Replies: 4 comments
-
I think you can safely put that worry to rest. This library is an implementation of very standard cryptographic algorithms codified in RFC4880 and RFC4880-bis, and there's nothing particularly novel here cryptographically. Also, the devs are an international group so it's hard to see how the US would have jurisdiction in any case, but I understand the desire to be "safe."
-
The US doesn't have jurisdiction over the international developers, but it does have jurisdiction over US companies that export the code the international developers wrote. As an analogy, a French company makes a product which is purchased by a US company and shipped to a warehouse in the US. The product is then sold and shipped to a person in England. This would count as reexport (IMHO/IANAL), and reexport of encryption source code is covered by export restrictions for US companies and individuals. So, it isn't the fact that it is a novel algorithm, it is the fact that it can strongly encrypt data at all. The escape hatch to having to be licensed for export/reexport of such source code appears to be that they cannot limit free speech of companies or citizens, so published works are exempt (thanks largely to Phil Zimmermann, Daniel J. Bernstein, and the EFF). The trick is they have defined "published" as the URL being sent to those two addresses on every change of the URL hosting the code or (if changes are not available via the URL) every change of the code being sent to those two addresses. So it looks like this doesn't need to be a git hook, just a one-time email of the repo URL to those addresses, which is something I think we can handle on our own (if someone hasn't beaten us to it already). It might be handy for other US companies/citizens if you mention that you have emailed the repo URL to them in the README.md (with a reference to that document), but I don't think it is needed.
-
Thanks for the detailed explanation. Go for it, and feel free to make a PR to edit the README as well.
-
Not a lawyer. The email is indeed one time only. openpgpjs is indeed subject simply by being hosted in the US (GitHub) and then exported worldwide. The single email fulfills the obligations as long as the algorithms are known and the code is public. What is more interesting to you, @cowens, though, is how your own app or code is treated under the US export laws (and other countries' import laws), for which you may need to ask a lawyer, since it depends on many factors (mass market or not, public or private, developers where, hosted where, submitted where and how and to whom, etc.).
-
I am worried about US laws concerning export of encryption algorithms that are considered munitions. From what I can glean from this EFF article about US Export Controls, I don't have to worry about algorithms that have been "published", where "published" means the URL for the source code (or copies of the source code) has been sent to crypt@bis.doc.gov and enc@nsa.gov for each change.
Does this project handle that (via, say, a git hook) or is this an effort I need to take on for myself?