Title: Handling cryptography within an ASF release
This page provides PMC members with the information they need to ensure U.S. export control laws are satisfied for ASF product distributions that contain, or are designed or modified to use, cryptography for data confidentiality.
This page is not intended for users of Apache products. Users should consult the export control status of our products.
Note: The regulations covering US export control laws for encryption are continuously changing, and the latest modification of this page, to describe the current state of regulations, was May 24, 2019.
This page describes the process which should be continued until the Apache VP Legal Affairs approves an updated version.
Notices of updates to this page appear on the legal-discuss mailing list.
The U.S. Government places restrictions on the export of some types of software, including software employing cryptographic functions. Fortunately, EAR Section 742.15(b) applies to most of the cryptography of concern to the ASF.
PMCs considering including cryptographic functionality within their products, or designing their products to use other software with cryptographic functionality, should take the following steps before placing such code on any ASF server, including commits to subversion or git.
Section 742.15(b) of the Export Administration Regulations (EAR) authorizes exports and reexports, without review, of encryption source and object code provided the following conditions are met:
To satisfy the BIS requirements to make source code available for inspection, while minimizing the number of notification emails needed to be sent, the ASF maintains a single web page at https://www.apache.org/licenses/exports/ with links to the applicable source code for each version of each ASF product classified as ECCN 5D002.
To make updates to this ASF-wide Exports page as simple and consistent as possible, the source matrix is a .yaml file that anyone with site-dev karma (which includes all PMC chairs) can update. The exports web page is generated from this .yaml file.
Test any edits to the exports page using both the site build process (view index.html
before committing any changes) and by running the bisnotice.xsl
transform on the product added/changed (see below). You can probably figure out how to format the information for your project's product by following the example of other projects and reading the page. If you have any further questions about the content, or if you are not sure that a BIS notice is required, please check the FAQs first and then bring any remaining questions to the legal-discuss
mailing list. Note that the product data should only be version-specific if the classification changes (e.g., Apache HTTP Server version 1.3 vs 2.0) or if the link to the controlled source code needs to change, such as if the encryption library included in the product for different releases came from different manufacturers. In addition, it is possible to include both controlled and non-controlled (ECCN “n/a”) products in the list, but a BIS notice is only necessary for the products that have at least one version classified as ECCN 5D002.
After ensuring the distribution's cryptography qualifies for an exemption under Section 742.15(b) and after ensuring the applicable source code is linked from the ASF-wide export page, but before publicly posting the distribution or committing the controlled code, send an email using the template below.
An XSLT transformer called bisnotice.xsl can generate the BIS notice for a product based on the XML data. For example, running it as:
$ cd {SVNROOT}/infrastructure/site/trunk/</li> $ svn up</li> $ cd content/licenses/exports/</li> $ java -Xbootclasspath/p:../../../lib/xalan.jar org.apache.xalan.xslt.Process \ -in index.page/eccnmatrix.xml -xsl bisnotice.xsl \ -param product 'Apache HTTP Server'
will result in text output that looks like an email template for the PMC chair to send to the appropriate addresses. A generic example is below. Note that the product parameter selects which product(s) to print based on matching a substring of the product name. The template output is only correct when a single product is matched.
There are also some sample script files in the top-level directory (site/trunk): bisnotice.cmd
(Windows) and bisnotice.sh
(Un*x).
TO: crypt AT bis.doc.gov, enc AT nsa.gov, web_site AT bis.doc.gov CC: {applicable project list} SUBJ: Section 742.15 NOTIFICATION - Encryption</p> SUBMISSION TYPE: Section 742.15 SUBMITTED BY: {PMC member sending email} SUBMITTED FOR: Apache Software Foundation POINT OF CONTACT: Secretary, Apache Software Foundation MANUFACTURER(S) {list of origin of all crypto code, e.g. "OpenSSL Project" or "Apache Software Foundation." If product includes multiple crypto items from different origins, list all origins.} PRODUCT NAME/MODEL #: {Apache product name(s) that include the source code found at the URL below, or any binaries that were created by compiling that source code -- do not specify version numbers if the future versions will use source code found at the same URL (even if the source is updated at that URL) } ECCN: 5D002 NOTIFICATION: http://www.apache.org/licenses/exports/
Should the software qualify for the Section 742.15(b) exemption, place the following notice into each distribution's README file:
This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org for more information. The Apache Software Foundation has classified this software as Export Commodity Control Number (ECCN) 5D002, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the "publicly available" Section 742.15(b) exemption (see the BIS Export Administration Regulations, Section 742.15(b)) for both object code and source code. The following provides more details on the included cryptographic software:
Be sure to add some information at the bottom of the notice about the components of the release including cryptography.
The product name is the name of the ASF product (e.g. “Apache Foo”), even if the notification is being made about another manufacturer‘s cryptography included in the ASF product. Do not list the ASF product’s version number.
the notification is a URL that directly or indirectly points to the source code for the crypto item built by the listed manufacturer that is distributed within the ASF product. At the ASF, we indirectly point to the source code by having all products list www.apache.org/licenses/exports/
as the NOTIFICATION url, and ensuring that this page is refreshed with the set of links to the crypto source code for the notifying product. If the product contains more than one crypto item, the exports page simply points to the source for each crypto item included in the product.
You must send the notification email prior to exporting/posting online. Note: this even includes distribution of code through publicly accessible servers/repositories before there has been any official release.
The obvious example is including something like an OpenSSL binary within a product distribution from a /dist URL. The less-obvious example is the point at which a software repository starts to include code that is specially designed to work with any other 5D002 item, whether that item is ever to be included within a product distribution or not. In other words, a project should send out a notification email just after making the decision to include code that is specially designed to work with crypto APIs but before actually committing such code. No need to worry about surprise Jira attachments with such code -- only the event of committing the code to the ASF product repository.
No. We do not need to worry about surprise Jira attachments with such code -- only code committed to the ASF product repository. The actual poster of these attachments would be the one ‘exporting’ the crypto, since it would not be an act of the ASF project as it addressed above.
Yes. The ASF is responsible for complying with the EAR, regardless of whether the item we are exporting has been previously exported under the Section 742.15(b) publicly available exemption or any license exception by another manufacturer/company/open source project.
Yes. Each product must qualify separately, which includes sending notifications for each.
No. As long as the email‘s notification URL for the source location still (directly or indirectly) points to the applicable source for each version’s crypto item, no additional process is required.
The notification URL for all products should point to https://www.apache.org/licenses/exports/
, which should be refreshed to include the project's cryptography data before the email is sent.
Each product needs to send only one notification email until information previously submitted is no longer accurate, e.g. a change in the manufacturer.
No, but it's a good idea to do so. See our self-imposed requirement to inform users.
When multiple crypto items exist within a single product, one email should be sent listing all manufacturers of encryption items in the product and the standard notification URL to the ASF-wide exports page with detailed information, including the location of the corresponding source code.
Yes, as long as the PMC is reasonably confident that the non-ASF location is likely to remain available for BIS inspection for the foreseeable future. If this is not the case at some point, the ASF should update the link to a location that will remain available.
It is fine to use whatever compiler switches you like. There is no need to provide compiler switch information, as long as the pointed source code is a superset of all the controlled source that ends up being distributed within the object/binary file.
No, but whether we are distributing source or object/binary files, we must always make sure a notification has been made pointing (directly or indirectly) to the associated source.
Within the single notification email (sent prior to either hosting libssl/libcrypto or committing code that binds to it), the ASF and the OpenSSL project should be listed as manufacturers, since both organizations produce encryption items included in the product. See the more generic Q&A on this topic.
The only required notification for an Apache project that is specially designed to use, but doesn't include, such crypto, is the notification for the ASF product code.
The ASF is a U.S.-based corporation and must comply with U.S. export controls. Incidentally, the U.S. is not the only country with controls on cryptography. Many other nations have similar restrictions, primarily driven by the Wassenaar Arrangement.