On Mon, Apr 28, 2014 at 8:33 AM, Steve Marquess <
marqu...@opensslfoundation.com> wrote:

> On 04/28/2014 07:31 AM, Dr. Stephen Henson wrote:
> > ...
> >>
> >
> > Unknown. Can someone comment on this?
>
> With respect to U.S. export controls (EAR), open source cryptographic
> code contributions appearing on the publicly visible OpenSSL web site
> appear to fall under the TSU exception to ECCN 5D002. The necessary
> notification for that code to the Commerce Department was by OSF done
> years ago and is renewed from time to time (even though such renewal is
> not explicitly required).
>
> U.S. contributors do need to be *very* careful about crypto code that is
> "exported" anywhere. Note that in EAR/ITAR parlance "export" essentially
> means "potentially seen by non-U.S. persons". So for instance posting
> such code to github would be an "export", as would E-mailing to anyone
> overseas.
>
> When in doubt consult your own attorney, as U.S. export controls are
> more than a little nonsensical. TBH it's such a mess that I quit working
> directly on crypto code myself after unwittingly attaining the dubious
> and expensive distinction of becoming a registered international arms
> dealer (mandatory registration with the State Department DDTC per ITAR).
> In short, while your odds of actually being prosecuted are probably low,
> it's damn hard to be a U.S. citizen and lawfully work on open source
> cryptography.
>
> -Steve M.
>

Steve M., what do you think about this vague text, probably destined for
the first section of http://wiki.openssl.org/index.php/Contributions?

1. Legal considerations regarding development, import, and export of crypto

Various jurisdictions around the world regulate implementations of
cryptography.
For example, U.S. contributors posting implementations to public fora such
as GitHub or OpenSSL mailing lists could conceivably be treated as exporters
of cryptography.

The OpenSSL developers and staff cannot define the legal requirements of
contributors to the OpenSSL crypto implementation, or even define which
areas of contribution would be considered as cryptography by regulatory
agencies.  Individual contributors are responsible for researching potential
limitations on or requirements of their contributions based on the type of
contribution and the laws and regulations which are applicable to them.

--/--

This is an alternative to the fairly strong statements in the README which
imply that some legal evaluation is performed by committers to determine if
a contribution can be accepted.  (Apparently no such evaluation is performed;
it is on the contributor to evaluate for themselves.)


> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
> gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/