Re: Documentation
I don't understand why US people can't be given access to the source tree.

Well they *can* be given access to the source tree, but the idea, imo, is to make it easier to comply. That way a US person can't have a modified version of the tree and then accidentally hit commit and export something.

With respect to your point (a), that, in my opinion, is incorrect. Contributing to the ASN1 engine is technical assistance in the development of an encryption item.

With respect to 'proof' -- per my post regarding CYA -- I'm going to propose some language which all contributors must agree to which warrants that in contributing their contribution they are not violating the cryptographic export restrictions of any jurisdictions which apply to them.

Is it because of a desire to "prove" that nobody from the US exported source code? Surely that's (a) too big a hammer (we can, e.g., contribute to the ASN1 engine); (b) probably not sufficient proof; and (c) starting down a slippery slope that OpenSSL really should avoid -- setting up mechanisms to help "enforce" every participating country's crypto export rules?

I totally agree that "writing documentation" should be foisted off to us whenever possible, freeing up those capable of doing crypto code to do so.

/r$

__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]

-- [EMAIL PROTECTED] 510 291 2283 The BPM Group http://www.bpm.ai/~sameer/
RE: Documentation
Once the library contains crypto code of American origin, it is covered by the American reexport regulations. That means that everyone who distributes it internationally will violate US law.

This is true, but who outside the US gives a damn?

Jon
Re: Documentation
Anonymous wrote:

Ben Laurie [EMAIL PROTECTED] wrote:

I'm totally against this. We have no responsibility to enforce the USG's stupid export laws, and I see no reason we should take that responsibility on.

Once the library contains crypto code of American origin, it is covered by the American reexport regulations. That means that everyone who distributes it internationally will violate US law.

a) There's no intention to put American crypto code into OpenSSL.

b) US law doesn't apply to me (at least while I'm not in US territory) or OpenSSL, AFAIK, regardless of the code's origin.

Cheers, Ben.

-- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
Re: Documentation
Sameer Parekh wrote:

b) US law doesn't apply to me (at least while I'm not in US territory) or OpenSSL, AFAIK, regardless of the code's origin.

US law may not apply to you, but it applies to many of the people who are using OpenSSL outside the United States. If it's your intention that multinationals be prohibited from using OpenSSL, then I think we have a conflict, because it's my intention to let anyone use OpenSSL.

No, it is not my intention to restrict the use of OpenSSL. However, I still do not see why that means _I_ have to enforce US export laws. Hasn't the USG got enough budget to do that itself? Is it your intention to export code illegally and hence pollute OpenSSL? No? I thought not.

Cheers, Ben.

-- http://www.apache-ssl.org/ben.html
Re: Documentation
We may be misunderstanding each other. Let me outline my position in pieces so we can see where we agree and where we disagree, more specifically.

a) I would like the OpenSSL project to protect the codebase from being polluted with export-restricted code, US or otherwise.

b) I would like the OpenSSL project to require that all contributors warrant that the code they are contributing does not violate export controls.

c) Due to 'scienter' requirements, if the OpenSSL project knowingly accepted a contribution from a US person, even if that person warranted that the code was free of export restrictions, OpenSSL would be tainted, and multinationals would not be allowed to use the code.

d) The OpenSSL project should not allow US persons to contribute to the OpenSSL source code.

Could you tell me which of these statements you agree or disagree with?

-- [EMAIL PROTECTED] 510 291 2283 The BPM Group http://www.bpm.ai/~sameer/
Re: Documentation
Sameer Parekh wrote:

d) The OpenSSL project should not allow US persons to contribute to the OpenSSL source code.

This would be the easiest way to handle things but it might be regarded as over cautious. There are some non crypto areas of OpenSSL where US persons might be able to contribute without breaching US law. Examples would be certificate extension code, message digest algorithms or stuff related to authentication only (e.g. DSS). Or do you think even contributions of this sort could cause problems?

Steve.

-- Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. For info see homepage at http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED] NOTE NEW (13/12/98) PGP key: via homepage.