On Mon, 2002-11-04 at 22:40, Jonathan Larmour wrote:
Alas it isn't as simple as that: there are different regulations depending
on the nature of the thing containing encryption and key length among
other things. In summary, you can be granted an export licence for freely
downloadable software fairly readily, but each submission requires a
submission to the US BXA. Any times the encryption code is modified a new
application is required. Who knows what happens with download mirror sites.
Note that things would become more difficult for commercial
redistributors/vendors of eCos (especially with the GPL involved) if stuff
like OpenSSL was properly integrated. It would no longer have the
exemptions associated with being "freely available", primarily the onerous
post-export reporting ones.
After a google, this is the best summary of the current status I could find:
http://www.fas.org/irp/news/2000/01/000113-crypto-bxa.htm
That's why (unfortunately) OpenSSL is best left distributed only in the
Free world.
The way I read it, code which was derived from open source is
exempt, period. Look at TSU -- §§740.13(e) on this page:
http://www.bxa.doc.gov/Encryption/lechart1.htm
straight from the BXA themselves.
Actually, we might be agreeing :-). That also says in the final
"Restrictions" column that it requires "Notification or copy by time of
export" which is what I meant - the "submission" I referred to above.