Home > Articles > Security > Network Security

  • Print
  • + Share This
From the author of

Making Sure You Are Legal

In their infinite wisdom, agencies of the U.S. government have created regulations that make it a crime in some situations to export certain strong encryption software from the United States. This is ostensibly done with the intent to prevent strong encryption capabilities from falling into the hands of unfriendly governments and terrorists. The actual result of this situation, however, is that most good encryption software development is now done in other countries and is imported to the United States, rather than vice versa. Encryption software that is imported to the United States cannot always be exported from the United States—even to the original author of the software! This situation is still changing, and the United States has relaxed many of its export policies. However, as long as there are any prohibited countries, exporters must continue to be extremely vigilant about their distributions.

Until recently, the company RSA Data Security, Inc., had a U.S. patent on certain public/private key encryption algorithms used in SSL. In 2000, the patent to the RSA algorithm expired, so restrictions no longer exist on most of this code. However, if you have code specifically from RSA, you may still be bound by its license agreement. See http://www.rsa.com for more information.

If you just plan to use Apache with mod_ssl as a secure Web server at your organization, this probably is all right. However, if you plan to distribute the Web server or a machine containing it overseas, check with an attorney to determine what the applicable U.S. export laws are and to make sure that you are in compliance with them. Luckily, recent changes in both U.S. law and governmental attitude are making the traffic in cryptography easier. Time will tell whether this trend will continue.

  • + Share This
  • 🔖 Save To Your Account