On 04/28/2014 07:31 AM, Dr. Stephen Henson wrote: > ... >> > > Unknown. Can someone comment on this?
With respect to U.S. export controls (EAR), open source cryptographic code contributions appearing on the publicly visible OpenSSL web site appear to fall under the TSU exception to ECCN 5D002. The necessary notification for that code to the Commerce Department was by OSF done years ago and is renewed from time to time (even though such renewal is not explicitly required). U.S. contributors do need to be *very* careful about crypto code that is "exported" anywhere. Note that in EAR/ITAR parlance "export" essentially means "potentially seen by non-U.S. persons". So for instance posting such code to github would be an "export", as would E-mailing to anyone overseas. When in doubt consult your own attorney, as U.S. export controls are more than a little nonsensical. TBH it's such a mess that I quit working directly on crypto code myself after unwittingly attaining the dubious and expensive distinction of becoming a registered international arms dealer (mandatory registration with the State Department DDTC per ITAR). In short, while your odds of actually being prosecuted are probably low, it's damn hard to be a U.S. citizen and lawfully work on open source cryptography. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct [email protected] [email protected] gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
