www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Export Control Revisited AGAIN
Date Sun, 13 Mar 2005 07:24:33 GMT
Resending this note to legal-discuss, because I believe an official
position on the nature of satisfying TSU 740.13, Foundation-wide,
is necessary to track our obligations and compliance.

Can we please assemble an official page at http://www.apache.org/bxa.html,
which answers the question submitted below?

The ENC exception that applies to us:

License Exception
    TSU - §740.13(e)

Type of Products
    Encryption source code that would be considered "publicly available" 
    (e.g. "open source") and corresponding object code

Class of End-Users

Country Scope (1)
    Global, may not knowingly export to Country Group E:1(2)
        (2) Regarding the restriction to Country Group E:1 (Cuba, Iran, 
            Libya, North Korea, Syria, and Sudan ), this includes exports 
            and reexports (as defined in §734.2 of the EAR) of encryption 
            source code and technology to nationals of these countries.

Reporting Requirements

    Notification of the Internet location, or else a copy of the source 
    code, by time of initial export.

12/9/04 Changes to the U.S. Encryption Policy
    Permits “publicly available” encryption software that has been posted 
    to the Internet under the notification procedures of License Exception 
    TSU (§740.13(e) of the EAR) to be updated or modified without additional 
    notification, provided the Internet location of the software has not 

The procedure for filing is documented here;


It seems that if we assemble all our filed ECCN 5D002 filings on
a single www.apache.org/bxa.html web page, we will no longer need
to even provide updated notification upon subsequent releases of
a project once we satisfy initial reporting requirements for that

In order to start the process, a committers@apache request would
have to go out, asking all projects to report their previous 5D002 
filings on behalf of the foundation (do we have any collection 
of these already?)  The second phase, once all primary ECCN 5D002
repositories are identified, is to ask the committers@apache to
re-review any internal dependencies within their projects.

Any Feedback or Comment?

This will ensure the Foundation is complying with all bxa requirements, 
and give us an offical respond to questions such as this:

>Subject: Export Control - Apache - Jakarta Project
>Date: Thu, 17 Feb 2005 14:11:15 -0500
>From: "Pulver, Keith H." <keith.pulver@ngc.com>
>To: <security@apache.org>
>We at Northrop Grumman have been using the Apache-Jakarta Project products "Tomcat v4.1.27...and...JK2
v2.0.2" in one of our systems for the U.S. Government. 
>Now, in order to extend the use of this system, by exporting to foreign countries, we
need to know if your company has an Export Control Classification Number (ECCN) or other license
granted by the U.S. Government permitting the export of the product. 
>Your earliest response will be appreciated and allow us to continue using your product
in this system.
>Keith Pulver
>Export Control and Compliance
>(     Phone: (410) 765-9891
>7      FAX:  (410) 981-5142
>        ?     E-Mail:  keith.pulver@ngc.com

DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message