Mark, Steve & Barbara,

Attached is Joanne's email regarding the administrative issues of cryptography for secure Apache.

OnOn.

-----Original Message-----
From: Salz, Rich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 14, 1999 8:56 AM
To: '[EMAIL PROTECTED]'
Cc: DUBBERT,BARBARA (HP-Cupertino,ex1); HOOGHEEM,STEVE (HP-Cupertino,ex1); HONG,ONON (HP-Cupertino,ex1)
Subject: RE: [PATCH] MPE/iX port of openssl-0.9.4

>Even non-crypto diffs aren't allowed from the US?

Under the current regulations you are not allowed to provide technical assistance on a product that, were it under US regulations, would be export-controlled. Yes, this sucks.

It is expected that the most-recently-announced changes to the US export regulations will open things up for open-source projects. Those changes, which were to be announced this week, have been delayed until January 14; see for example
http://www.nytimes.com/library/tech/99/12/cyber/capital/14capital.html

According to that article "key companies" will be consulted on the next draft. HP might be a key company; you should contact your export lawyers (Fred something in Washington DC) and press him on this. :)

/r$

Here is what I have found out on the administrative issues of the cryptographic library.

1. Fred Mailman suggests that we start the paperwork for export review of Secure Apache. What he needs from us is an external specification of the cryptographic library. OnOn, we do want to make sure that RSA delivers to us both software and documentation. Fred will send me a checklist of what items need to be in the review spec.

2. We will apply for 128-bit key length to be exportable. Fred thinks it can be approved. The best case is that we are approved to deliver it to anyone. The worst case is that we are approved to deliver to anyone except foreign government entities. Even so, we can still apply for a special license to ship to foreign government entities. It's only a matter of one extra procedure. So we only need one version of the cryptographic library (128-bit key length) at this time unless everything goes out of his expectation. Then we may need to ask for a 56-bit version from RSA.

3. We can deliver secure Apache through the software depot. Any access authorization can be implemented on the software depot by checking the geographic origin of the domain name and the customer's registration information.

4. There may be countries like China and France which restrict the import of cryptography. Fred is investigating. If necessary he will apply to the specific government for an import license for all the HP web servers.

Joanne