Vanilla List Mailing List Archive

Re: [VANILLA-LIST:2837] New encryption laws?



Quoting sheldon <sheldon@visi.com>:
> 
> If I'm reading this correctly, we send an email to the Men in Black telling
> them about netrek.org, and include the RSA stuff in our source code...

(ignore any .gov items in my headers, I cannot, in any way, speak for
(or understand) the US Govt.)

Yup. That's a fair assessment on exporting general crypto, but we're
still stuck, I think.  We issue licenses for RSA Labs by proxy to
netrek servers/client maintainers to use it for netrek only.  The
looser regulations require that the code have an "unrestricted"
license.  We don't.  And besides, the current licence as stated in
LICENCE.US in res-rsa.2.9.1 explicitly states: "no non-usa citizens."
Yes, that statement may be based on the old law, but it's in there, and
we need to get RSA Labs to drop it.  Or we can wait until Sept. 2000
when the RSA patent expires.  USAians can't provide direct tech
support to non-USAians for the crypto.  Example, if James was having
trouble with res-rsa (US version) I couldn't legally help him.

Our Crypto Guy at JPL has bigger ties into what's going on.  He
summarized it this way:

I can package up a crypto system with an unrestricted license.  I can
then take that package and post it in a newsgroup, or put it on a
web-site with no access restrictions and _publicly_ announce it.  I
won't be breaking the law.  I will break the law, however, if I take
that package and directly mail it to someone who is a non-USAian,
place access restrictions on the web site, or only tell a few people
about my posting/web-site.  The important part is the unrestricted
nature of distribution.

Here's a quote from Jim Lewis (JLEWIS@bxa.doc.gov) of the BXA, via our
Crypto Guy:

>a) If you post encryption source code to a site on the net and anyone can
>access it, you do not need to have it reviewed by BXA or obtain a license.

>b) Simply posting this "publicly available" encryption source code does
>not count as an export and does not trigger all the terrorist sanctions
>and other requirements created by various Federal sanctions laws.
>
>(what this means is that if you post some code and Saddam Hussein
>downloads it, you are not liable.  If Saddam calls you up and asks you to
>e-mail him the code, and you send the e-mail without applying for and
>receiving a license, you are liable.)

>c)  You do need to send BXA an E-mail with the internet location of the
>posted source code and you are prohibited from sending (as opposed to
>posting) the encryption source code to a terrorist country or an
>individual on one of our denial lists.

>d) if a foreign person makes a new product with the source code you've
>posted, there are no review or licensing requirements for that foreign
>product.  If they pay you a royalty or licensing fee for a product they've
>developed for commercial sale, however, you may have to report some
>information to BXA.


--Carlos V.