(Always) report to US authorities when using encryption to authenticate users?


Problem description

This might not be a direct code question, but it's one that comes up frequently on SO and I find it very useful to read.

App Store - Help answering "Missing Compliance" (using Expo + Firebase)

Does my application "contain encryption"?

ITSAppUsesNonExemptEncryption export compliance while internal testing?

I don't live in the US and therefore don't navigate freely in their law system or stay up to date with changes. But using American products and platforms like the Apple App Store means that I have to comply with the national rules and policies.

There is this one thing about encryption compliance whenever I submit to the App Store. It always asks me if I'm using encryption. The answer is yes - since fetching like OTA updates are https. The SO questions are often so: yes to the first and no to the rest if https is the only encryption used.

BUT what if you are using encryption to authenticate a user? Then it seems like it has to be yes to encryption and yes to this question:

"Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?"

Here is what I don't get. If this is the case for US compliant mobile apps - do I need to report to US authorities if I deploy a web site that does the exact same type of authentication logic?

There is a lot of great material on how to build a good authentication system - but I have never come across a mention of

"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"

Solution

First, IANAL, so take this as professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR Regulations that deem certain kinds of encryption to be "arms" and therefore not legally exportable from the US (Discussion of ITAR and Crypto here). Given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.
