The following mail was received from Jim Lewis at the BXA; my original email is embedded in his reply. This covers some questions I had about open source and products developed with it.

Summary:

From JLEWIS@bxa.doc.gov  Thu Jan 20 16:39:44 2000
Return-Path: 
...
Received: from jade.bxa.doc.gov (JADE.BXA.DOC.GOV [170.110.31.61])
	by mailrelay1.cc.columbia.edu (8.9.3/8.9.3) with ESMTP id QAA21828
	for ; Thu, 20 Jan 2000 16:38:43 -0500 (EST)
Received: by jade.bxa.doc.gov; id QAA25899; Thu, 20 Jan 2000 16:42:56 -0500 (EST)
Received: from bxa5.bxa.doc.gov(170.110.136.8) by jade.bxa.doc.gov via smap (V4.2)
	id xma025875; Thu, 20 Jan 00 16:42:48 -0500
Received: from BXA_MAIL-Message_Server by bxa5.bxa.doc.gov
	with Novell_GroupWise; Thu, 20 Jan 2000 16:40:29 -0500
Message-Id: 
X-Mailer: Novell GroupWise 5.5.2
Date: Thu, 20 Jan 2000 16:40:19 -0500
From: "JIM LEWIS" 
To: 
Subject: Re: Here's the email. Thanks!
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by merdeka.cc.columbia.edu id QAA26610
Status: OR
[ Edited to format for HTML, specifically to mark the answers in bold; otherwise untouched. ]

I've written some really short answers in bold. Write back if you've got more questions.

>>> Ariel Glenn 01/20/00 12:21PM >>>
I have a few questions that I couldn't seem to find the answers to by studying the regs, and I was hoping that you could clear things up for me.

Here's the list.

If someone posts unrestricted cryptographic source code and then I make a copy of it available from my Web site, should I notify the BXA with a url? Yes (we may change this later on).
Example: suppose I want to mirror the files at the North American Crypto Archive that consist just of source code. This site is located in the U.S. and for those specific files there are no restrictions for retrieval, now that the new regs have gone into effect. Do I need to mail the BXA?

Is it sufficient to send mail with a pointer to a Web directory, or do I need to mention each package that is in the directory, when I notify the BXA? Pointer is sufficient.
Example: I sent mail earlier with a pointer to a directory which, at the moment, contains only one package, but I expect to add to it. Do I need to mail the BXA each time I add a file? If the initial archive has many files in it, do I need to list them all?

Related to that, do I need to notify any time a package is changed or updated? This is sort of a judgement call. If your updates don't change the cryptographic functionality, algorithm, etc., you don't need to come back in.
Example: I expect to update the sole package in my unrestricted source code directory as soon as I have time to finish a couple more perl scripts.

Then, on the question of foreign products made with this code:

Do the overseas developers have to notify BXA if they post a copy of this code or the code they developed? No
Example: I'm writing some certificate management code that will be useful in a project overseas. I expect that the overseas group may want to mirror it, and incorporate it into their ongoing work, which is also posted. What must they do, if anything?

If I take a copy of cryptographic code from overseas and wish to re-export it, do I need to notify the BXA for this too? Yes.
Does it matter whether there might be some U.S. developed code (from unrestricted source) in there, i.e. does this change the answer? No
Example: I would like to mirror openssl, which is developed outside of the U.S. What must I do? Additionally, the maintainers may decide to accept patches from the U.S.; if I mirror the code containing these, what must I do?

Last but not least... if I post a binary made from source code I exported, what do I have to do, notify? Get a license? Nothing? Suppose I post a binary made from source code posted to the Web outside of the U.S.; is the answer different?
You need to come in for a review, noting that the code was compiled or developed from an open source.
Example: I write a few things from scratch and expect to post them; may I also post their binaries, and if so, what do I need to do? I also write applications that use the openssl library; I expect to post source to these. Can I also post the binaries, and if so, what do I need to do?

I know that this is a rather detailed list of questions, but I want to be very sure that I know what I'm doing with the new regulations (and can help others here too). Your answers would go a long way toward helping us understand how the new regulations work.

Thanks,

Ariel Glenn
AcIS R&D
Columbia University
ariel@columbia.edu