On 10/27/2015 01:13 PM, Tom Kacvinsky wrote:
> Hi,
>
> What US cryptographic export laws apply to OpenSSL? I am in need of
> distributing the run time libraries (not the development kit), but I
> don't want to run afoul of export laws.

U.S. export law is a mess. Both "EAR" and "ITAR" can apply to OpenSSL derived code (ask me how I know from expensive personal experience).

I get asked this question a lot in private e-mails, usually from corporate managers or lawyers. I have a standard blurb I send in response:

<blurb>

We aren't lawyers, and don't pretend to have an adequate understanding of U.S. export regulations (or those of any other nation, for that matter). You really need to consult with competent export control lawyers. U.S. export controls are complex and quite nonsensical from the perspective of the uninitiated professional software developer.

That said, the standard blurb expressing our personal, unofficial, non-authoritative, uninformed, unverified, and thoroughly worthless opinion follows:

The OpenSSL project consists almost entirely of non-U.S. citizens who reside outside of the U.S., as do the principal computer systems on which this software is developed, stored, and distributed. Hence the OpenSSL project proper does not submit notifications to, or obtain any export permissions from, the U.S. Department of Commerce or Department of State.

OpenSSL Software Services (OSS) is a U.S. corporation. The function of the OSF is to handle commercial contracting for OpenSSL developers, some of whom realize most or all of their personal income from such work. When OSS itself supplies software to clients who desire to export we do perform the TSU filing. However, vendors who import from openssl.org and then export independently of OSS are responsible for their own BIS and/or DDTC filings for their resulting products.

Since the OpenSSL product in most applications meets the BIS definition of "open source" (a definition different from the conventional use of that term, incidentally) for ECCN 5D002, it typically qualifies for the TSU exception, which amounts to an electronic notification and a source code distribution or online reference to same. Note that notification is required for every distinct version of such software, which can add up to a lot of notifications.

Incidentally, the Apache Software Foundation does a nice job of explaining it: http://www.apache.org/dev/crypto.html. They have also automated the notification process to streamline the otherwise substantial manpower cost.

There is also some discussion of export restrictions in Appendix F of the OpenSSL FIPS Object Module User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf

Again, you really need to seek appropriate legal counsel and should not make any decisions based on any comments by OSF or OpenSSL.

</blurb>

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc