-
Notifications
You must be signed in to change notification settings - Fork 3
/
crypto-faq.html
748 lines (642 loc) · 34.7 KB
/
crypto-faq.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<link rel="top" title="Home" href="http://www.mozilla.org/">
<link rel="stylesheet" type="text/css" href="css/print.css" media="print">
<link rel="stylesheet" type="text/css" href="css/base/content.css" media="all">
<link rel="stylesheet" type="text/css" href="css/cavendish/content.css" title="Cavendish" media="screen">
<link rel="stylesheet" type="text/css" href="css/base/template.css" media="screen">
<link rel="stylesheet" type="text/css" href="css/cavendish/template.css" title="Cavendish" media="screen">
<link rel="icon" href="images/mozilla-16.png" type="image/png">
<title>Mozilla Crypto FAQ</title>
<meta name="author" content="Frank Hecker">
<meta name="keywords" content="Mozilla, mozilla.org, cryptography, encryption, SSL, S/MIME, export control">
<meta name="description" content="Frequently asked questions about cryptographic functionality in Mozilla.">
<link rel="author" rev="made" href="mailto:[email protected]" title="crypto-faq.html">
<script src="__utm.js" type="text/javascript"></script>
</head>
<body id="www-mozilla-org" class="deepLevel">
<div id="container">
<p class="important">You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is
highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If
there are any pages on this archive site that you think should be added back to www.mozilla.org, please <a
href="https://bugzilla.mozilla.org/enter_bug.cgi?product=Websites&component=www.mozilla.org">file a bug</a>.</p>
<p class="skipLink"><a href="#mainContent" accesskey="2">Skip to main content</a></p>
<div id="header">
<h1><a href="/" title="Return to home page" accesskey="1">Mozilla</a></h1>
<ul>
<li id="menu_aboutus"><a href="about/" title="Getting the most out of your online experience">About</a></li>
<li id="menu_developers"><a href="developer/" title="Using Mozilla's products for your own applications">Developers</a></li>
<li id="menu_store"><a href="http://store.mozilla.org/?r=mozorg1" title="Shop for Mozilla products on CD and other merchandise">Store</a></li>
<li id="menu_support"><a href="support/" title="Installation, trouble-shooting, and the knowledge base">Support</a></li>
<li id="menu_products"><a href="products/" title="All software Mozilla currently offers">Products</a></li>
</ul>
<form id="searchbox_002443141534113389537:ysdmevkkknw" action="http://www.google.com/cse" title="mozilla.org Search">
<div>
<label for="q" title="Search mozilla.org's sites">search mozilla:</label>
<input type="hidden" name="cx" value="002443141534113389537:ysdmevkkknw">
<input type="hidden" name="cof" value="FORID:0">
<input type="text" id="q" name="q" accesskey="s" size="30">
<input type="submit" id="submit" value="Go">
</div>
</form>
</div>
<hr class="hide">
<div id="mBody">
<div id="side">
<ul id="nav">
<li><a title="Roadmap" href="roadmap.html"><strong> Roadmap</strong></a></li>
<li><a title="Projects" href="projects/"><strong> Projects</strong></a></li>
<li><a title="For developers" href="developer/"><strong> Coding</strong></a>
<ul>
<li><a title="Module Owners" href="owners.html"> Module Owners</a></li>
<li><a title="Hacking" href="hacking/"> Hacking</a></li>
<li><a title="Get the Source" href="http://developer.mozilla.org/en/docs/Download_Mozilla_Source_Code"> Get the Source</a></li>
<li><a title="Building Mozilla" href="http://developer.mozilla.org/en/docs/Build_Documentation"> Build It</a></li>
</ul>
</li>
<li><a title="Testing" href="quality/"><strong> Testing</strong></a>
<ul>
<li><a title="Downloads of mozilla.org software releases" href="download.html"> Releases</a></li>
<li><a title="Latest mozilla builds for testers" href="developer/#builds"> Nightly Builds</a></li>
<li><a title="For testers to report bugs" href="https://bugzilla.mozilla.org/"> Report A Problem</a></li>
</ul>
</li>
<li><a title="Tools for mozilla developers" href="tools.html"><strong> Tools</strong></a>
<ul>
<li><a title="Bug tracking system for mozilla testers." href="https://bugzilla.mozilla.org/"> Bugzilla</a></li>
