[lsb-discuss] LSB conf call notes for 2008-05-14

Theodore Tso tytso at mit.edu
Thu May 15 09:18:53 PDT 2008


On Thu, May 15, 2008 at 04:52:53PM +0200, Carlos Manuel Duclos Vergara wrote:
> 
> We are not under US export regulation because:
> 1. There are no US citizens working on any of the OpenSSL Wrapper
> 2. OpenSSL is not under US export regulations
> 
> And besides, we avoid making any cryptographic calculations inside Qt, since
> we also sell Qt to the US market. That's why we offer a wrapper for OpenSSL, 
> we only arrange some bits here and there but all the work is done by OpenSSL.
> We had to go through a certification process to be classified as not under 
> US export regulations, and if we add the NSS wrapper it will be classified as
> under US export regulations. The same thing will happen to any other product
> that uses NSS, that does not happen with OpenSSL. So, we are strongly opposed
> to defaulting to NSS as a cryptographic library for LSB.

Carlos,

	I am *very* well acquainted with US Crypto export laws, given
that I was technical lead for the MIT Kerberos project for over 8
years, and during the time when the US Crypto Iron Curtain was
inflicting incredible harm on the US Software industry, both for open
and closed source software.

First of all, US export regulation does *not* distinguish whether the
technology was created by US citizens or not.  It only cares about the
certain technologies crossing the US border (or over 120 miles into
space --- rockets carrying space probes with radioactive substances
for power generation fall under the export regulations, and have to
get the appropriate export licenses).  So for example, during the time
when the US Export regulations were tightly enforced, people could
bring cryptographic boards *into* the US from Israel, where a number
of US-based companies conveniently had their research labs doing
crypto, but they couldn't be brought back *out* of the US, even though
they had originally come from Israel.  So there were people who would
bring these boards into the US for some conference, who would then
have to destroy them or give them away since technically they wouldn't be
able to bring them back home.  Crazy, but I never said the US laws
made any *sense*.

Secondly, it's not at all true that OpenSSL is not under US export
regulations.  ***Any*** technology that performs cryptography (OpenSSL
code, Kerberos code, the TPM chip in an IBM Thinkpad laptop, the CSS
implementation in a DVD player, etc.) falls under US export
regulations.  However, there are various automatic licenses, or
"license exceptions" which mean that you don't have to do something
special.  So for example, even though every single Thinkpad laptop for
the last seven or eight years has a hardware crypto engine built into
it, I don't have to apply for an export license before I go overseas,
because Lenovo dealt with the necessary paperwork.  The same is true
for the DVD player that many parents bring as a portable baby-sitter.
Even during the worst of the US Crypto Iron Curtain days, 40-bit
crypto had an automatic export license, so no paperwork was ever
required.  But technically the DVD player and the Thinkpad are covered
by US export regulations.

In any case, there is no difference between OpenSSL and NSS.  They are
both cryptographic implementations with "publicly available source
code".  Please see the US Government's Department of Commerce, Bureau
of Industry and Security web page here:

   http://www.bis.doc.gov/encryption/default.htm

and their specialized web page discussing publicly available sources
here:

   http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html

.... and then I would gently suggest that you get some new lawyers.
The ones which gave you your advice are giving information which is
hopelessly wrong, incorrect, and not even outdated.  Even in the bad
old days, back before 2000, when the US really had some amazingly
backwards crypto regulations that Bill Clinton and Al Gore were as
stubborn about repealing as George W. Bush was about getting out of
Iraq, it was never the case that it made one whit of difference
regarding the citizenship of the people who developed the source code.

There were projects such as OpenSSL that only accepted contributions
from US Citizens back before 2000, and only had FTP sites outside of
the US, but that was because people were afraid that US developers
would get sued for exporting the source code.  But all of that changed
starting in 2000, when automatic export licenses were granted for mass
market software and for software with publicly available source
code.  All you had to do was to e-mail the source code (at least
initially, and then when certain bureaucrats' mailboxes exploded, they
started accepting URLs) before you announced the code being
available.

In any case, tell your lawyers to do some research; they can even do
it on the Internet if they don't want to subscribe to Lexis/Nexis.
Google and Wikipedia will very quickly turn up the official US
government web sites, which are quite clear.

Best regards,

					- Ted