If people are that paranoid, please post a snail mail address to
which U.S. citizens may send patches that have been handwritten on
pieces of paper. I say handwritten because it would be extremely
difficult for anyone to ever jump to the conclusion that my
handwriting is a machine readable form of data transmission.

It would also be nice to be able to actually read the legal opinion on
taintedness that you have received because I don't understand how
future changes in U.S. Export regulations could possibly affect
the use of OpenSSL anywhere in the world. The export regulations
affect the act of exportation. They do not and cannot affect the use
of a product or technology once that product or technology has been
exported without restriction on use. Nor can a change in export laws
allow the U.S. Government to effect a recall on products or technology
that have already been exported.

The only effect that a change in U.S. export law can possibly have is
to restrict what a U.S. company might be able to export in the
future. The only reason that U.S. export laws have been used
successfully in the past to block the retransmission of export
regulated technologies once they are out of the U.S. and in the hands
of the receiver is due to the former licensing requirements for each
technology transfer. By requiring the exporter to extract a contract
from the purchaser including usage and transfer restrictions in
exchange for the issuance of a license it was possible for the
licensed company to sue the customer for violations of the contract.
Since under the current regulations source code may be posted to a
web site and exported without restriction or even knowledge of who
might be using the code, it would be impossible to enforce any
restrictions even if they were put in place in the future as there is
no contract between the exporter and the user. (Remember the act of
exporting under current regulations is the posting to a web site, not
the downloading. Posting to a mailing list is equivalent to posting
to a web site if the mailing list is archived on a web site.)

Also, if you want to get something in writing from BXA itself you
can request a written opinion from them as to whether or not the
concerns of the OpenSSL developers are valid. If you have a written
letter from BXA stating that OpenSSL cannot be affected in the future
due to source code exported under the current regulations, everyone's
asses should be covered.

> True. The item of unclarity seems to be around "taintedness". It has
> apparently been shown that the BXA (Bureau of Export Administration)
> has been somewhat inconsistent in its application of the current
> export regulations, but the heaviest point is that we can't seem to
> get any guarantee against effects of future changes of those same
> regulations. A conclusion has been that it's "quite unlikely" that
> OpenSSL would be tainted. Unfortunately, some of us feel that "quite
> unlikely" is not unlikely enough, if I understand correctly.
>
> The meaning of "tainted" in this case means that a change in US export
> regulations may make the US-originated changes in OpenSSL illegal in
> some sense, and may therefore force us to remove them (which will most
> certainly be a pain in the ass to do).
>
> My personal opinion is that the danger is not great enough to avoid US
> code. However, I like playing with OpenSSL too damn much to bypass
> all the other members on this issue. It would cause a split in the
> team, and I can hardly see that being a good thing. If you wish, you
> might want to call this a very long explanation for the word "loyalty"
> :-).
>
> For the reasons above, I have released OCSP patches (given to me by
> CertCo, a US company) for OpenSSL as a separate package, released
> separately from another site. I'm willing to take the risks involved,
> if there are any, except to "taint" OpenSSL itself.
>
> Ben could probably give a better comment, as I think he understands
> English legalese a bit better than I do...
>
> --
> Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/ * [EMAIL PROTECTED]