To: openssl-dev@openssl.org, jean-marc.desperrier@certplus.com Subject: Re: [Eben Moglen ] Re: US crypto export restrictionsand GNU (fwd) From: Richard Levitte - VMS Whacker In-Reply-To: Your message of "Thu, 16 Mar 2000 19:14:49 +0100" <38D12499.99A3BA88@certplus.com> References: <38D12499.99A3BA88@certplus.com> X-Mailer: Mew version 1.93 on Emacs 19.34 X-URL: http://www.stacken.kth.se/~levitte/ X-mailhacking1: I do not send mail using QP. I use 8bit instead. However, some X-mailhacking2: mail servers on the way might find pleasure in converting my X-Mailhacking3: messages to QP anyway. I will not be responsible for that. X-mailhacking4: See =?iso-8859-1?Q?http://www.lysator.liu.se/=E5ttabitars/?= to see the reasons. X-Waved: dead chicken, GNU Emacs 19.34.1, Mew version 1.93 X-Mew: See http://www.mew.org/ Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000316194028N.levitte@pizza.stacken.kth.se> Date: Thu, 16 Mar 2000 19:40:28 +0100 Sender: Richard Levitte X-Dispatcher: imput version 980905(IM100) Lines: 81 jean-marc.desperrier> Indeed. jean-marc.desperrier> If some code in open source project has been jean-marc.desperrier> developed in the USA, then we must keep a trace jean-marc.desperrier> of where it is to be able to remove it later in jean-marc.desperrier> case the regulation in the US become more jean-marc.desperrier> restrictive. jean-marc.desperrier> jean-marc.desperrier> So it does not propagate in the meaning that the jean-marc.desperrier> european code never becomes unexportable, but in jean-marc.desperrier> order to take advantage of that, we need to be jean-marc.desperrier> able to "clean" it and remove all the american jean-marc.desperrier> code in it at the moment we need to. I asked Eben to clarify exactly that. This was his response: Return-Path: Return-Path: moglen@columbia.edu Received: from old.law.columbia.edu (mail@emoglen.law.columbia.edu [128.59.176.134]) by brev.stacken.kth.se (8.9.3/8.9.3) with SMTP id TAA02117 for ; Thu, 16 Mar 2000 19:13:13 +0100 (MET) Received: from eben by old.law.columbia.edu with local id 12Velj-0003Vc-00; Thu, 16 Mar 2000 13:13:11 -0500 MIME-Version: 1.0 In-Reply-To: Richard Levitte - VMS Whacker's message of Thu, 16 Mar 2000 09:39:43 +0100 <20000316093943B.levitte@pizza.stacken.kth.se> References: <20000316093943B.levitte@pizza.stacken.kth.se> Message-Id: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: [Eben Moglen ] Re: US crypto export restrictionsand GNU (fwd) From: Eben Moglen To: Richard Levitte - VMS Whacker Date: Thu, 16 Mar 2000 13:13:11 -0500 On Thu, 16 March 2000, Richard Levitte - VMS Whacker wrote: Hello Eben, I'm one of the OpenSSL deevelopers, and I'm personally very grateful that you came out and set the record straight for us all, as I'm sure basically everyone you've reached is. Thank you. Now, there's a lieelt thing I want to make sure I got right. My english is not always that good, so I just want to tell you how I interpreted what you wrote below, and all I want to know is if my interpretation was correct or not: moglen> [...]. In the worst case analysis, components exported moglen> now might subsequently become non-exportable in the event that moglen> regulations in the US become more restrictive. No one would be moglen> subject to prosecution or interference as a result of export occurring moglen> before the change in regulations (that's a matter of constitutional moglen> law in the US), but all subsequent development of those components moglen> would then have to occur somewhere other than here. No code not moglen> originally developed in the US would be subject to this tightened moglen> regulatory environment, unless such code were "in" the US, in which moglen> case the particular copy that was "in" the US wouldn't be able to moglen> leave again--a restriction which makes no difference. I interpret it as this: if we insert a piece of US-originated code into OpenSSL today, or receive something from the US today that we plan to insert into OpenSSL the day after tomorrow, and the regulations are changed to something restrictive tomorrow, we're safe and don't have to remove that code from OpenSSL. Correct or not? I'm under the interpretation that it is correct, but I've had discussions with people that are paranoid around this scenario. Correct. What's exported will stay exported. Further development of such code might have to occur outside the US, but no code will have to be removed. Best regards. -- Eben Moglen voice: 212-854-8382 Professor of Law & Legal History fax: 212-854-7946 moglen@ Columbia Law School, 435 West 116th Street, NYC 10027 columbia.edu General Counsel, Free Software Foundation http://emoglen.law.columbia.edu