This is the mail archive of the ecos-discuss@sources.redhat.com mailing list for the eCos project.



Re: Protecting RedBoot in the field


Gary Thomas wrote:
> On Mon, 2002-11-04 at 22:40, Jonathan Larmour wrote:
> >
> > Alas it isn't as simple as that: there are different regulations depending on the nature of the thing containing encryption and key length among other things. In summary, you can be granted an export licence for freely downloadable software fairly readily, but each submission requires a submission to the US BXA. Any time the encryption code is modified a new application is required. Who knows what happens with download mirror sites.
> >
> > Note that things would become more difficult for commercial redistributors/vendors of eCos (especially with the GPL involved) if stuff like OpenSSL was properly integrated. It would no longer have the exemptions associated with being "freely available", primarily the onerous post-export reporting ones.
> >
> > After a google, this is the best summary of the current status I could find:
> > http://www.fas.org/irp/news/2000/01/000113-crypto-bxa.htm
> >
> > That's why (unfortunately) OpenSSL is best left distributed only in the Free world.
>
> The way I read it, code which was derived from open source is
> exempt, period.  Look at TSU -- §§740.13(e) on this page:
>   http://www.bxa.doc.gov/Encryption/lechart1.htm
> straight from the BXA themselves.
Actually, we might be agreeing :-). That also says in the final "Restrictions" column that it requires "Notification or copy by time of export" which is what I meant - the "submission" I referred to above.

As for incorporating OpenSSL into eCos, yes we could use this for the free eCos. The problem arises when a US company wants to distribute its own eCos.... say you wanted to distribute your eCos (including OpenSSL) privately to me.... then the encryption in that isn't in the same place nor applied for by the same entity as the submission that we would make for sources.redhat.com. And as it isn't publicly available (despite being derived from a publicly available source, but if that was all that was required no-one would need this ever for OpenSSL), it doesn't come under the exemption:

http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html

Or at http://w3.access.gpo.gov/bis/ear/txt/740.txt section 740.13(e)(3) is particularly relevant:

"Encryption software controlled
under ECCN 5D002 that would not be considered
publicly available, but which incorporates or is
specially designed to use encryption software that
would be considered publicly available, is not
eligible for export or reexport under this paragraph (e)".

where paragraph (e) is the exemption for publicly available code.

In fact one company selling to the other privately doesn't even get the "mass market" exemption according to the rigid definitions in section 740.

Jifl
--
eCosCentric http://www.eCosCentric.com/ <info@eCosCentric.com>
--[ "You can complain because roses have thorns, or you ]--
--[ can rejoice because thorns have roses." -Lincoln ]-- Opinions==mine

