Mailing List Archive

Removal of PEM from Apache (fwd)
keep this private to new-httpd for now.

I talked with her on the phone - here's the scoop. They need someone (I have
volunteered for now, but if there's someone who feels more qualified perhaps
we can work on this together) from the Apache project to write up an
explanation of why we removed the PEM code from the Apache code. I would
*presume* they are also talking to the folks at NCSA - Beth? Brandon? I am
basically going to state that we removed it at the *suggestion* of NCSA after
they were contacted on this matter, and since we're a loose group of
volunteers working on this in our spare time we removed it rather than run
the risk of entanglement with the government. I will also mention that it
severely restricts some of the more commercial applications we would like to
build, like the SSL functionality.

Any objections, comments, etc?

Brian


---------- Forwarded message ----------
Date: Tue, 14 Nov 1995 15:11:17 -0800
From: Cindy Cohn <Cindy@McGlashan.com>
To: brian@hyperreal.com
Cc: mer0@steefel.attmail.com, tien@well.sf.ca.us
Subject: Removal of PEM from Apache

Hello,

I am the lead attorney on a federal case called Bernstein v. Department of
State, being brought with the assistance of the Electronic Frontier
Foundation to challenge the ITAR restrictions on the export of cryptographic
information. You can read more about the case at http://www.eff.org in
their Alerts section.

In response to our case, the government attorneys have maintained to the
court that they are only interested in controlling "software which can
function to encrypt." They have asserted to the court that they do not
otherwise restrict export or attempt to chill the use of encryption
techniques, which they admit are legal in the US.

We would like to inform the Judge of the truth, that even those who do not
themselves offer cryptography are being asked to change their sites to make
it more difficult for others to use and acquire cryptographic information.
Would you be willing to sign a short Declaration describing your experience
with the NSA and State Department, including the representations which they
made to you about the scope of the ITAR, the timeline of these facts, a
description of what they asked you to do, and your decisionmaking process?
We would submit it along with declarations from others to contradict the
government's misrepresentations of its processes.

If you would like to discuss this further, please contact me at (415)
341-2585.

Thanks for your consideration,

Cindy A. Cohn



************************
Cindy A. Cohn (Cindy@McGlashan.com)
McGlashan & Sarrail, Professional Corporation
177 Bovet Road, 6th Floor
San Mateo, CA 94402
(415) 341-2585 (tel)
(415)341-1395 (fax)
Re: Removal of PEM from Apache (fwd)
Brian --- that sounds fine here...

rst
Re: Removal of PEM from Apache (fwd)
I was at the most recent court hearing in this case. In
addition to having a statement about the ITAR, it may be helpful for
interested members of the Apache group to attend future hearings on
the issue. It had a very good effect both on the morale of our counsel
making the arguments to the judge (Cindy) and I think the judge was
probably pretty impressed by the turnout. We had about 30 or so people
show up at the last hearing. You can probably be added to the
notifications regarding future hearings and such by subscribing to
cypherpunks-announce@toad.com or mailing John Gilmore at gnu@toad.com.

> I am the lead attorney on a federal case called Bernstein v. Department of
> State, being brought with the assistance of the Electronic Frontier
> Foundation to challenge the ITAR restrictions on the export of cryptographic
> information. You can read more about the case at http://www.eff.org in
> their Alerts section.

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: Removal of PEM from Apache (fwd)
They haven't contacted me yet, but yes you should direct them to
me. I came in on the discussion between the NSA & NCSA at the end
of the loop, but I was at a meeting where it was clearly indicated
that ITAR covers not only the encryption technology, but the hooks
to allow encryption to be added and any collaboration that indicates
in any way where those hooks would go if they were there. (i.e., we
had to remove not only the code but the "ifdef"s that surrounded
them.) During the discussion we indicated the hopelessness of removing
the old software from circulation which contained the hooks. They
indicated to us that all that was required from us was a good faith
effort to remove the code from our site and for us to request that
our collaborators do the same. Collaborators were defined as groups
we knew used our code or based products on our code.

-Beth

> keep this private to new-httpd for now.
>
> I talked with her on the phone - here's the scoop. They need someone (I have
> volunteered for now, but if there's someone who feels more qualified perhaps
> we can work on this together) from the Apache project to write up an
> explanation of why we removed the PEM code from the Apache code. I would
> *presume* they are also talking to the folks at NCSA - Beth? Brandon? I am
> basically going to state that we removed it at the *suggestion* of NCSA after
> they were contacted on this matter, and since we're a loose group of
> volunteers working on this in our spare time we removed it rather than run
> the risk of entanglement with the government. I will also mention that it
> severely restricts some of the more commercial applications we would like to
> build, like the SSL functionality.
>
> Any objections, comments, etc?
>
> Brian
>
>
> ---------- Forwarded message ----------
> Date: Tue, 14 Nov 1995 15:11:17 -0800
> From: Cindy Cohn <Cindy@McGlashan.com>
> To: brian@hyperreal.com
> Cc: mer0@steefel.attmail.com, tien@well.sf.ca.us
> Subject: Removal of PEM from Apache
>
> Hello,
>
> I am the lead attorney on a federal case called Bernstein v. Department of
> State, being brought with the assistance of the Electronic Frontier
> Foundation to challenge the ITAR restrictions on the export of cryptographic
> information. You can read more about the case at http://www.eff.org in
> their Alerts section.
>
> In response to our case, the government attorneys have maintained to the
> court that they are only interested in controlling "software which can
> function to encrypt." They have asserted to the court that they do not
> otherwise restrict export or attempt to chill the use of encryption
> techniques, which they admit are legal in the US.
>
> We would like to inform the Judge of the truth, that even those who do not
> themselves offer cryptography are being asked to change their sites to make
> it more difficult for others to use and acquire cryptographic information.
> Would you be willing to sign a short Declaration describing your experience
> with the NSA and State Department, including the representations which they
> made to you about the scope of the ITAR, the timeline of these facts, a
> description of what they asked you to do, and your decisionmaking process?
> We would submit it along with declarations from others to contradict the
> government's misrepresentations of its processes.
>
> If you would like to discuss this further, please contact me at (415)
> 341-2585.
>
> Thanks for your consideration,
>
> Cindy A. Cohn
>
>
>
> ************************
> Cindy A. Cohn (Cindy@McGlashan.com)
> McGlashan & Sarrail, Professional Corporation
> 177 Bovet Road, 6th Floor
> San Mateo, CA 94402
> (415) 341-2585 (tel)
> (415)341-1395 (fax)
>
>
>


--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu