@BXA.DOC.GOV of the location of the code,
  but the code does not need to be reviewed.
* Hosting our source code at SF is considered equivalent to "posting"
  to the Internet.
* Non-US developers can contribute crypto code without impacting
  exportability.
* We may not export via direct email to some terrorist countries.

Dave

>From ahn@vec.wfubmc.edu Mon Feb 21 15:39:41 2000
>Date: Mon, 21 Feb 2000 15:39:41 -0500
>From: Dave Ahn <ahn@vec.wfubmc.edu>
>To: JLEWIS@bxa.doc.gov
>Subject: export controls and source code clarification
>Message-ID: <20000221153941.A111913@cecum.vec.wfubmc.edu>
>Organization: Wake Forest University Baptist Medical Center
>
>Hi Jim,
>
>I apologize for contacting you directly, but I have been waiting for over
>a month for a reply from BXA.  I hope that you can help me.
>
>I am a contributor to an implementation of RSA, called RES-RSA, that is
>used for authentication purposes for an Internet game called Netrek.
>RES-RSA source code is distributed as open source within the US without
>any restrictions beyond RSA Lab's RSAREF license.  We received special
>permission from RSA to distribute our RSA implementation in both source
>and binary form within the US.  They referred us to BXA for exporting
>the software.
>
>Since RSA is not patented outside the US, I wish to export my source code
>without any restrictions by posting it to the Internet through anonymous
>FTP servers.  Am I allowed to do this under the recent changes in laws?
>If so, how do I notify BXA of the location?  Is a PGP signed email
>sufficient?
>
>Also, I wish to open up development on my source code to US and non-US
>developers on the Internet.  I wish to facilitate this by moving my
>source code to a free service called SourceForge (http://sourceforge.net/).
>All development changes (including work-in-progress) would be downloadable
>by anyone in the world from that site.  I do, however, have limited control
>over who can contribute crypto source code.  If SourceForge hosts my RSA
>source code, does that constitute posting to the Internet, and therefore
>exempt the source code from export controls?
>
>I will gladly provide a full copy of the source code if you wish to see
>it.  It is currently not downloadable without asserting U.S. citizenship,
>etc.
>
>Thank you for your help and attention.
>
>Sincerely,
>Dave Ahn
>
>PS. With your permission, I wish to share your response with co-developers.
>-- 
>Dave Ahn <ahn@vec.wfubmc.edu>        |  "When you were born, you cried and the
>                                     |  world rejoiced.  Try to live your life
>Virtual Endoscopy Center             |  so that when you die, you will rejoice
>Wake Forest Univ. School of Medicine |  and the world will cry."  -1/2 jj^2
>


>From JLEWIS@bxa.doc.gov  Tue Feb 22 17:32:11 2000
>Date: Tue, 22 Feb 2000 08:42:50 -0500
>From: "JIM LEWIS" <JLEWIS@bxa.doc.gov>
>To: <ahn@vec.wfubmc.edu>
>Subject: Re: export controls and source code clarification
>
>Sorry it's taken so long - who did you send your first request to in BXA?
>
>Anyhow:
>
>You can post your source code to the Internet without any restrictions using anonymous FTP servers.  An e-mail notification (to Crypt@BXA.DOC.GOV) giving the address of where the code is posted is sufficient.  There is no requirement for prior review by the government.
>
>If you have a license for further use of the source code and it requires the payment of royalties or fees for further commercial development, you have to report to us on what is being made when you receive the royalty (this is explained in section 740.17 of our regulation; I'm not going into a lot of detail here as it doesn't sound like this is what you will be doing).  Copyright or other IPR protections don't count as a "royalty or licensing agreement" which triggers the reporting requirement.  There are no requirements for the foreign developer to report anything. 
>
>If you use a free service like SourceForge to post your code, it doesn't really change anything.  You would notify us when you did this of the address; there is no reporting requirement unless you have a royalty or licensing fee; foreign developers don't have to come back for review or reporting.
>
>There is a prohibition on direct and knowing transfers to countries that the U.S. has under sanction (Iran, Cuba, Iraq, Libya, Syria, Sudan, North Korea).  What this means is that you can't send code directly to these places (via an e-mail or some other mode of transfer) without a license from the U.S.  This doesn't affect posting on internet for anonymous downloads. 
>
>Let me know if you have further questions.  Jim   
>

-- 
Dave Ahn <ahn@vec.wfubmc.edu>        |  "When you were born, you cried and the
                                     |  world rejoiced.  Try to live your life
Virtual Endoscopy Center             |  so that when you die, you will rejoice
Wake Forest Univ. School of Medicine |  and the world will cry."  -1/2 jj^2