Subject: Re: pkg: crypto question
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: current-users
Date: 03/16/1998 15:54:28
> From what I've heard it seems to be okay to _import_ crypto software
> to USA, so it would be okay to add pgpi or SSLeay to packages.

> Am I right ?

Disclaimer: IANAL, least of all a crypto lawyer.  This is all based on
bits and pieces gleaned from various sources, and may be out-of-date or
just plain wrong.

That're partially right.

I think it is technically against ITAR to export *or import* restricted
software without the appropriate license.  It's just that nobody ever
prosecutes import violations, so in practice it amounts to OK.

I'm not sure what the point would be, though, because they couldn't be
exported again.  (Of course, if {ftp,sup} were moved to
machines in the free world, this wouldn't be an issue.)

It's also not entirely clear what could happen if, say, someone in
Finland or the Czech Republic were to check something like IDEA into
(or out of) the NetBSD source tree.  Who would be liable for the ITAR
violation?  I don't know - I don't think anyone does - and I'm not
inclined to make NetBSD a test case. :-(

Yet another reason ... no, this isn't the place for political rants.

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B