httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <c...@stdlib.net>
Subject Re: restructuring mod_ssl as an overlay
Date Wed, 07 Jun 2006 22:02:36 GMT
On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote:
> Here's the page that I've put together right now:
> http://apache.org/dev/crypto.html.  Unfortunately, it  needs a little
> more detail.

Thank you very much, that's already answered a few of my questions and
given me some good pointers.

> The US export laws do not require us to offer a non-crypto version of
> products we place on the web that do include export-controlled crypto.
> The only thing we cannot do is knowingly export to a handful of
> particular countries; however, placing an item on the web does not
> qualify as knowingly exporting to any particular country.

That would be excellent.

> However, if there are httpd users in countries that have *import*
> restrictions that would like to use the non-ssl version of httpd, that
> might be a reason to do what is being suggested here.  But there is no
> U.S. regulation that I am aware of that requires us to distribute a
> non-SSL version....but maybe I'm not understanding the concern.

>From the sound of things, we could put up ssl-capable downloads right
now with no liability for the ASF or anyone other than users in
countries with such restrictions, which is useful to know.

> >So, I'm wondering how effective a liability shield it is for a US-based
> >corporation to export such content via non-US-based distributors. It
> >seems odd that this would work legally, but that SPI/Debian did it for
> >so long sparks my interest; maybe there is a path through.
> 
> I have no idea what the Debian story is, but that is not an option for
> a number of reasons.  Here's the biggest reason, the same U.S.
> government entity that controls our exports also controls reexport
> from any other country of goods that were previously exported from the
> U.S.

I've been reading http://www.debian.org/legal/cryptoinmain and it looks
like they shifted the liability to their developers personally, who
exported-by-proxy. 

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Mime
View raw message