<li><a title="Latest status of mozilla builds" href="http://tinderbox.mozilla.org/showbuilds.cgi?tree=Firefox"> Tinderbox</a></li>
<li><a title="Latest checkins" href="http://bonsai.mozilla.org/cvsqueryform.cgi"> Bonsai</a></li>
<li><a title="Source cross reference" href="http://lxr.mozilla.org/seamonkey/"> LXR</a></li>
</ul>
</li>
<li><a title="Frequently Asked Questions." href="faq.html"><strong> FAQs</strong></a></li>
</ul>
</div>
<hr class="hide">
<div id="mainContent">
<center>
<h1>Mozilla Crypto FAQ</h1></center>
<center><b>Version 2.11</b><br>
Frank Hecker<br>
<a href="mailto:[email protected]">[email protected]</a><br>
September 10, 2000</center>
<p>In this document I try to answer some frequently asked questions
about the Mozilla web browser and mail/news client and its support for
SSL, S/MIME, and related features based on cryptographic
technology. Note that this document is for your information only and
is not intended as legal advice. If you wish to develop and
distribute cryptographic software, particularly for commercial sale or
distribution, then you should consult an attorney with expertise in
the particular laws and regulations that apply in your jurisdiction.
<p>I've updated this version of the Mozilla Crypto FAQ to discuss the
situation now that the RSA public key algorithm is in the public
domain and a full open source crypto implementation is being added to
the Mozilla code base. Information in the FAQ also reflects the new
U.S. encryption export regulations published on January 14, 2000, the
release on February 11, 2000, of source code for SSL, S/MIME, and
general PKI functionality for use in the Mozilla project, and the
"Bernstein advisory" issued by the Bureau of Export Administration on
February 17, 2000.
<p>The questions in this FAQ address Mozilla's support for encryption
and related security functionality, information important to Mozilla
contributors relating to encryption functionality in Mozilla, and
general questions on U.S. regulation of encryption technology.
<hr>
<h3>Cryptographic functionality in Mozilla</h3>
<ol>
<li><a href="#1-1">Have all the issues with Mozilla and crypto now
been resolved?</a><br> </li>
<li><a href="#1-2">What functionality is implemented by the Mozilla
crypto code released so far? When will Mozilla get full support for
SSL and S/MIME?</a><br> </li>
<li><a href="#1-3">What is the open source license used for the
Mozilla crypto code?</a><br> </li>
<li><a href="#1-4">Will mozilla.org accept new contributions of crypto
code?</a><br> </li>
<li><a href="#1-5">What about Mozilla support for PGP and other
protocols besides SSL and S/MIME? Will we be able to use GNU Privacy
Guard or other PGP versions with Mozilla?</a><br> </li>
<li><a href="#1-6">Is information available describing the format of
the PSM key and certificate database, so that other software can reuse
existing user keys and certificates managed by PSM?</a><br> </li>
</ol>
<h3>Information for Mozilla contributors</h3>
<ol>
<li><a href="#2-1">I want to mirror the Mozilla FTP site. Do I need to
do anything with regard to U.S. encryption export controls?</a><br> </li>
</ol>
<h3>Further information on U.S. export controls on encryption
software</h3>
<ol>
<li>
<a href="#3-1">What are the relevant U.S. government laws and
regulations governing export from the U.S. of encryption
software?</a><br> </li>
<li><a href="#3-2">I thought export of encryption software from
the U.S. was governed by the International Traffic in Arms
Regulations. What happened to the ITAR?</a><br> </li>
<li><a href="#3-3">Haven't U.S. export controls on encryption
software already been ruled unconstitutional?</a><br> </li>
<li><a href="#3-4">Where can I learn more about U.S. export controls
on encryption software?</a><br> </li>
</ol>
<hr>
<h2>Cryptographic functionality in Mozilla</h2>
<ol>
<li>
<a name="1-1"></a><b>Have all the issues with Mozilla and crypto now
been resolved?</b>
<p>Almost. Now that the RSA patent is in the public domain, Mozilla
crypto development can proceed with minimal restrictions. In the near
future the Mozilla code base will include a complete open source
cryptographic library, and Mozilla will include SSL support as a
standard feature.
