Re: U.S. export laws on SSH/SSL?

From: Bill Unruh (unruh@physics.ubc.ca)
Date: 03/19/02


From: unruh@physics.ubc.ca (Bill Unruh)
Date: 19 Mar 2002 05:46:51 GMT

In <58Ok8.8958$e33.7805@nwrddc01.gnilink.net> "Nico Kadel-Garcia" <nkadel@bellatlantic.net> writes:

]"Edward Lee" <epl@linnix.com> wrote in message
]news:e48c1efe.0203161110.54df074@posting.google.com...
]> Is anyone familiar with U.S. export laws on encryption? If I place a
]> server overseas and manage it with SSH/SSL, am I breaking the laws?
]> How do I generate an exportable SSH/SSL? The docs describe a way to
]> pick the encryption scheme, but what is needed for export? I know
]> that we are in a backward country, but we have to try to follow stupid
]> laws.

]I Am Not A Lawyer.

]History: encryption is considered a "munition", a "material of war", by
]various federal agencies. The specific regulations against crypto materials
]are not laws: they are regulations of the executive branch offices. The laws
]under which one might be sentenced or blocked at the border are more general
]and are administered by these executive branches, just as the FCC is
]authorized to bust people for making pirate radio stations. Congress didn't
]say "no crypto", Congress said "munitions". The regs against exporting
]encryption used to be administered by the Customs office, and were ruled to
]be unconstitutional restrictions on free speech. So the feds transferred the
]regulations to Commerce, where the battle is going on again.

]As it stands, if you wish to export an encryption product, you apply for
]permission to the department of Commerce. They tell you if your stuff is too
]good for the NSA to decode at will and will therefore be denied permission,
]and if you're a big enough company to just hire somebody overseas and have
]them do it for you, you can usually talk them into negotiating with you
]about permission to export it, or weakening it enough to suit their
]standards. For example, the latest RedHat distributions have OpenSSL and
]OpenSSH as part of their OS images and installation CDs.

]Also, in practice, they don't hunt people who ignore the rules unless their
]noses get rubbed in it. Actually writing a solid encryption tool and
]publishing it worldwide, as Phil Zimmermann did, is rubbing their noses in
]it. Putting up public web servers in the US and letting people overseas
]download it without swearing, honest and for true, that they are nice people
]who would never even *consider* sending it to Cuba or Afghanistan, really, I
]promise, also seems to be enough to satisfy them.

]The rules don't seem to prohibit the *use* of overseas encryption, but
]merely its export. They certainly don't prohibit its import. So if you have
]the server auto-download OpenSSH or HTTPS tools from an overseas server and
]install it, I think you can avoid the encryption export regulations
]altogether.

It is too bad that such farragos get posted. This is a mixture of
half-remembered and wrong information.
"Public domain" software (e.g. open source software) may be exported
without a license (e.g. openssh, openssl; and if you do not believe it,
read the source code and look yourself for the "backdoors").
Zimmermann was not prosecuted because the prosecutor felt he could not
find sufficient evidence that Zimmermann actually exported the software.
In fact it seems he did not. He posted it for internal US use, and
someone else then "exported" it. Putting open source crypto software on a
web server is fine. (This is not legal advice. Go to a lawyer for that.)