[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Export Control Classification Number (ECCN) For openLDAP

Hi Rick,

I'm not a lawyer, so my opinion doesn't hold any legal weight. Having said
that, I will offer the following:

I am not aware of any code in OpenLDAP that implements reversible
encryption, which is what the US government restrictions apply to.
Therefore, OpenLDAP itself is not subject to export controls.

Reversible encryption capabilities, such as those used by SSL and Kerberos,
are provided by separate packages, such as OpenSSL, GnuTLS, Heimdal
Kerberos, or MIT Kerberos. These are governed by specific export
restrictions. We had to jump through similar hoops when we developed our
tested, certified, and packaged distributions of OpenLDAP, which do include
these technologies. I would elaborate further, but this was some time ago
and, besides, I don't understand all of the legal ins and outs. Maybe
someone on the OpenSSL mailing list or one of the Kerberos lists could
provide additional information.

Our own approach is to make a basic package available to embedders at
minimum cost, which does not include any encryption software. This
eliminates export restrictions on the embedder's product and provides the
embedder with an opportunity to up-sell its customers to more advanced
versions of LDAP services that include SSL, SASL, and Kerberos technology,
and feature enhanced performance, resilience, and functionality.

The short of it is as follows:

If you are just bundling OpenLDAP and not including OpenSSL or Kerberos,
then you don't need to worry about export restrictions.

Hope this helps...

Matthew Hardin
Symas Corporation
Packaged, certified, and supported OpenLDAP distributions:

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-
> software@OpenLDAP.org] On Behalf Of Rick Clark
> Sent: Tuesday, July 27, 2004 9:27 AM
> To: OpenLDAP-software@OpenLDAP.org
> Subject: Export Control Classification Number (ECCN) For openLDAP
> My company is interested in embedding openLDAP in our enterprise software
> product suite. We export our software to other countries around the world
> (obviously not Cuba, Iran, Sudan, Iraq, Libya, North Korea, Syria, etc.).
> We need to know what the Export Control Classification Number (ECCN) for
> openLDAP since it contains encryption code. The US government requires an
> ECCN classification for all software exported that contains some form of
> encryption.
> Does anyone in the group know what the ECCN classification for openLDAP or
> can point me in the right direction ?
> Thanks
> Rick