I agree that the openpgpjs project is probably developed mostly in Europe,
etc., and that U.S. export control laws don't apply there.  But those laws
do apply in the U.S. and require a simple one-time notification to be sent.

If the project contributors intentionally decide that contributors who are
U.S. persons should be excluded from participating in the project, that's
okay, but it should be an explicit decision.

If U.S. contributors are welcome, then sending the notification is a small
price to pay.  If not, then why not warn U.S. contributors to be aware of
their vulnerable position if they choose to contribute?


------------------------------------------------------

Hi,

IANAL, but I'm pretty sure there is no requirement for requesting any
permit for exporting OpenPGP.js. Debian is registered as some kind of
non-profit organization in the US. What exactly makes OpenPGP.js American?
American export laws only apply to Americans. Either way:

Zimmermann was freed from similar charges: "After a report from RSA Data
Security, Inc., who were in a licensing dispute with regard to use of the
RSA algorithm in PGP, the United States Customs Service started a criminal
investigation of Zimmermann, for allegedly violating the Arms Export
Control Act.[3] The United States Government had long regarded
cryptographic software as a munition, and thus subject to arms trafficking
export controls. At that time, the boundary between what cryptography was
permitted ("low-strength") and impermissible ("high-strength") for export
from the United States was placed such that PGP well on the
too-strong-to-export side of the boundary. The boundary for legal export
has since been raised and now allows PGP to be exported. The investigation
lasted three years, but was finally dropped without filing charges." -
http://en.wikipedia.org/wiki/Phil_Zimmermann#Criminal_investigation

6. In §742.15, the licensing policy section for exports and reexports of
encryption items is changed as follows:

a. Review and classification are required by BXA before certain encryption
items can be released from "EI" and "NS" controls under ECCNs 5A992, 5D992
and 5E992. These items include: 64-bit mass market encryption commodities
and software; certain encryption items up to and including 56-bits; and
asymmetric key exchange algorithms not exceeding 512 bits or an elliptic
curve at 112 bits. *Encryption items under these ECCNs do not require a
license or license exception and may be exported and reexported as "NLR"
(No License Required).*

"Legal challenges by Peter Junger and other civil libertarians and privacy
advocates, the widespread availability of encryption software outside the
U.S., and the perception by many companies that adverse publicity about
weak encryption was limiting their sales and the growth of e-commerce, led
to a series of relaxations in US export controls, culminating in 1996 in
President Bill Clinton signing the Executive order 13026[7] transferring
the commercial encryption from the Munition List to the Commerce Control
List. Furthermore, the order stated that, "the software shall not be
considered or treated as 'technology'" in the sense of Export
Administration Regulations. This order permitted the United States
Department of Commerce to implement rules that greatly simplified the
export of commercial and open source software containing cryptography,
which they did in 2000." -
http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States#PC_era

On 10/29/2013 08:18 AM, [email protected] wrote:

Contributors based in the United States are required by US law to notify
the Bureau of Export Administration when making open-source encryption code
available publicly. This may also apply for projects hosted in the US.

See this Debian notification for an example:
http://www.debian.org/legal/notificationforarchive.en.html

*Has this been done for openpgpjs yet?* If not, should this task be added
to the list?

(More information available from EPIC here:
http://epic.org/crypto/export_controls/regs_1_00.html )
_______________________________________________

http://openpgpjs.org
Subscribe/unsubscribe: http://list.openpgpjs.org