> The problem:
> * The US law "ITAR" restricts export of crypto software.

ITAR no longer exists - it has been replaced by something else - I can't remember the name. The U.S. was embarrassed by the fact that computer software was classified as a munition (obviously not the case).

> * It is unclear to all developers so far if this law applies to "crypto
> programs" only or to programs with "crypto hooks" (i.e. support/interface
> to crypto programs) too.

I'm no lawyer - but common sense tells me that it doesn't apply. The regulations only apply to the actual "machine-readable" code that performs the actual encryption.

> * Example 1: NCSA or Mosaic (the developer didn't know) took PGP hooks
> out of their httpd.

NCSA is a U.S. government agency - I think that complicates things for them.

> * Example 2: mutt's author doesn't want to export these hooks out of the
> US--but someone else did accidentally.
>
> Packages affected:
> * most (if not all) email programs (elm, mutt, pinepgp, mh, etc.)
> * other programs with email capabilities (emacs, etc.)
> * other programs with crypto hooks (perl with PGP i/f?, etc.)

So what? The U.S. government is treading on very thin ice over this crypto stuff. They would not dare take someone to court over a program that just had "hooks", but no real crypto code -- because it would provide an awesome opportunity to get the law overturned as being unjust and too large in scope.

> I see the following options:
>
> 1. We find a US-lawyer that can assure us that exporting the hooks only
> is not a problem. We could leave the packages on the master site (and move
> mutt from non-us to master) then.
> ==> Everything would be easy for us and also for the users, but we risk
> having to fight for our decision (i.e. if a court doesn't believe us).
> I'm not sure if this is appropriate.

Mostly, lawyers will just end up telling you what you already knew. If you want to know what will stand up in court - nobody will be able to give you a definitive answer, especially when there have not been any precedents.

In short - I don't think we should over-react. In fact, we should actually under-react, if at all possible. The crypto laws the administration in the U.S. is trying to put forward are too broad and are basically stupid, and I am confident that they won't last. In the meantime, the odds of actually having charges brought against you are minuscule -- providing you don't actively provoke charges. And if they do bring charges, there's an extremely powerful industry willing to back you up.

I think the best policy is what we are doing now -- have the crypto packages stored overseas. Importing crypto is not illegal. Using crypto is not illegal. I think we should encourage crypto-hooks.

On the other hand, we do have to watch out for patent problems. That's stickier because you are dealing with private companies and civil litigation. I think software patents suck, but they aren't going to go away anytime soon.

Cheers,

- Jim