Correct and update Mozilla Crypto FAQ

RESOLVED FIXED

Status

www.mozilla.org
General
P3
normal
RESOLVED FIXED
19 years ago
6 years ago

People

(Reporter: hecker, Assigned: Samuel Sidler (old account; do not CC))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

19 years ago
The Mozilla Crypto FAQ is badly out of date; among other things, it has lots of
dead links (including almost all links to the EAR references) and has not been
updated to reflect the Bernstein ruling. There may also be some new questions
suggested as well that are not addressed in the current FAQ.
(Reporter)

Updated

19 years ago
Status: NEW → ASSIGNED

Comment 1

19 years ago
Could you add an answer to the question: "Why isn't at least a part of the
Mozilla tree based in a country with a more liberal law regarding
cryptography?"? The answer I'd like most would be "Good question. We're checking
that at the moment." :-)

OFFTOPIC: I was impressed by the quality of the FAQ. It wanswered most of my
questions and gave many, many references (which I didn't check out, so I can't
comment the quality of them).
(Reporter)

Comment 2

19 years ago
I'll add some more explanation on the issue of keeping part of the Mozilla CVS
tree in a country other than the US or Canada.  The basic issues here are
twofold:

1. If mozilla.org moved part of the Mozilla tree "offshore", or assisted others
in setting up part of the Mozilla tree offshore, and that part of the tree were
to be used for encryption source, then mozilla.org staff (and the US-based
companies employing them) would be at risk of violating US prohibitions on
"technical assistance" to non-US/Canada developers implementing crypto.

2. If US developers were to check in crypto source into such an offshore subtree
of the overall Mozilla tree (deliberately or by mistake) then they and the
US-based companies employing them would be in direct violation of US export
regulations.

The bottom line is that mozilla.org and the US-based companies employing
mozilla.org staff and Mozilla developers have a vested interest in not
supporting, promoting, or helping with Mozilla-related crypto development
outside the US and Canada.  Of course, Mozilla developers outside the US and
Canada are free to do as they wish, and may maintain their own independent
source repositories and CVS trees.

Also, thanks for your comment about the FAQ; my goal in writing it was to avoid
the vagueness and ambiguity of most web-based information on crypto regulations,
and to include nothing that could not be justified and substantiated based
on public information.

Back on-topic: On the references, unfortunately all the EAR references are
currently broken because John Young is no longer maintaining his copy of the EAR
online; thus I'll have to refer back to the US government's copy, which is not
as convenient, being in plain text not HTML.

Comment 3

18 years ago
The 2.0 release of the FAQ, besides addressing the changed export control
regulations, also corrects all instances of bad links. For the future I have
decided to link only to official copies of the EAR maintained by the U.S.
government, even though those documents are not always the best for linking to
(because they're not in HTML and don't have internal anchors).

The next release of the FAQ will be updated to reflect the actual first release
of source code.

Comment 4

18 years ago
Updated FAQ (to version 2.1) to reflect the release of the RSA patent into the 
public domain.

Comment 5

18 years ago
Frank, it is not clear to me, what the EARs say. What makes crypto code
different from other code?
- If I am an US citizen and what to ditribute modified version of the source or
binaries (i.e. != the version hosted on mozilla.org), what do I have to do?
Anything else that practically resticts the "open source" (as def. by OSI)
nature of (Mozilla) crypto code?
- If I am not an US citizen, what effects does this have? Do I have to care at
all?

Comment 6

18 years ago
BTW: As these are generic questions, not specific to Mozilla code, it is fine to
link to a well-written FAQ on another site.

Comment 7

17 years ago
reassigning to hecker's current account
Assignee: hecker → hecker
Status: ASSIGNED → NEW

Comment 8

17 years ago
New suggested question, from Tim Rowley <tor@cs.brown.edu>: "Why is 
mozilla/netscape writing NSS/PSM instead of using OpenSSL?"

I've been holding off on updating the FAQ until the PSM/NSS integration into the 
Mozilla build was complete, and mozilla.org-distributed binaries included PSM. 
After the beginning of the year I'll update the FAQ for that, for the question 
re OpenSSL, and for Ben's question. Also accepting bug (which I should have done 
a while ago).
Status: NEW → ASSIGNED
Frank: ping :-)  (see your last comment.)

Gerv

Comment 10

17 years ago
Do you need help?
QA Contact: timeless

Comment 11

17 years ago
Yes, I've been tied up doing other things and have not had a chance to work on
the crypto FAQ, so if you or anyone else volunteers to help I'd be glad to
accept your assistance. Feel free to edit the existing document, and then I'll
review the changes and make final revisions if needed. Here are the main things
I think need to be done: 1) Update existing answers where the information and/or
URLs are out of date or incorrect; 2) add some new questions and answers based
on people's suggestions; and 3) fix the HTML so that it validates as HTML 4.01
Strict.

Updated

14 years ago
Assignee: hecker → hecker
Status: ASSIGNED → NEW

Comment 12

13 years ago
What is the status on this? The FAQ needs to be updated to match the mozilla.org
Markup Reference.
Assignee: hecker → nobody
Component: Miscellaneous → www.mozilla.org
OS: Other → All
QA Contact: timeless → www-mozilla-org
Hardware: Other → All
(Assignee)

Updated

10 years ago
Assignee: nobody → samuel.sidler
(In reply to comment #11)
> Yes, I've been tied up doing other things and have not had a chance to work on
> the crypto FAQ, so if you or anyone else volunteers to help I'd be glad to
> accept your assistance. Feel free to edit the existing document, and then I'll
> review the changes and make final revisions if needed. Here are the main things
> I think need to be done: 1) Update existing answers where the information and/or
> URLs are out of date or incorrect; 2) add some new questions and answers based
> on people's suggestions; and 3) fix the HTML so that it validates as HTML 4.01
> Strict.

#1 was covered in bug 407960. If there are further broken links, please file separate bugs for them.

#2 should be spun off; file a new bug for every specific question you think should be added to the FAQ.

#3 was just fixed by me in revision 1.14.

Resolving as FIXED.

Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: mozilla.org → Websites
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in before you can comment on or make changes to this bug.