httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: SHTTP for Apache
Date Sat, 30 Sep 1995 11:03:50 GMT
> Ben L:
> [shttp et al...]
> > Does anyone know what we have to do in terms of code to avoid being arrested?
> > I've heard that even exporting code with encryption hooks but no encryption
> > code is illegal (in the US).
> A while back now, NCSA were told to remove all their PGP/PEM functionality
> from NCSA 1.3/1.4, which amounted to the removal of some explicit hooks
> in the code.  Apache was based on 1.3 and so, to avoid the same legal
> problems we decided also to remove that functionality from Apache.
> At about the same time Rob Thau came up with the modular system from
> Shambhala which Apache adopted.  The system would, in theory, allow
> 3rd-party developers to design their own modules to interface with the
> Apache API.  Clearly there is scope for a non-Apache Group module to
> be written by someone and then made available to the general public,
> subject to the legal considerations pertaining in their own country.
> For example, a South African resident could design a PGP/PEM encryption
> module and make it available for non US citizens to use.  Similar works could
> be made available by US residents but then would be restricted to
> distribution to only other US residents - no exporting of that new
> functionality across borders would be allowed.
> It is important, IMHO, that Apache Group's work, meaning the code we
> distribute from hyperreal and to the mirror sites, should be free from
> any legally questionable functionality.  This will ensure that the
> main focus of the group's work can proceed unhampered.  If Apache is
> maintained as an 'open' system, with a well documented API then there
> is no reason for the server itself to contain any code that might
> harm the project, and also there is every likelihood that 3rd party
> developers will be able to add functionality to the server.
> So:
> 1)	there's nothing to stop other people from developing
> 	SHTTP/SSL/PGP/PEM whatever modules, and managing their
> 	distribution and maintainence independently of the Apache Group

OK, but since SSL works at the connection level, there would have to be
some hooks to allow us to take over accept, bind, read, write and the like.
This is undoubtedly related to the OS independence stuff.

> 2)	the server as distributed should not contain any code
> 	that would break a nation's law

Hmm, whilst this is a nice principle, it may get a bit difficult in practise.
We'll probably have to settle for most nations, not all.

> > I have come across various others interested in this. I offer to (attempt to)
> > coordinate the various groups.
> You will find some useful pointers to this in the mailing list's archives,
> available on, DNS permitting.

Pointers to what, exactly?

> > Ben Laurie                  Phone: +44 (181) 994 6435
> Ay.



Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant        Fax:   +44 (181) 994 6472
and Technical Director      Email:
A.L. Digital Ltd,
London, England.

View raw message