<p>After the U.S. government relaxed U.S. export regulations in
January 2000 to allow export of source code for open source software
implementing encryption, the major remaining legal obstacle to Mozilla
crypto development was the fact that RSA Security, Inc., held a
U.S. patent on the RSA public key algorithm. In February 2000 iPlanet
E-Commerce Solutions (a Sun-Netscape Alliance) released source code
through mozilla.org for the Personal Security Manager and Network
Security Services software; this source code included support for the
SSL protocol, but due to the RSA patent and related legal issues it
did not originally contain code for RSA or other cryptographic
algorithms.
<p>On September 6, 2000, RSA Security released the RSA patent into the
public domain, two weeks before the patent was scheduled to expire
(on September 20, 2000). Shortly thereafter the NSS developers began
work on an open source implementation of the RSA algorithm; that code,
together with code previously developed for other cryptographic
algorithms, will be included in a new version 3.1 of the NSS open
source cryptographic and PKI library.
<p>This new RSA-capable version of NSS will then be included in a
future version of the open source PSM software, which will provide SSL
support for Mozilla. At that point both NSS and PSM will be completely
buildable using the open source code available from the mozilla.org
site, and NSS and PSM will be included in the Mozilla binary releases
distributed by mozilla.org.
<p>For more information on the RSA patent see the
<a href="http://www.rsasecurity.com/news/pr/000906-1.html">RSA Security press release</a>
announcing release of the patent into the public domain, and the
<a href="http://www.patents.ibm.com/details?&pn=US04405829__">RSA patent</a>
itself.
<p>For information on new US encryption export regulations, see the
U.S. Department of Commerce
<a href="http://www.cdt.org/crypto/admin/000112commerceannounce.shtml">press
release</a>
announcing the new regulations as well as the
<a href="http://www.cdt.org/crypto/admin/000114cryptoregs.pdf">updated
regulations</a> (PDF)
themselves.
Export of source code for open source software is addressed in
<a href="http://www.access.gpo.gov/bis/ear/pdf/740.pdf">Part
740</a> (PDF),
section 740.13(e), "Unrestricted encryption source code"; export of
binaries is addressed in 740.17.
<!--
(You may also be interested in a more
<a href="http://www.hecker.org/writings/encryption-export-changes.html">in-depth
analysis</a>
of the new regulations, with an emphasis on how they affect open
source software.)
-->
<p>For more information on the SSL, S/MIME, PKI, and other crypto
source code being developed as part of the Mozilla project, see the
<a href="http://www.mozilla.org/projects/security/pki/">PKI project page</a>
and of course the
<a href="http://www.mozilla.org/projects/security/pki/src/download.html">source
code</a>
itself.
Also see the original
<a href="http://www.iplanet.com/alliance/press_room/press_releases/011800.html">Sun-Netscape
Alliance press release</a>
on the release of PKI source code and the corresponding
<a href="http://home.netscape.com/newsref/pr/newsrelease793.html">mozilla.org
press release</a>.
<br> </li>
<li>
<a name="1-2"></a><b>What functionality is implemented by the Mozilla
crypto code released so far? When will Mozilla get full support for
SSL and S/MIME?</b>
<p>The Mozilla crypto code will shortly include a full implementation
of the RSA and other cryptographic algorithms; that implementation
will form the basis of a complete open source SSL implementation for
Mozilla. S/MIME support is also under development, but may not be
available in Mozilla until after the 1.0 release.
<p>Version 3.1 of the Network Security Services library will include a
complete open source implementation of the cryptographic algorithms
needed for Mozilla SSL support, including the RSA public key algorithm
(now in the public domain). NSS 3.1 will be available in beta form in
September 2000, with the final release to follow in October 2000. NSS
3.1 will be used in the 1.3 release of PSM, which will provide a
complete open source implementation of SSL for Mozilla. PSM 1.3 will
also provide support for Mozilla users to obtain personal digital
certificates and perform other PKI-related functions.
