From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id VAA10788; Fri, 5 Apr 2002 21:36:33 +0200 (MET DST) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id VAA10608 for ; Fri, 5 Apr 2002 21:36:32 +0200 (MET DST) Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35]) by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id g35JaVT21239; Fri, 5 Apr 2002 21:36:31 +0200 (MET DST) Received: (from xleroy@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id VAA01732; Fri, 5 Apr 2002 21:36:31 +0200 (MET DST) Date: Fri, 5 Apr 2002 21:36:31 +0200 From: Xavier Leroy To: Sven Cc: caml-list@inria.fr Subject: Re: [Caml-list] Cryptokit: cryptographic library for OCaml Message-ID: <20020405213631.A8035@pauillac.inria.fr> References: <20020405160214.A3921@pauillac.inria.fr> <20020405162920.E21403@dpt-info.u-strasbg.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20020405162920.E21403@dpt-info.u-strasbg.fr>; from luther@dpt-info.u-strasbg.fr on Fri, Apr 05, 2002 at 04:29:20PM +0200 Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk > Mmm, what are the legal restriction related to this ? Is it legal to > distribute it in france (legislation may have changed since last i checked > about such things a few years ago) ? Is it legal to distribute it from an US > based server (i think yes, but you would need to declare the software to the > NSA or something such). I wish I knew for sure :-) I spent significant time reading the French laws on the DCSSI Web site (http://www.scssi.gouv.fr/fr/reglementation/index.html). (FYI, the DCSSI is roughly the French equivalent of the NSA.) It appears that cryptographic means ("moyens de cryptographie", whatever that means) are regulated differently depending on whether they are used for authentication (passwords, signature, data integrity), confidentiality (encryption), copy protection, in mobile phones, for bank transactions, in spread-spectrum devices, etc. >>From this list, it appears that only whole software applications or hardware devices are subject to regulations. A library like my Cryptokit doesn't by itself ensure authentication, confidentiality, etc: this is a property of the application that uses it. Cryptokit just transforms streams of bytes in various ways. Heck, you could use the AES implementation it provides just to generate pseudo-random numbers (don't laugh -- the PRNG in the library does exactly this). So, I think I'm not violating any French regulation by distributing this library. Now, if you use it in a program, it is up to you to make sure you comply with the law. (E.g. a Caml-powered spread-spectrum device is a no-no :-) As for other countries, I haven't the least idea of their regulations. To get definitive answers to your questions, you'll need to consult a competent lawyer, not me. - Xavier Leroy ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners