From: s1113645@tesla.cc.uottawa.ca
Date: Wed, 15 Nov 1995 01:12:41 +0800
To: cypherpunks@toad.com
Subject: NSA, ITAR, NCSA and plug-in hooks.
Message-ID: <Pine.3.89.9511140929.A25609-0100000@tesla.cc.uottawa.ca>
MIME-Version: 1.0
Content-Type: text/plain


I just found this tidbit while following Sameer's Apache WWW server link.
For those who were wondering if plug-in crypto hooks were still watched 
out for. One wonders how the ietf folks are managing to promote internet-wide
standards that are considered unexportable (Are they? What's the deal on 
photuris, PEM, ipsec and the rest of them?)

Ps. I may be totally wrong, but I remember seeing something posted last 
month about some ZKIPS scheme in relation with Netscape (zero knowledge 
proofs with web servers, huh? Confused).


-----------------------------------------------------------------------
   [IMAGE] 
   
                         WHY WE TOOK PEM OUT OF APACHE
                                       
   On May 17th, 1995, we were asked by a representative of NCSA to remove
   any copies of NCSA httpd prior to 1.4.1 from our web site. They were
   mandated by the NSA to inform us that redistribution of pre-1.4.1 code
   violated the same laws that make distributing Phill Zimmerman's PGP
   package to other countries illegal. There was no encryption in NCSA's
   httpd, only hooks to publicly available libraries of PEM code. By the
   NSA's rules, even hooks to this type of application is illegal. 
   
   Because Apache is based on NCSA code, and we had basically not touched
   that part of the software, we were informed that Apache was also
   illegal to distribute to foreign countries, and advised (not mandated)
   by NCSA to remove it. So, we removed both the copies of the NCSA httpd
   we had, and all versions of Apache previous to 0.6.5. 
   
   The Apache members are strong advocates of the right to digital
   privacy, so the decision to submit to the NSA and remove the code was
   not an easy one. Here are some elements in our rationale: 
     * The PEM code in httpd was not widely used. No major site relied
       upon its use, so its loss is not a blow to encryption and security
       on the world wide web. There are other efforts designed to give
       much more flexible security - SSL and SHTTP - so this wasn't a
       function whose absence would really be missed on a functional
       level. 
     * We didn't feel like being just a couple more martyrs in a fight
       being fought very well by many other people. Rather than have the
       machine that supports the project confiscated or relocated to
       South Africa, etc., we think there are more efficient methods to
       address the issue. 
       
   It kind of sickens us that we had to do it, but so be it. 
   
   Patches that re-implement the PEM code may be available at a foreign
   site soon. If it does show up, we'll point to it - that can't be
   illegal! 
   
   Finally, here is a compendium of pointers to sites related to
   encryption and export law. We can't promise this list will be up to
   date, so send us mail when you see a problem or want a link added.
   Thanks. 
     * Yahoo - Science: Mathematics: Security and Encryption 
     * EFF Crypto/Privacy/Security Archive 
     * Crypto page at Quadralay 
     * Cryptography Export Control Archives (Cygnus) 
     * ICLU - Your Rights in Cyberspace 
       
   Brian, brian@hyperreal.com