<p>Note that due to various implementation issues, PSM support for
Mozilla on the Macintosh is lagging somewhat behind PSM support on
Windows, Linux, and other platforms. Also note that the NSS
developers are creating code for support of S/MIME secure messages;
however full S/MIME support within Mozilla will require further
development, and may not be available until after the Mozilla 1.0
release.
<p>Finally, note that NSS (and thus PSM) can also be built using a
licensed copy of the RSA BSAFE Crypto-C library (versions 4.1 or
5.0). iPlanet E-Commerce Solutions has released Netscape-branded
binary versions of Personal Security Manager that incorporate the RSA
BSAFE Library; the Netscape PSM software can be installed and used
with binary Mozilla versions.
<p>For the very latest information about PSM, NSS, and other
crypto-related Mozilla developments, see the
<a href="news://news.mozilla.org:23/mozilla.dev.tech.crypto">mozilla.dev.tech.crypto
newsgroup</a>
or the corresponding
<a href="mailto:[email protected]?subject=subscribe">dev-tech-crypto
mailing list</a>.
For more information on NSS 3.1 see the
<a href="http://www.mozilla.org/projects/security/pki/nss/plan_3_1.html">NSS 3.1 plan</a>
and the
<a href="http://www.mozilla.org/projects/security/pki/nss/buildnss_31.html">NSS 3.1 build instructions</a>;
for more information on PSM 1.3 see the
<a href="news://news.mozilla.org/399C830B.91F4195D%40netscape.com">PSM
1.3 task list</a>
posted by David Drinan.
<p>For more information on the Netscape PSM binaries see the
<a href="http://docs.iplanet.com/docs/manuals/psm/psm-mozilla/">Netscape Personal Security Manager for Mozilla</a>
page.<br> </li>
<li><a name="1-3"></a><b>What is the open source license used for the
Mozilla crypto code?</b>
<p>The released source code is dual-licensed under the MPL and
the GPL.
<p>The Mozilla SSL, S/MIME, and PKI source code is licensed under the
Mozilla Public License (version 1.1), with the GNU General Public
License (version 2.0 or later) available as an alternate license. You
may choose to use the code either under the terms of the MPL or under
the terms of the GPL.
<p>This form of licensing was chosen to allow the released Personal
Security Manager and Network Security Services source code to be used
in as many contexts as possible; for example, the PSM and NSS code can
be used in Mozilla under MPL terms, and can also be used in GNU and
other projects under GPL terms. If you create and distribute
modifications to the original PSM and NSS code, we ask that you in
turn make such modifications available under both the MPL and
GPL. (Note that mozilla.org will not accept contributed modifications
into future PSM/NSS source releases unless they are so licensed.)
<p>For more information see the
<a href="http://www.mozilla.org/MPL/MPL-1.1.html">Mozilla Public
License</a>
and the
<a href="http://www.gnu.org/copyleft/gpl.html">GNU General Public
License</a>.
Specific questions about licensing of the PSM and NSS source
code should be directed to the
<a href="news://news.mozilla.org/netscape.public.mozilla.license">netscape.public.mozilla.license</a>
newsgroup or the associated
<a href="mailto:[email protected]?subject=subscribe">mozilla-license
mailing list</a>.<br> </li>
<li><a name="1-4"></a><b>Will mozilla.org accept new contributions of
crypto code?</b>
<p>Yes, as long as patent or other legal issues do not prevent such
code from being used by the general community of Mozilla
developers. New contributions of crypto code should also be reviewed
and approved by the appropriate Mozilla module owners, just as with
any other Mozilla contributions.
<p>For more information about patents related to cryptographic
algorithms and implementation techniques, see the questions relating
to
<a href="http://www.rsasecurity.com/rsalabs/faq/6-3.html">patents on
cryptography</a>
in RSA Laboratories'
<a href="http://www.rsasecurity.com/rsalabs/faq/index.html">cryptography
FAQ</a>.
