*BSD News Article 19884


Return to BSD News archive

Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!haven.umd.edu!umd5.umd.edu!roissy.umd.edu!mark
From: mark@roissy.umd.edu (Mark Sienkiewicz)
Newsgroups: comp.os.386bsd.questions
Subject: Re: FreeBSD outside of US??
Date: 23 Aug 1993 16:40:35 GMT
Organization: University of Maryland
Lines: 85
Message-ID: <25aru3$cdv@umd5.umd.edu>
References: <WS.93Aug22212223@kurt.tools.de> <258qov$i3e@landin.ecs.soton.ac.uk> <1993Aug23.083546.5676@gmd.de>
NNTP-Posting-Host: roissy.umd.edu

In article <1993Aug23.083546.5676@gmd.de> veit@mururoa.gmd.de (Holger Veit) writes:
>So this brings up another interesting idea. Say we had a free site outside
>the US, reasonably fast accessible from the US internet area,
>give the FreeBSD people an account to log in there, and let them compose
>the release of FreeBSD with "some crypt version" from Denmark. There should
>be no legal restrictions on distributing this product, because the BSD code
>itself is not restricted, and no line of crypt would have left the states.
>What then about *importing* code into the US? Since numerous US ftp sites
>carry gnu-crypt, and this should have come into the land through some network,
>*I* would consider hosting of FreeBSD on an non-US site a solution to this
>problem. Perhaps someone could explain the real legal status of such a
>workaround?


According to "International Traffic in Arms Regulations" (ITAR),  anything
that does encryption is a "munition".  Such items require approval for both
export *and* import.  [See footnotes below]

I propose that the solution is this:

1. *BSD should have a common source and object tree without encryption.  
   386bsd 0.1 did this.

2. There should be a US encryption package.  This should be distributed
   only within the US.

3. There should be a non-US encryption package.  This should be distributed
   only outside the US.

The correct steps to fetch a *BSD distribution then become:
	1. Get the common part (i.e. nearly everything) from wherever you
	   can find it.  Install it.
	2. Get the encryption package for your site.  This doesn't have to
	   be from the same site.  There could be some sites that have only
	   the encryption package.  Install it.

It would be nice if the no-encryption version could work without fetching
one of the encryption packages, but I don't consider that necessary.



Footnote:

Rare instance of me using a disclaimer:  I'm not an expert in these areas.
I'm just a guy who knows how to read (and type :).

Section 121.1 General. The United States Munitions List.

Category XIII - Auxiliary Miltary Equipment

...
(b) Speech scramblers, privacy devices, cryptographic devices and 
software (encoding and decoding),  and components specifically desinged
or modified therefore, ...etc...
...

Category XVIII

Technical data (as defined in section 120.21) relating to the defense articles
listed in other categories of the United States Munitions List.

Section 123.1  Requirements for export licenses.

(a) Any person who intends to export a defense article must obtain a license
from the Office of Munitions Control prior to the export unless the export
qualifies for an exemption under the provisions of this subchapter.
...

Section 123.2  Imports

No defense article may be imported into the United States unless (a) it
was previously exported temporarily under a license issued by the Office of
Munitions Control; or (b) it constitutes a temporary import/intransit
shipment license under section 123.3; or (c) its import is authorized by
the Department of the Treasury (see 27 CFR parts 47, 178, and 179).
...


According to my reading, this makes it illegal to import or export the
algorithm for Ceasers Cipher...

Section 120.18 defines "Public Domain", but I couldn't find any reference
to public domain in any of the other sections.  There may be a loophole
here somewhere...