At 00:50 -0400 16/07/02, Cliff Woolley wrote:
>On Tue, 16 Jul 2002, Brendan Lloyd wrote:
>
>>  And last but not least: can anyone clarify what the state of Apache
>>  2.0 is with regards to OpenSSL/mod_ssl? I've read in some places that
>>  Apache 2.0 supports/includes these, but then when I went to download
>>  the Windows binary distribution it had the suffix "no_ssl"?
>
>Source distributions of Apache 2.0 include mod_ssl.  Binary distributions
>are a different story, but only because of ambiguities surrounding the
>(IMHO silly) export restrictions of the US government.  We know we're
>allowed to export *source* for strong encryption software... but whether
>we're able to legally distribute *binaries* of strong encryption software
>is unclear.  So we don't.
>
>Of course, that's more of a burden on our Windows users than on our Unix
>users, since the former tend to rely on binaries and the latter tend to
>roll their own since they tend to have the compilation tools on hand.
>
>The solution, as has been pointed out, is that somebody outside the US
>contributed binaries for mod_ssl for Apache 2.0 on Win32 and uploaded them
>to www.modssl.org/contrib, which is physically located in Germany, as
>opposed to www.apache.org, which is physically located in the western US.
>
>Sigh.

Those interested in details on this legal stuff can see this site: 
http://www.bxa.doc.gov/Encryption/

What is nice with this policy update is that source code is now 
considered "unrestricted" (like Cliff said):
-----
Also for the first time, all encryption source code that would be 
considered publicly available under Section 734.3(b)(3) of the EAR 
(such as source code posted to the Internet) and the corresponding 
object code may be exported and reexported under License Exception 
TSU -- Technology and Software Unrestricted (specifically, Section 
740.13(e) of the EAR), once notification (or a copy of the source 
code) is provided to BIS and the ENC Encryption Request Coordinator. 
See Note. Even if a license fee or royalty is charged for commercial 
production or sale of products developed using the source code, such 
source code is eligible for license exception TSU and no post-export 
reporting is required.
-----
The complete content of the Export Administration Regulation (EAR) is 
available at: http://w3.access.gpo.gov/bis/ear/ear_data.html
Disclaimer: reading the content of the EAR may cause a headache. 8)

It looks like binaries made from publicly available source code are 
still considered "unrestricted". They explicitly say "[publicly 
available source code] and the corresponding object code may be 
exported and reexported under License Exception TSU".

But the License Exception TSU states:
-----
(2)  Provisions and Destinations.

        (i)  Provisions.  Operation software may be exported or
        reexported provided that both of the following conditions
        are met:

                (A)  The operation software is the minimum
                necessary to operate equipment authorized for
                export or reexport; and

                (B)  The operation software is in object code.
-----
mod_ssl is not the "minimum necessary to operate equipment" since 
it's an add-on module; Apache can work without mod_ssl. And part B 
totally confused me, it says that ONLY object code can be exported...

I guess Apache's official policy is "let's not take chances." That 
sucks... Couldn't they hire a legal advisor that could sort this out?

Or easier, can't we just give a call to the BXA and ask them "Does 
object code made from publicly available source code still fall 
under the License Exception TSU?", that would clear up the 
question... We could ask them for a signed letter, and if we get 
problems in the future, we could just show the letter and say that we 
did our homework.

Ok, putting everything on modssl.org/contrib is MUCH MUCH easier.

GFK's
-- 
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/      (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
