[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: your mail

On Wed, 21 May 2003, Mike M wrote:

> > I believe my country (Iran) is in the list of countries which US
> > restricts exporting such software to. But, encryption software is
> > bundled with every GNU/Linux distro, and all the Iranians (including
> > me) can download these software and use them. I wonder, according to US
> > law (which I am unfamiliar with), are users of such software in these
> > countires, violating any US rules? What about the distributor?
> If country A prohibits sending software S to country B, then if person P1 in 
> A physically sends S to person P2 in B, then P1 would be violating the rule 
> in A.


> If P1 runs an ftp site containing S in A and P2 in B downloads S from A's ftp 
> site, does P1 violate the rule in A?  Is P1 responsible for preventing P2 
> from downloading S?

This is unclear, and the FUD surrounding it is one of the reasons why
projects like OpenBSD, FreeSWAN, etc. are not US based.

Phil Zimmerman went through hell when we released PGP, even though
everyone agreed he didn't actually export it himself. ITAR, the old
regulations around this, is gone, but while the current regulations
(AER) are "better", they're still not enough to make everyone who
develops free implementations of cryptographic software comfortable
enough to do so in the US. The rules changed, but a lot of the
motivations behind them haven't. I know I (as a US citizen) wouldn't,
and don't, develop free crypto apps, even though I'd like to try. It's a

Regarding your question: I believe it is true that one must attempt to
limit distribution of software to the Evil Countries List if doing so
from the US. (Iran, Iraq, Libia, N. Korea, I think Sudan, some others.
Iraq, of course, will probably be coming off that list now that it is a
wholly owned subsidiary. I am not a lawyer. Don't take this as any sort 
of advice. Etc.)

> This discussion relates to another thread on this list about eliminating 
> telnet in favor of ssh.  ssh is clearly encrytion software and is under 
> distribution control of some countries.  telnet should remain available to 
> allow remote terminal access in a distro that is internationally unrestricted.

This is a problem. I've seen software that asks you where you are, and
attempts to do the Most Secure Legal Thing based on the answer (I can't 
recall what, now; I think it was the FreeBSD setup app, maybe others.). 
This may be the best approach, although that does hurt interoperability
a little. Not sure that's a bad thing in all cases.

A good place to start on this stuff, if you want to make your own
decisions about it, is unfortunately a specialty lawyer. A good online
resource is http://www.eff.org/Crypto/ITAR_export/ .


Jamie Lawrence                                        jal@jal.org
God Bless America, where laws are passed to protect people 
from the legal system. 
   - Anonymous Coward, Slashdot

Reply to: