Indeed many contributions from individuals from the US have already been committed.

On Tue, Nov 5, 2013 at 5:23 PM, [email protected] <[email protected]> wrote:
> I agree that the openpgpjs project is probably developed mostly in Europe,
> etc., and that U.S. export control laws don't apply there. But those laws
> do apply in the U.S. and require a simple one-time notification to be sent.
>
> If the project contributors intentionally decide that contributors who are
> U.S. persons should be excluded from participating in the project, that's
> okay, but it should be an explicit decision.
>
> If U.S. contributors are welcome, then sending the notification is a small
> price to pay. If not, then why not warn U.S. contributors to be aware of
> their vulnerable position if they choose to contribute?
>
>
> ------------------------------------------------------
>
> Hi,
>
> IANAL, but I'm pretty sure there is no requirement for requesting any permit
> for exporting OpenPGP.js. Debian is registered as some kind of non-profit
> organization in the US. What exactly makes OpenPGP.js American? American
> export laws only apply to Americans. Either way:
>
> Zimmermann was freed from similar charges: "After a report from RSA Data
> Security, Inc., who were in a licensing dispute with regard to use of the
> RSA algorithm in PGP, the United States Customs Service started a criminal
> investigation of Zimmermann, for allegedly violating the Arms Export Control
> Act.[3] The United States Government had long regarded cryptographic
> software as a munition, and thus subject to arms trafficking export
> controls. At that time, the boundary between what cryptography was permitted
> ("low-strength") and impermissible ("high-strength") for export from the
> United States was placed such that PGP well on the too-strong-to-export side
> of the boundary. The boundary for legal export has since been raised and now
> allows PGP to be exported. The investigation lasted three years, but was
> finally dropped without filing charges."
> -http://en.wikipedia.org/wiki/Phil_Zimmermann#Criminal_investigation
>
> 6. In §742.15, the licensing policy section for exports and reexports of
> encryption items is changed as follows:
>
> a. Review and classification are required by BXA before certain encryption
> items can be released from "EI" and "NS" controls under ECCNs 5A992, 5D992
> and 5E992. These items include: 64-bit mass market encryption commodities
> and software; certain encryption items up to and including 56-bits; and
> asymmetric key exchange algorithms not exceeding 512 bits or an elliptic
> curve at 112 bits. Encryption items under these ECCNs do not require a
> license or license exception and may be exported and reexported as "NLR" (No
> License Required).
>
> "Legal challenges by Peter Junger and other civil libertarians and privacy
> advocates, the widespread availability of encryption software outside the
> U.S., and the perception by many companies that adverse publicity about weak
> encryption was limiting their sales and the growth of e-commerce, led to a
> series of relaxations in US export controls, culminating in 1996 in
> President Bill Clinton signing the Executive order 13026[7] transferring the
> commercial encryption from the Munition List to the Commerce Control List.
> Furthermore, the order stated that, "the software shall not be considered or
> treated as 'technology'" in the sense of Export Administration Regulations.
> This order permitted the United States Department of Commerce to implement
> rules that greatly simplified the export of commercial and open source
> software containing cryptography, which they did in 2000."
> -http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States#PC_era
>
> On 10/29/2013 08:18 AM, [email protected] wrote:
>
> Contributors based in the United States are required by US law to notify the
> Bureau of Export Administration when making open-source encryption code
> available publicly. This may also apply for projects hosted in the US.
>
> See this Debian notification for an example:
> http://www.debian.org/legal/notificationforarchive.en.html
>
> Has this been done for openpgpjs yet? If not, should this task be added to
> the list?
>
> (More information available from EPIC here:
> http://epic.org/crypto/export_controls/regs_1_00.html )
>
>
> _______________________________________________
>
> http://openpgpjs.org
> Subscribe/unsubscribe: http://list.openpgpjs.org