See the Mozilla
<a href="http://www.mozilla.org/projects/security/pki/">open source PKI
projects</a>
pages for the names and email addresses of the Mozilla module owners
for crypto-related code.<br> </li>
<li><a name="1-5"></a><b>What about Mozilla support for PGP and other protocols
besides SSL and S/MIME? Will we be able to use GNU Privacy
Guard or other PGP versions with Mozilla?</b>
<p>Support for PGP and other security-related protocols and formats
can potentially be added to Mozilla in the same manner as SSL and
S/MIME; if anyone is interested in working on such support within the
Mozilla project then they are welcome to do so. We know of at least
two efforts which may produce PGP support for Mozilla.
<p>As noted above, the PSM code implements SSL and (in the future)
S/MIME support for Mozilla by taking advantage of generic high-level
Mozilla public APIs used to add new protocols and message
formats. These same APIs can be used to add support to Mozilla for
other security schemes, including potentially PGP. If anyone is
interested on working such support within the Mozilla project then
they are welcome to do so. However note that, as with SSL and S/MIME,
mozilla.org will not host code implementing patented algorithms that
are not generally usable by all Mozilla developers (including Mozilla
developers creating products for commercial sale and distribution).
<p>Also note that Mozilla support for PGP and other security schemes
may also be made available by commercial security vendors or by
independent developers, using the various public APIs already present
in Mozilla. Based on statements made in various Internet forums it
appears that the developers of GNU Privacy Guard may create a plugin
module to support invocation of GnuPG functionality from Mozilla;
Network Associates may also create a commercial PGP plugin for
Mozilla. You should contact those vendors or developers directly for
more information concerning their plans.
<p>See the Open Directory references for
<a href="http://dmoz.org/Computers/Security/Products_and_Tools/Cryptography/PGP/">general
PGP information</a>, including contact information for companies and
independent developers producing PGP implementations.<br> </li>
<li><a NAME="1-6"></a><b>Is information available describing the
format of the PSM key and certificate database, so that other software
can reuse existing user keys and certificates managed by PSM?</b>
<p>Yes, documentation of the database format is available; however
we cannot guarantee that the format of the database will remain
unchanged in the future.
<p>The initial release of SSL, S/MIME, and general PKI source code
from iPlanet E-Commerce Solutions includes some documentation on the
format of the key and certificate database. As with Mozilla
documentation in general, mozilla.org will be glad to host any other
documentation contributed to describe database formats, APIs, and
other technical aspects of the released SSL, S/MIME, and PKI source
code.
<p>However, as with APIs internal to Mozilla modules, mozilla.org
cannot guarantee that the format of the key and certificate database
will remain unchanged over time; in particular, changes may be
introduced at some point that break compatibility with existing
applications. Also, changing the database directly from an
application risks causing database corruption and subsequent problems
in PSM and applications like Mozilla using PSM. For these reasons we
strongly recommend that Mozilla developers and others access the key
and certificate database only through public APIs provided by the NSS
library.
<p>For more information see the documentation for the
<a href="http://www.mozilla.org/projects/security/pki/nss/db_formats.html">cert7.db certificate database</a>.
Also see the documents
<a href="http://www.sei.cmu.edu/publications/documents/99.reports/99tn010/99tn010dtic.html">"Into
the Black Box: A Case Study in Obtaining Visibility into Commercial
Software"</a>,
<a href="http://www.drh-consultancy.demon.co.uk/cert7.html">"Netscape
Certificate Database Information"</a>,
and
<a href="http://www.drh-consultancy.demon.co.uk/key3.html">"Netscape
Communicator Key Database Format"</a>,
the results of independent attempts to describe the
format of the Netscape Communicator 4.x key and certificate database
(with which the PSM key and certificate database format is
compatible).<br> </li>
</ol>
<h2>Information for Mozilla contributors</h2>
<ol>
<li><a name="2-1"></a><b>I want to mirror the Mozilla FTP site. Do
I need to do anything with regard to U.S. encryption export
controls?</b>
<p>No, you do not. As long as you are simply mirroring the Mozilla
site as is, you do not need to provide any notification to the Bureau
of Export Administration or NSA. If you are outside the U.S. you do
not need to provide such notification in any case, but you may need to
take other actions to comply with laws and regulations in your own
country concerning encryption technologies.
