Why We Took PEM Out of Apache
On May 17th, 1995, we were asked by a representative of NCSA to remove
any copies of NCSA httpd prior to 1.4.1 from our web site. They
were mandated by the NSA to inform us that redistribution of pre-1.4.1
code violated the same laws that make distributing Phill Zimmerman's
PGP package to other countries illegal. There was no
encryption in NCSA's httpd, only hooks to publicly available libraries
of PEM code. By the NSA's rules, even hooks to this type of
application is illegal.
Because Apache is based on NCSA code, and we had basically not touched
that part of the software, we were informed that Apache was also
illegal to distribute to foreign countries, and advised (not mandated)
by NCSA to remove it. So, we removed both the copies of the NCSA
httpd we had, and all versions of Apache previous to 0.6.5.
The Apache members are strong advocates of the right to digital
privacy, so the decision to submit to the NSA and remove the code was
not an easy one. Here are some elements in our rationale:
It kind of sickens us that we had to do it, but so be it.
- The PEM code in httpd was not widely used. No major site relied
upon its use, so its loss is not a blow to encryption and security on
the world wide web. There are other efforts designed to give much
more flexible security - SSL and SHTTP - so this wasn't a function
whose absence would really be missed on a functional level.
- We didn't feel like being just a couple more martyrs in a fight
being fought very well by many other people. Rather than have the
machine that supports the project confiscated or relocated to South
Africa, etc., we think there are more efficient methods to address the
Patches that re-implement the PEM code may be available at a foreign
site soon. If it does show up, we'll point to it - that can't be illegal!
Finally, here is a compendium of pointers to sites related to
encryption and export law. We can't promise this list will be up to
date, so send us mail when you see a problem or want a link added.