[sci.crypt] US export control of cryptography is changing

gnu@hoptoad.uucp (John Gilmore) (08/27/89)

US export controls on certain products containing cryptography
are being shifted from the Department of State, Office of Munitions
Control, to the Department of Commerce.  This is a win because
the Commerce regulations have a lot less hassle and paperwork,
and because software that is 'freely available to the public'
can be exported without any paperwork or hassle under Commerce regs
(a.k.a. the Commodity Control List).

This has not been announced yet; they are working out how to do
that.  This is the first time any transfer like this has happened.
However, you should be able to get a copy of the exact wording
of the new rules from the address below.  You can also ask them for
an explicit determination of whether your product falls under
Commerce or State jurisdiction by filing a Commodity Jurisdiction
Request.  They can also help tell you what forms are needed (if
any) to export your product.

The following text was read to me over the phone and transcribed in a
cramped phone booth; take it with a grain of salt.  The categories that
moved to Commerce are: "Cryptographic equipment for:

(1)  Authentication

	Equipment or software which calculates Message Authentication
	Codes or similar results to assure no alteration of text has
	taken place, or to authenticate users, but does not allow for
	encoding of data, text, or other media other than that needed
	for the authentication.

(2)  Access Control

	Equipment or software which protects passwords or personal ID
	numbers or similar data to prevent unauthorized access to
	computing facilities, but does not allow for encryption of
	files or text, except as directly related to the password and
	PIN protection.

(3)  Proprietary Software Protection

	Decryption-only routines for encrypted proprietary software,
	fonts, or other computer-related proprietary information
	for purposes of maintaining vendor control over said
	information when such decryption routines are not accessible
	to users of such software, fonts, or other information, and
	cannot be used for any other purpose.

(4)  Automatic Teller Devices

	Devices limited to issuance of cash or travelers checks,
	acceptance of deposits, account balance reporting, and similar
	financial functions."

Note that the particular encryption technology (DES, RSA, Khufu, or
shaved heads) does not matter; what matters is the use to which it
can be put.  Arbitrarily strong encryption can be exported under
these rules.

State and Commerce are continuing discussions on what additional
categories can be moved over.  (One that I have informally heard
mentioned is low-tech encryption ancillary to the main purpose of a
mass market product, e.g. Unix crypt.) In the meantime, products in the
categories under discussion will be handled on a case-by-case basis.

I have heard that the reason for the transfer is that NSA is getting
swamped with export requests -- there are a lot more civilian uses for
cryptography than there were 5 years ago -- and after deciding a bunch
of cases individually, they feel safe enough about the above categories
to "let go" of them and let Commerce handle them in a streamlined
fashion.

If you want help in determining the export status of your product,
call:

	Computer Systems Technical Center
	+1 202 377 0708

There are several software people there who can help.  If you want a
copy of the new official rules, send your request to:

	Joseph L. Young, PhD, Chief
	Computer Systems Technical Center
	Office of Technology and Policy Analysis
	Bureau of Export Administration
	US Department of Commerce, Room 4082
	14th and Constitution Avenues, NW
	Washington, DC  20230

Informal discussions a month ago with Jerry Rainville in the NSA
(reachable via their Public Affairs office) indicated that if your
software, AS SHIPPED, fits one of these categories, then it is
exportable under the Commerce rules.  Even for source code products
like Kerberos, they seem willing to accept the risk that someone
on the receiving end will modify the program to be able to encrypt
or decrypt files.  The determination of the software's function as
shipped will be made by the shipper.

If you have any questions, don't ask the net!  Please call the phone
number given above, ask them, and then post the question AND the
authoritative answer (and the answerer's name).  Comments, of course,
are welcome.

Thanks to Scott Lawrence for originally posting (in comp.protocols.kerberos
a while ago) that this was in progress.  That let me find the people
doing it, and track its progress until it really happened.
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu      gnu@toad.com
      "And if there's danger don't you try to overlook it,
       Because you knew the job was dangerous when you took it"