<p>As a mirror of the Mozilla FTP site you will automatically be
distributing open source encryption code as well. If you are a
U.S. resident and/or your mirror site is in the U.S. then you are
required to comply with applicable U.S. regulations governing the
export of encryption software. Your particular obligations depend on
your exact circumstances, and we cannot provide legal advice to you.
<p>However, in an advisory opinion issued in reference to the
Bernstein case, the Bureau of Export Administration (BXA) has stated
the following: "Concerning the posting onto a mirror or archive site
of already-posted source code, notification is required only for the
initial posting." BXA and NSA have already been notified of the
posting of encryption-related source code on the Mozilla site, and in
light of this opinion we have therefore decided <em>not</em> to ask
mirror sites to provide notification themselves.
<p>Note that in any case the notification procedures outlined in the
Export Administration Regulations apply only to U.S. residents and
sites located in the U.S. If you are not a U.S. citizen or resident
and your mirror site is located outside the U.S. then you are not
subject to U.S. encryption export regulations; however you may be
subject to other regulations related to encryption, and are
responsible for complying with any such regulations applying in your
jurisdiction.
<p>For information on notification requirements related to the export
of open source encryption source code, see the
<a href="http://w3.access.gpo.gov/bxa/ear/ear_data.html">Export Administration Regulations</a>, in particular
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:740.pdf">Part 740</a>,
sections 740.13(e), "Unrestricted encryption source code", and
740.17(g), "Reporting requirements". For the statement by the Bureau of
Export Administration on notification requirements for mirror sites, see
the section "Notification Requirements" in the
<a href="http://cryptome.org/bxa-bernstein.htm">Bernstein advisory
opinion</a>
contained in the letter dated February 17, 2000, from James Lewis of
BXA to Cindy Cohn, counsel for Daniel Bernstein.<br> </li>
</ol>
<h2>Further information on U.S. export controls on encryption software</h2>
<ol>
<li><a name="3-1"></a><b>What are the relevant U.S. government laws
and regulations governing export from the U.S. of encryption
software?</b>
<p>The Export Administration Regulations, the Export Administration
Act of 1979, and related U.S. presidential executive orders address
export of encryption software from the U.S.
<p>The main U.S. government regulations governing the export from the
U.S. of cryptographic software are the Export Administration
Regulations (EAR), also known as 15 CFR chapter VII subchapter C, or
15 CFR Parts 730-774. ("CFR" stands for "Code of Federal
Regulations.") The Export Administration Regulations were created by
the Bureau of Export Administration (BXA) and were designed primarily
to implement the requirements of the Export Administration Act of 1979
(as amended), also known as 50 USC appendices 2401-2420. ("USC" stands
for "United States Code.") The EAA was passed as temporary
legislation; however the President of the United States has
periodically issued orders to continue the EAA and EAR, exercising
authority under the International Emergency Economic Powers Act, also
known as 50 USC 1701-1706.
<p>For more information see
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:730.pdf">15 CFR Part 730</a>,
section 730.2 (concerning statutory authority for the EAR),
and the document
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:lagauth.pdf">"Principal
Statutory Authority for the Export Administration Regulations"</a>,
which contains copies of the Export Administration Act of 1979 (as
amended), the International Emergency Economic Powers Act (as
amended), and related legislation and executive orders.<br> </li>
<li><a name="3-2"></a><b>I thought export of encryption software from
the U.S. was governed by the International Traffic in Arms
Regulations. What happened to the ITAR?</b>
<p>The ITAR still exist, but are no longer used in the context of
export control of encryption software; for this purpose they have been
replaced by the EAR.
<p>Authority for non-military encryption export was transferred from
the U.S. State Department to the U.S. Department of Commerce by
Presidential Executive Order 13026 on November 15, 1996, for
regulation under the Export Administration Regulations (EAR), along
with all other export-controlled commercial products. At that time
encryption hardware, software, and technology was transferred from
the U.S. Munitions List to the Commerce Control List (CCL) of the
EAR.
