Subject: Re: Draft encryption regulations try to exempt open source
From: Ben_Tilly@trepp.com
Date: Tue, 21 Dec 1999 13:28:46 -0500


>Apparently someone in the government has decided that open source
>encryption software should be exportable.  There are probably
>still some rough edges in their draft regs.  Some are probably due
>to misunderstanding the open source development process; others are
>probably deliberate attempts to limit the export privilege, by someone
>in the internal negotiation process.

Hmm...

>Anyway, I would appreciate if people on this list would read these
>regs, and see how they would apply to *your* free software business.
>I'm interested in your comments, and the government probably would be
>too.  I've spoken with Jim Lewis <jlewis@bxa.doc.gov>, who gets the
>emailed comments, and he seems serious about wanting to address the
>concerns of open source companies and organizations.
>
>The December 17 draft has been posted at:
>
>    http://www.cdt.org/crypto/admin/991217draftregs.shtml

I tried reading them.

I am not a lawyer.

I failed.

Here is the specific scenario, if someone could figure out how the rules
apply to this, then I can give informed comments.

Perl is widely distributed, both in code and pre-compiled.  It has
well-accepted mechanisms (CPAN for code, a selection of that code
pre-compiled for Windows by ActiveState).  Today you have to jump through a
series of hoops and bother if you wish to get cryptography support working
with Perl.  Specifically the process of getting SSL support for Perl on
Windows is far more complex than it needs to be.  And they have to be very
careful with how they distribute it because CPAN operates both in and out
of the US.

So tell me.  With the new rules will the Perl folks be able to add SSL
support to the core LWP library (allowing people in Perl to grab web pages
off of https websites)?  If yes, what specifically will they have to do to
get from here to there?  (The code *has* been written by non-US folks.  SSL
is a commerce standard.)  What other restrictions need to be jumped for
encryption-related modules for Perl to wind up on CPAN, and include in
other internet packaging systems (eg in the Debian distribution)?

Give me clear answers to that, and then I will tell you what I think of the
new rules.

Thanks,
Ben

PS My original gut reaction to the original announcement was that the
government was going to try to create an approval process that somehow only
backdoored software would pass.  Given past actions (once burned, twice
shy) I will continue to react that way until I see clear evidence
otherwise.