| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| |
| <html xmlns="http://www.w3.org/1999/xhtml"> |
| <head> |
| <meta name="generator" content="HTML Tidy, see www.w3.org" /> |
| |
| <title>Why We Took PEM Out of Apache</title> |
| </head> |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) --> |
| |
| <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" |
| vlink="#000080" alink="#FF0000"> |
| <!--#include virtual="header.html" --> |
| |
| <h1 align="CENTER">Why We Took PEM Out of Apache</h1> |
| On May 17th, 1995, we were asked by a representative of NCSA to |
| remove any copies of NCSA httpd prior to 1.4.1 from our web |
| site. They were mandated by the NSA to inform us that |
| redistribution of pre-1.4.1 code violated the same laws that |
| make distributing Phil Zimmermann's PGP package to other |
| countries illegal. There was <strong>no</strong> encryption in |
| NCSA's httpd, only hooks to publicly available libraries of PEM |
| code. By the NSA's rules, even hooks to this type of |
| application are illegal. |
| |
| <p>Because Apache is based on NCSA code, and we had basically |
| not touched that part of the software, we were informed that |
| Apache was also illegal to distribute to foreign countries, and |
| advised (not mandated) by NCSA to remove it. So, we removed |
| both the copies of the NCSA httpd we had, and all versions of |
| Apache previous to 0.6.5.</p> |
| |
| <p>The Apache members are strong advocates of the right to |
| digital privacy, so the decision to submit to the NSA and |
| remove the code was not an easy one. Here are some elements in |
| our rationale:</p> |
| |
| <ul> |
| <li>The PEM code in httpd was not widely used. No major site |
| relied upon its use, so its loss is not a blow to encryption |
| and security on the world wide web. There are other efforts |
| designed to give much more flexible security - SSL and SHTTP |
| - so this wasn't a function whose absence would really be |
| missed on a functional level.</li> |
| |
| <li>We didn't feel like being just a couple more martyrs in a |
| fight being fought very well by many other people. Rather |
| than have the machine that supports the project confiscated |
| or relocated to South Africa, <em>etc.</em>, we think there |
| are more efficient methods to address the issue.</li> |
| </ul> |
| It kind of sickens us that we had to do it, but so be it. |
| |
| <p>Patches that re-implement the PEM code may be available at a |
| foreign site soon. If they do show up, we'll point to them - that |
| can't be illegal!</p> |
| |
| <p>Finally, here is a compendium of pointers to sites related |
| to encryption and export law. We can't promise this list will |
| be up to date, so send us mail when you see a problem or want a |
| link added. Thanks.</p> |
| |
| <ul> |
| <li><a |
| href="http://dir.yahoo.com/Computers_and_Internet/security_and_encryption/"> |
| Yahoo - Science: Mathematics: Security and |
| Encryption</a></li> |
| |
| <li><a href="http://www.eff.org/Privacy/Crypto/">EFF |
| Crypto/Privacy/Security Archive</a></li> |
| |
| <li><a |
| href="http://www.quadralay.com/www/Crypt/Crypt.html">Crypto |
| page at Quadralay</a></li> |
| |
| <li><a |
| href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography |
| Export Control Archives (Cygnus)</a></li> |
| |
| <li><a href="http://www.law.indiana.edu/law/iclu.html">ICLU - |
| Your Rights in Cyberspace</a></li> |
| </ul> |
| <a href="http://www.behlendorf.com/~brian/">Brian</a>, <a |
| href="mailto:brian@hyperreal.com">brian@hyperreal.com</a> |
| <!--#include virtual="footer.html" --> |
| </body> |
| </html> |
| |