<p>For more information see the document
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:lagauth.pdf">"Principal
Statutory Authority for the Export Administration Regulations"</a>,
which contains a copy of Executive Order 13026.<br> </li>
<li><a name="3-3"></a><b>Haven't U.S. export controls on encryption
software already been ruled unconstitutional?</b>
<p>Yes in a specific case, but the decision may yet be
overruled. Also, the case itself may be declared moot in light of the
new U.S. encryption export regulations.
<p>For several years Professor Daniel Bernstein (currently at the
University of Illinois at Chicago) has pursued a lawsuit against the
U.S. government essentially claiming that U.S. export control
regulations on encryption software and related conduct with regard to
cryptography (e.g., "technical assistance") were
unconstitutional. (Bernstein's suit was originally directed at the
ITAR and related regulations, since at the time the suit was filed the
current Export Administration Regulations were not yet in effect with
respect to encryption software.) Bernstein claimed that the
U.S. export regulations were in essence a licensing scheme designed to
impede or prohibit certain types of speech (e.g., publishing
cryptographic source code in electronic form), and were therefore
unconstitutional under the First Amendment to the
U.S. constitution. The U.S. government claimed in return that
cryptographic software was regulated based solely on its ability to be
used to secure communications and data, and that the national security
interest in so regulating it overrode any First Amendment protections;
as the export regulations put it, "encryption software is controlled
because of its functional capacity, and not because of any
informational value of such software". The government also claimed
that publication of cryptographic software in electronic form made
such functional use easier than publication in printed form, and that
that was sufficient to justify treating the two forms differently in
the regulations.
<p>On August 25, 1997, the U.S. District Court for the Northern
District of California issued a final ruling (written by Judge Marilyn
Hall Patel) that "the [U.S. government] encryption regulations are an
unconstitutional prior restraint in violation of the First Amendment."
The U.S. government appealed this decision to the U.S. 9th Circuit
Court of Appeals, and on May 6, 1999, the court upheld the
District Court's ruling in a 2-1 decision, with Judge Betty Fletcher
writing for the majority that the ITAR and EAR export restrictions
against encryption are an unconstitutional prior restraint of free
expression, impermissible under the First Amendment to the
U.S. Constitution.
<p>However this ruling did not settle the issue of the
constitutionality of U.S. export control regulations. The
U.S. Department of Justice has sought to appeal the decision, first to
all eleven members of the 9th Circuit Court of Appeals (referred to as
the court <i>en banc</i>, or full court) and then possibly to the
U.S. Supreme Court. Until the appeals process is completed the
U.S. government will continue to enforce current U.S. export
regulations.
<p>In light of the new encryption export regulations it is also
possible that the Bernstein case may be declared moot on the basis
that Professor Bernstein is now free to do what he originally
requested to do, i.e., publish his encryption source code online.
<p>For more information see the
<a href="http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/">archives
on the Bernstein case</a> maintained by the
<a href="http://www.eff.org/">Electronic Frontier Foundation</a>,
particularly the 9th Circuit Court of Appeals
<a href="http://www.eff.org/bernstein/Legal/19990506_circuit_decision.html">ruling</a>,
the
<a href="http://www.eff.org/bernstein/19990507_bxa_pressrel.html">press
release</a> issued by the U.S. Bureau of Export Administration
immediately afterward, and the U.S.
<a href="http://w3.access.gpo.gov/bxa/ear/ear_data.html">Export
Administration Regulations</a>
themselves, particularly
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:ccl5-pt2.pdf">15
CFR Part 774, Supplement No. 1, Category 5, Part 2</a>,
entry 5D002 (note on "functional capacity") and
<a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=bxa&docid=f:734.pdf">15
CFR Part 734</a>, paragraphs 734.3(b)(2) and (b)(3)
and accompanying note (printed form vs. electronic form).
See also the
<a href="http://cryptome.org/bernstein-bxa.htm">request for an
advisory opinion</a>
made to the Bureau of Export Administration by Bernstein's lawyers
and the resulting
<a href="http://cryptome.org/bxa-bernstein.htm">advisory opinion</a>
issued by BXA in response to that request.<br> </li>
<li><a name="3-4"></a><b>Where can I learn more about U.S. export
controls on encryption software?</b>
<p>For more information on U.S. export control of encryption software
and related topics, see the following online references:
<ul>
<li>The
<a href="http://www.eff.org/pub/Privacy/ITAR_export/index.html">ITAR,
EAR and encryption export archive</a> maintained by the
<a href="http://www.eff.org/">Electronic
Freedom Foundation</a> (EFF).<br> </li>
<li>The
<a href="http://www.epic.org/crypto/">cryptography policy page</a>
maintained by the
<a href="http://www.epic.org/">Electronic Privacy Information
Center</a> (EPIC).<br> </li>
<li>The <a href="http://www.cdt.org/crypto/">encryption page</a>
maintained by the
<a href="http://www.cdt.org/">Center for Democracy and
Technology</a> (CDT).<br> </li>
</ul>
<p>The following books may also be of interest if you want to know more
about the history and politics of U.S. export control of encryption
software:
<ul>
<li><cite><a href="http://www.amazon.com/exec/obidos/ISBN=0262041677/">Privacy
on the Line: The Politics of Wiretapping and Encryption</a></cite>, by
Whitfield Diffie and Susan Landau.
Provides historical context and technical background for the recent political
battles around encryption and privacy issues.<br> </li>
<li><cite><a href="http://www.amazon.com/exec/obidos/ISBN=026201162X/">Technology
and Privacy: The New Landscape</a></cite>, by Philip Agre and Marc
Rotenberg (ed.). A set of ten essays on various aspects of privacy and
technological developments affecting it.<br> </li>
<li><cite><a href="http://www.amazon.com/exec/obidos/ISBN=0471122971/">The
Electronic Privacy Papers: Documents on the Battle for Privacy in the
Age of Surveillance</a></cite>, by Bruce Schneier and David Banisar
(ed.). A collection of public documents relating to U.S. encryption
policy and related topics.<br> </li>
<li><cite><a href="http://www.amazon.com/exec/obidos/ISBN=0387944419/">Building
in Big Brother: The Cryptographic Policy Debate</a></cite>, by Lance
Hoffman (ed.). An earlier (circa 1995) collection of essays and public
documents, with a concentration on the Clipper chip controversy and
the Digital Telephony Act.<br> </li>
<li><cite><a href="http://www.amazon.com/exec/obidos/ASIN/1893044076/">Cryptography
& Liberty 2000: An International Survey of Encryption Policy</a></cite>,
by the Electronic Privacy Information Center.
The latest in a series of annual surveys of government policies
relating to encryption, covering over a hundred
countries.<br> </li>
<li><cite><a href="http://www.amazon.com/exec/obidos/ISBN=9041106359">The
Limits of Trust: Cryptography, Governments, and Electronic
Commerce</a></cite>,
by Stewart Baker and Paul Hurst. An in-depth (but badly outdated)
discussion of the legal framework for regulation of cryptography in
various countries around the world, including the U.S.<br> </li>
</ul>
See the
<a href="http://www.epic.org/bookstore/">EPIC bookstore</a>
for more recommendations of books discussing privacy in general and
public policies related to privacy issues.<br> </li>
</ol>
<hr class="hide">
</div>
</div>
<div id="footer">
<ul>
<li><a href="sitemap.html">Site Map</a></li>
<li><a href="security/">Security Updates</a></li>
<li><a href="contact/">Contact Us</a></li>
<li><a href="foundation/donate.html">Donate</a></li>
</ul>
<p class="copyright">
Portions of this content are © 1998–2009 by individual mozilla.org
contributors; content available under a Creative Commons license | <a
href="http://www.mozilla.org/foundation/licensing/website-content.html">Details</a>.</p>
<p>
<span>Last modified December 11, 2007</span>
<span><a href="http://bonsai-www.mozilla.org/cvslog.cgi?file=mozilla-org/html/crypto-faq.html&rev=&root=/www/">Document History</a></span>
</p>
</div>
</div>
</body>
</html>