[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: unofficial mozilla 0.8 deb

On Thu, Mar 08, 2001 at 01:25:03AM +0200, Sampo Niskanen wrote:
> On Wed, 7 Mar 2001, Gregor Hoffleit wrote:
> > AFAIR, the new legislation said that companies could apply at
> > the government for a permission to release specific versions of
> > strong-crypto software to a world-wide public. I guess Netscape
> > did this for their communicator and since the government gave the
> > permission, anybody is now allowed to export this specific pieces of
> > software, even though they contain strong crypto.
> >
> > [Then, it would be obvious that this reasoning doesn't necessarily
> > apply to Mozilla--someone had to ask for a permission first.]
> If this is true, how do they define a software product? One binary? A
> very similar product? The same name?

it's not true, at least not for open source programs.

as i understand the new (actually year old) US crypto rules, for open
source / public domain / free software programs, all you have to do
is notify the US government that you're exporting it and tell them

that's what kernel.org have done. i doubt if linus or transmeta or
anyone else involved would have take the risk if they didn't think it
was safe to do so.

there is a notice on www.kernel.org about crypto s/w:

    Cryptographics Software

    Due to U.S. Exports Regulations, all cryptographic software on this
    site is subject to the following legal notice:

    This site includes publicly available encryption source code which,
    together with object code resulting from the compiling of publicly
    available source code, may be exported from the United States under
    License Exception "TSU" pursuant to 15 C.F.R. Section 740.13(e).

    This legal notice applies to cryptographic software only. Please see
    the _Bureau of Export Administration_[1] for more information about
    current U.S. regulations.

[1] link to http://www.bxa.doc.gov/

you can read the new crypto rules for yourself at:


FYI, the relevant section (15 C.F.R. Section 740.13) of the new crypto
regulations says:

    (e) Unrestricted encryption source code.

    (1) Encryption source code controlled under 5D002, which would be
    considered publicly available under  734.3(b)(3) and which is not
    subject to an express agreement for the payment of a licensing
    fee or royalty for commercial production or sale of any product
    developed with the source code, is released from ``EI'' controls
    and may be exported or reexported without review under License
    Exception TSU, provided you have submitted written notification
    to BXA of the Internet location (e.g.,  URL or Internet address)
    or a copy of the source code by the time of export.  Submit the
    notification to BXA and send a copy to ENC Encryption Request
    Coordinator (see  740.17(g)(5) for mailing addresses). Intellectual
    property protection (e.g., copyright, patent or trademark) will not,
    by itself, be construed as an express agreement for the payment of
    a licensing fee or royalty for commercial production or sale of any
    product developed using the source code.

    (2) You may not knowingly export or reexport source code or products
    developed with this source code to Cuba, Iran, Iraq, Libya, North
    Korea, Sudan or Syria.

    (3) Posting of the source code on the Internet (e.g., FTP or
    World Wide Web site) where the source code may be downloaded by
    anyone would not establish ``knowledge'' of a prohibited export
    or reexport, including that described in paragraph (e)(2) of this
    section. In addition, such posting would not trigger ``red flags''
    necessitating the affirmative duty to inquire under the ``Know Your
    Customer'' guidance provided in Supplement No. 3 to part 732 of the

that's a pretty clear statement that it's OK to export open source
crypto just by notifying the US government in writing.

an update in October 2000 clarified the matter even further, points out
that the exemption also covers binaries compiled from open source, and
even provides an email address to send the written notifications to:

    4.  740.13 (Technology and Software Unrestricted (TSU)) clarifies
    the treatment of open source object code.  Object code compiled from
    source code eligible for License Exception TSU can also be exported
    under the provisions of License Exception TSU if the requirements
    of  740.13 are met and no fee or payment is required for object
    code (other than reasonable and customary fees for reproduction and
    distribution). Object code for which there is a fee or payment can
    be exported under the provisions of 740.17(b)(4)(i). The intent of
    this section is to release publicly available software available
    without charge (e.g. ``freeware'') from control. Also in  740.13,
    crypt@bxa.doc.gov address is added to prompt exporters to notify
    BXA electronically. Exporters should note the intent of the phrase
    ``released from EI controls'' in 740.13(e) means that 5D002 software
    eligible for TSU is released from the mandatory access controls
    procedures described in 734.2(b)(9)(ii).

IANAL, but that's clear as crystal to me. it even states that the intent
is "to release publicly available software from control".


craig sanders <cas@taz.net.au>

      GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0

Reply to: