On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote: > Here's the page that I've put together right now: > http://apache.org/dev/crypto.html. Unfortunately, it needs a little > more detail.
Thank you very much, that's already answered a few of my questions and given me some good pointers. > The US export laws do not require us to offer a non-crypto version of > products we place on the web that do include export-controlled crypto. > The only thing we cannot do is knowingly export to a handful of > particular countries; however, placing an item on the web does not > qualify as knowingly exporting to any particular country. That would be excellent. > However, if there are httpd users in countries that have *import* > restrictions that would like to use the non-ssl version of httpd, that > might be a reason to do what is being suggested here. But there is no > U.S. regulation that I am aware of that requires us to distribute a > non-SSL version....but maybe I'm not understanding the concern. >From the sound of things, we could put up ssl-capable downloads right now with no liability for the ASF or anyone other than users in countries with such restrictions, which is useful to know. > >So, I'm wondering how effective a liability shield it is for a US-based > >corporation to export such content via non-US-based distributors. It > >seems odd that this would work legally, but that SPI/Debian did it for > >so long sparks my interest; maybe there is a path through. > > I have no idea what the Debian story is, but that is not an option for > a number of reasons. Here's the biggest reason, the same U.S. > government entity that controls our exports also controls reexport > from any other country of goods that were previously exported from the > U.S. I've been reading http://www.debian.org/legal/cryptoinmain and it looks like they shifted the liability to their developers personally, who exported-by-proxy. -- Colm MacCárthaigh Public Key: [EMAIL PROTECTED]
