The Mozilla Crypto FAQ is badly out of date; among other things, it has lots of dead links (including almost all links to the EAR references) and has not been updated to reflect the Bernstein ruling. There may also be some new questions suggested as well that are not addressed in the current FAQ.
Could you add an answer to the question: "Why isn't at least a part of the Mozilla tree based in a country with a more liberal law regarding cryptography?"? The answer I'd like most would be "Good question. We're checking that at the moment." :-) OFFTOPIC: I was impressed by the quality of the FAQ. It wanswered most of my questions and gave many, many references (which I didn't check out, so I can't comment the quality of them).
I'll add some more explanation on the issue of keeping part of the Mozilla CVS tree in a country other than the US or Canada. The basic issues here are twofold: 1. If mozilla.org moved part of the Mozilla tree "offshore", or assisted others in setting up part of the Mozilla tree offshore, and that part of the tree were to be used for encryption source, then mozilla.org staff (and the US-based companies employing them) would be at risk of violating US prohibitions on "technical assistance" to non-US/Canada developers implementing crypto. 2. If US developers were to check in crypto source into such an offshore subtree of the overall Mozilla tree (deliberately or by mistake) then they and the US-based companies employing them would be in direct violation of US export regulations. The bottom line is that mozilla.org and the US-based companies employing mozilla.org staff and Mozilla developers have a vested interest in not supporting, promoting, or helping with Mozilla-related crypto development outside the US and Canada. Of course, Mozilla developers outside the US and Canada are free to do as they wish, and may maintain their own independent source repositories and CVS trees. Also, thanks for your comment about the FAQ; my goal in writing it was to avoid the vagueness and ambiguity of most web-based information on crypto regulations, and to include nothing that could not be justified and substantiated based on public information. Back on-topic: On the references, unfortunately all the EAR references are currently broken because John Young is no longer maintaining his copy of the EAR online; thus I'll have to refer back to the US government's copy, which is not as convenient, being in plain text not HTML.
The 2.0 release of the FAQ, besides addressing the changed export control regulations, also corrects all instances of bad links. For the future I have decided to link only to official copies of the EAR maintained by the U.S. government, even though those documents are not always the best for linking to (because they're not in HTML and don't have internal anchors). The next release of the FAQ will be updated to reflect the actual first release of source code.
Updated FAQ (to version 2.1) to reflect the release of the RSA patent into the public domain.
Frank, it is not clear to me, what the EARs say. What makes crypto code different from other code? - If I am an US citizen and what to ditribute modified version of the source or binaries (i.e. != the version hosted on mozilla.org), what do I have to do? Anything else that practically resticts the "open source" (as def. by OSI) nature of (Mozilla) crypto code? - If I am not an US citizen, what effects does this have? Do I have to care at all?
BTW: As these are generic questions, not specific to Mozilla code, it is fine to link to a well-written FAQ on another site.
reassigning to hecker's current account
Assignee: hecker → hecker
Status: ASSIGNED → NEW
New suggested question, from Tim Rowley <firstname.lastname@example.org>: "Why is mozilla/netscape writing NSS/PSM instead of using OpenSSL?" I've been holding off on updating the FAQ until the PSM/NSS integration into the Mozilla build was complete, and mozilla.org-distributed binaries included PSM. After the beginning of the year I'll update the FAQ for that, for the question re OpenSSL, and for Ben's question. Also accepting bug (which I should have done a while ago).
Status: NEW → ASSIGNED
Frank: ping :-) (see your last comment.) Gerv
Do you need help?
QA Contact: timeless
Yes, I've been tied up doing other things and have not had a chance to work on the crypto FAQ, so if you or anyone else volunteers to help I'd be glad to accept your assistance. Feel free to edit the existing document, and then I'll review the changes and make final revisions if needed. Here are the main things I think need to be done: 1) Update existing answers where the information and/or URLs are out of date or incorrect; 2) add some new questions and answers based on people's suggestions; and 3) fix the HTML so that it validates as HTML 4.01 Strict.
What is the status on this? The FAQ needs to be updated to match the mozilla.org Markup Reference.
Assignee: hecker → nobody
Component: Miscellaneous → www.mozilla.org
OS: Other → All
QA Contact: timeless → www-mozilla-org
Hardware: Other → All
Assignee: nobody → samuel.sidler
(In reply to comment #11) > Yes, I've been tied up doing other things and have not had a chance to work on > the crypto FAQ, so if you or anyone else volunteers to help I'd be glad to > accept your assistance. Feel free to edit the existing document, and then I'll > review the changes and make final revisions if needed. Here are the main things > I think need to be done: 1) Update existing answers where the information and/or > URLs are out of date or incorrect; 2) add some new questions and answers based > on people's suggestions; and 3) fix the HTML so that it validates as HTML 4.01 > Strict. #1 was covered in bug 407960. If there are further broken links, please file separate bugs for them. #2 should be spun off; file a new bug for every specific question you think should be added to the FAQ. #3 was just fixed by me in revision 1.14. Resolving as FIXED.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in before you can comment on or make changes to this bug.