[openssl-users] Cryptographic export laws + OpenSSL

Steve Marquess marquess at openssl.com
Tue Oct 27 18:17:08 UTC 2015


On 10/27/2015 01:13 PM, Tom Kacvinsky wrote:
> Hi,
> 
> What US cryptographic export laws apply to OpenSSL?  I am in need of
> distributing the run time libraries (not the development kit), but I
> don't want to run afoul of export laws.

U.S. export law is a mess. Both "EAR" and "ITAR" can apply to OpenSSL
derived code (ask me how I know from expensive personal experience).

I get asked this question a lot in private E-mails, usually from
corporate managers or lawyers. I have a standard blurb I send in response:

<blurb>

We aren't lawyers, and don't pretend to have an adequate understanding
of U.S. export regulations (or those of any other nation, for that
matter).  You really need to consult with competent export control
lawyers.  U.S. exports controls are complex and quite nonsensical from
the perspective of the uninitiated professional software developer.

That said, the standard blurb expressing our personal, unofficial,
non-authoritative, uninformed, unverified, and thoroughly worthless
opinion follows:

The OpenSSL project is comprised almost entirely of non-U.S. citizens
who reside outside of the U.S., as do the principal computer systems
on which this software is developed, stored, and distributed.  Hence
the OpenSSL project proper does not submit notifications to, or
obtain any export permissions from, the U.S. Department of Commerce
or Department of State.

OpenSSL Software Services (OSS) is a U.S. corporation.  The
function of the OSF is to handle commercial contracting for OpenSSL
developers, some of whom realize most or all of their personal income
from such work.  When OSS itself supplies software to clients
who desire to export we do perform the TSU filing. However, vendors
who import from openssl.org and then export independently of OSS are
responsible for their own BIS and/or DDTC filings for their
resulting products.

Since the OpenSSL product in most applications meets the BIS
definition of "open source" (a definition different than the
conventional use of that term, incidentally) for ECCN 5D002 it
typically qualifies for the TSU exception which amounts to an
electronic notification and a source code distribution or online
reference to same.  Note that notification is required for every
distinct version of such software, which can add up to a lot of
notifications.

Incidentally the Apache Software Foundation does a nice job of
explaining it: http://www.apache.org/dev/crypto.html.  They have
also automated the notification process to streamline the otherwise
substantial manpower cost.

There is also some discussion of export restrictions in Appendix F
of the OpenSSL FIPS Object Module User Guide,
http://www.openssl.org/docs/fips/UserGuide.pdf

Again, you really need to seek appropriate legal counsel and should not
make any decisions based on any comments by OSF or OpenSSL.

</blurb>

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc