(Always) report to US authorities when using encryption to authenticate users?


Problem description


This might not be a direct code question, but it's one that comes up frequently on SO and one I find very useful to read.

App Store - Help answering "Missing Compliance" (using Expo + Firebase)

Does my application "contain encryption"?

ITSAppUsesNonExemptEncryption export compliance while internal testing?

I don't live in the US and therefore don't navigate freely in their law system or stay up to date with changes. But using American products and platforms like the Apple App Store means that I have to comply with the national rules and policies.

There is this one thing about encryption compliance whenever I submit to the App Store. It always asks me if I'm using encryption. The answer is yes, since fetching things like OTA updates is done over https. The SO questions are often so: yes to the first and no to the rest if https is the only encryption used.

BUT what if you are using encryption to authenticate a user? Then it seems like it has to be yes to encryption and yes to this question:

"Does your app qualify for any of the exemptions provided in Category 5, Part 2 of the U.S. Export Administration Regulations?"

Here is what I don't get. If this is the case for US compliant mobile apps, do I need to report to US authorities if I deploy a web site that does the exact same type of authentication logic?


There is a lot of great material on how to build a good authentication system, but I have never come across a mention of

"BTW ☝️ don't forget to report to the US authorities that you authenticate your users with encryption"

Solution

First, IANAL, so take this as professional experience, not legal advice. There is no requirement to notify any specific US authority that you use encryption in your auth process. I suspect that these questions are asked because of the ITAR Regulations that deem certain kinds of encryption to be "arms" and therefore not legally exportable from the US (Discussion of ITAR and Crypto here). Given you are already in (presumably legal) possession of whatever encryption scheme you are using, these rules do not apply to you. There may be more specific regulations if you have an affiliation with the military or intelligence agencies of the US or any other country.
