httpd-dev mailing list archives

Subject Re: restructuring mod_ssl as an overlay
Date Thu, 08 Jun 2006 22:43:49 GMT
> Roy wrote...
> The sane solution would be to convince the US government to remove
> encryption from the export control list, since that regulation has
> been totally ineffective.  That is not likely to happen during this
> administration, though, and I don't think the ASF is allowed to
> lobby for it directly.

Not going to happen in our lifetimes.

Since World War II, when modern cryptography/encryption/decryption
turned out to be the deciding factor in the conflict itself, it's all been
classified as 'munitions' right along with firearms and explosives and,
as such, is ( now ) under the jurisdiction of the ATF ( Bureau of
Alcohol, Tobacco and Firearms. )

It isn't just a State Department policy thing.

Any change in the policy would involve tons of government agencies,
not just one.

> Roy also wrote...
> If anyone can think of another option, I'd like to hear it before
> proposing a vote.

Here's another option before doing anything drastic...

...get a professional opinion.

Roy... you have done fantastic research but I am seeing a lot of
'assumptions' in all the postings. ( Yours and others ). This isn't 
really something to get into with any 'assumptions'. You should be 
SURE that any changes are going to get you ( ASF ) where you
want to be.

Hypotheticals are fun but they don't get the horses into the barn.

Here is just one example from the postings... but an important one...

> The mere presence of mod_ssl source code appears to be sufficient to
> make the product as a whole covered by 5D002 export controls


Does it, or doesn't it?

mod_ssl is just a module. It doesn't do squat unless the OTHER
( Non ASF ) product is included in the compile. It's just a bunch
of hooks into someone else's product. Are you SURE mod_ssl
alone puts ASF into a 'danger zone' at all?

Another example would be the early posting where the (little) crypto
that IS included in Apache was shrugged off as 'insignificant'.
( MD5, SHA, Hashes, whatever ).

Well... maybe that's a reverse case where ASF is assuming that
isn't a problem but might, in fact, cause someone who doesn't
really, really understand these things ( like some Justice Department
lawyer ) some consternation.

Best bet is for ASF to actually get a RULING on the technology from
the State Department or whoever it is that would prosecute down the
road if their 'assumptions' don't match your 'assumptions'.

Get it from the horse's mouth.

Get it in writing.

You could pay tons of lawyers to look into this and they could all
still turn out to be wrong. The only people who know what will satisfy
them are the people who would prosecute a violation.

ATF? They have jurisdiction for prosecution. Maybe they are the
ones who can supply the rulings.

You asked for additional options before going to vote.

That's my 'additional option'.

Wait... and find out the exact nature of the problem and then
be SURE the changes provide the proper solution ( if there even
is a problem in the first place ).

