gnu@hoptoad.uucp (John Gilmore) (08/27/89)
US export controls on certain products containing cryptography are being shifted from the Department of State, Office of Munitions Control, to the Department of Commerce. This is a win because the Commerce regulations have a lot less hassle and paperwork, and because software that is 'freely available to the public' can be exported without any paperwork or hassle under Commerce regs (a.k.a. the Commodity Control List).

This has not been announced yet; they are working out how to do that. This is the first time any transfer like this has happened. However, you should be able to get a copy of the exact wording of the new rules from the address below. You can also ask them for an explicit determination of whether your product falls under Commerce or State jurisdiction by filing a Commodity Jurisdiction Request. They can also help tell you what forms are needed (if any) to export your product.

The following text was read to me over the phone and transcribed in a cramped phone booth; take it with a grain of salt. The categories that moved to Commerce are:

"Cryptographic equipment for:

(1) Authentication
    Equipment or software which calculates Message Authentication Codes or similar results to assure no alteration of text has taken place, or to authenticate users, but does not allow for encoding of data, text, or other media other than that needed for the authentication.

(2) Access Control
    Equipment or software which protects passwords or personal ID numbers or similar data to prevent unauthorized access to computing facilities, but does not allow for encryption of files or text, except as directly related to the password and PIN protection.

(3) Proprietary Software Protection
    Decryption-only routines for encrypted proprietary software, fonts, or other computer-related proprietary information for purposes of maintaining vendor control over said information when such decryption routines are not accessible to users of such software, fonts, or other information, and cannot be used for any other purpose.

(4) Automatic Teller Devices
    Devices limited to issuance of cash or travelers checks, acceptance of deposits, account balance reporting, and similar financial functions."

Note that the particular encryption technology (DES, RSA, Khufu, or shaved heads) does not matter; what matters is the use to which it can be put. Arbitrarily strong encryption can be exported under these rules.

State and Commerce are continuing discussions on what additional categories can be moved over. (One that I have informally heard mentioned is low-tech encryption ancillary to the main purpose of a mass market product, e.g. Unix crypt.) In the meantime, products in the categories under discussion will be handled on a case-by-case basis.

I have heard that the reason for the transfer is that NSA is getting swamped with export requests -- there are a lot more civilian uses for cryptography than there were 5 years ago -- and after deciding a bunch of cases individually, they feel safe enough about the above categories to "let go" of them and let Commerce handle them in a streamlined fashion.

If you want help in determining the export status of your product, call:

    Computer Systems Technical Center
    +1 202 377 0708

There are several software people there who can help. If you want a copy of the new official rules, send your request to:

    Joseph L. Young, PhD, Chief
    Computer Systems Technical Center
    Office of Technology and Policy Analysis
    Bureau of Export Administration
    US Department of Commerce, Room 4082
    14th and Constitution Avenues, NW
    Washington, DC 20230

Informal discussions a month ago with Jerry Rainville in the NSA (reachable via their Public Affairs office) indicated that if your software, AS SHIPPED, fits one of these categories, then it is exportable under the Commerce rules. Even for source code products like Kerberos, they seem willing to accept the risk that someone on the receiving end will modify the program to be able to encrypt or decrypt files. The determination of the software's function as shipped will be made by the shipper.

If you have any questions, don't ask the net! Please call the phone number given above, ask them, and then post the question AND the authoritative answer (and the answerer's name). Comments, of course, are welcome.

Thanks to Scott Lawrence for originally posting (in comp.protocols.kerberos a while ago) that this was in progress. That let me find the people doing it, and track its progress until it really happened.

--
John Gilmore {sun,pacbell,uunet,pyramid}!hoptoad!gnu gnu@toad.com
"And if there's danger don't you try to overlook it,
Because you knew the job was dangerous when you took it"