httpd-dev mailing list archives

From efr...@ncsa.uiuc.edu (Elizabeth Frank)
Subject Re: export restrictions & mirroring Apache at NCSA
Date Thu, 18 May 1995 21:43:33 GMT
 > > > Me (Beth Frank)
 > >   Rob Hartill
 >     Brian Behlendorf

On May 18, 12:18pm, Brian Behlendorf wrote:
} Subject: Re: export restrictions & mirroring Apache at NCSA
 > 
 > On Thu, 18 May 1995, Rob Hartill wrote:
 > > > Bad News: The NSA (for the state department) has declared release
 > > 
 > > > any code you have developed based on those releases must either
 > > > have the PGP/PEM hooks removed, be licensed through the state
 > > > department for export on a per user basis, or made available 
 > > > only in the USA and Canada.
 > > 
 > > Pfffft. Sounds like they've gone overboard on that. The hooks
 > > don't do any encryption/decryption so what's their problem?

As far as the state department is concerned the hooks are sufficient
to make the software fall under the restrictions.

 > > Someone here suggested the hooks be converted into a general purpose
 > > "filter hooks"... that'd take care of those morons at the NSA.
 > 
 > The NSA doesn't even like the ASCII characters "PGP" leaving this 
 > country.  Fuck them!  Arg, this makes me so furious.  One side of me says 
 > fuck that, there's no crypto in this program, we're not taking it out, 
 > and you can bloody seize the machine it's stored on (hyperreal) from my 
 > bare hands and it won't matter, this code is everywhere you don't want it 
 > to be (to paraphrase Amex).  

Is it really worth the aggravation?

 > I'll mention this to Brock Meeks and see what he says... 
 > 
 > I have heard something about this before, but I forget the context.  It 
 > was also a situation where source code was being passed around that 
 > implemented absolutely no crypto, but had the potential for plugging in 
 > crypto, and that was deemed a bad thing.  What next, banning the 
 > distribution of Elm?

By their (NSA's) rules, general interfaces (like CCI) not intended for sole
use with encryption don't fall under restrictions.  The hooks in the NCSA
httpd are intended solely for use with restricted encryption code and are
therefore covered.  Encryption used only within the headers for authentication,
distributed in binary only form falls under Commerce department rules and
can be exported with (I think) a one time review.  (I think if we get ours
OK'ed and you say you build yours off of ours, you may not have to go through
this review, BUT I'm not sure about this and someone from Apache should
talk to the NSA BEFORE you include any of our new 1.5 code.)  Bulk encryption
can be approved for general distribution if it is weak (40 bit keys).

 > The other side is that hardly anyone (that I know of) uses the PGP_AUTH 
 > stuff anymore.  MarketNet was the only commercial service advertising 
 > it.  We have talked about security and I think agreed that the long term 
 > view was to try and develop an SHTTP implementation that didn't contain 
 > any crypto but linked with Terisa's shttp.a, and that someone would 
 > develop an alternate shttp.a based on PGP.  

Well SHTTP (unless implemented with 40 bit encryption) will be under
export restriction as well.

 > At any rate, I think a nice graphic on our home page would be cool:
 > "APACHE - THE WEB SERVER THE NSA DOESN'T WANT YOU TO HAVE"  :)
 > 
 > 	Brian
 > 
 > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
 > brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
 > 
}-- End of excerpt from Brian Behlendorf

The person to contact for how this affects Apache is John Sonderman (703)875-5650.
He handles export compliance for cryptography for the state dept.  We (NCSA)
have to make a reasonable effort to contact and inform our research partners
of the restrictions or we are considered liable.  My previous message was our
notification to you that there was a problem and that we request you cease
distribution of our software in a way that breaks US law.  If at some point in
the future the NSA asks me for information about who is known to have distributed
the problem software and if I have notified them, I will have to provide them
with that information and the Apache group is on the list.  At this time, the
NSA has not requested any such information from me. 

BTW, MIT has already gone through this hassle for a bunch of their software.
We are using their code to set up the US/Canada restricted server.

	Sincerely,
		Elizabeth Frank
		NCSA httpd Development Team
		efrank@ncsa.uiuc.edu

PS. Please note that the above is not an endorsement of US export laws.
It is a statement of our official policy.  The NCSA does not endorse breaking
any US laws.

