Why We Took PEM Out of Apache
On May 17th, 1995, we were asked by a representative of NCSA to
remove any copies of NCSA httpd prior to 1.4.1 from our web
site. They were mandated by the NSA to inform us that
redistribution of pre-1.4.1 code violated the same laws that
make distributing Phill Zimmerman's PGP package to other
countries illegal. There was no encryption in
NCSA's httpd, only hooks to publicly available libraries of PEM
code. By the NSA's rules, even hooks to this type of
application is illegal.
Because Apache is based on NCSA code, and we had basically
not touched that part of the software, we were informed that
Apache was also illegal to distribute to foreign countries, and
advised (not mandated) by NCSA to remove it. So, we removed
both the copies of the NCSA httpd we had, and all versions of
Apache previous to 0.6.5.
The Apache members are strong advocates of the right to
digital privacy, so the decision to submit to the NSA and
remove the code was not an easy one. Here are some elements in
It kind of sickens us that we had to do it, but so be it.
- The PEM code in httpd was not widely used. No major site
relied upon its use, so its loss is not a blow to encryption
and security on the world wide web. There are other efforts
designed to give much more flexible security - SSL and SHTTP
- so this wasn't a function whose absence would really be
missed on a functional level.
- We didn't feel like being just a couple more martyrs in a
fight being fought very well by many other people. Rather
than have the machine that supports the project confiscated
or relocated to South Africa, etc., we think there
are more efficient methods to address the issue.
Patches that re-implement the PEM code may be available at a
foreign site soon. If it does show up, we'll point to it - that
can't be illegal!
Finally, here is a compendium of pointers to sites related
to encryption and export law. We can't promise this list will
be up to date, so send us mail when you see a problem or want a
link added. Thanks.