Re: U.S. export laws on SSH/SSL?
From: Chronos Tachyon (chronos@chronos.dyndns.org.no.spam.please.example.com)
Date: 03/17/02
From: Chronos Tachyon <chronos@chronos.dyndns.org.no.spam.please.example.com> Date: Sun, 17 Mar 2002 22:23:36 GMT
Nico Kadel-Garcia wrote:
> "Chronos Tachyon" <chronos@chronos.dyndns.org.no.spam.please.example.com>
> wrote in message
> news:3C94128E.9040508@chronos.dyndns.org.no.spam.please.example.com...
[Snip]
>>You can read the specifics at the BXA's website here:
>>
>>http://www.bxa.doc.gov/Encryption/Default.htm
>
>
> Oh, yeah, this deceptive little thing. They insist on your applying for and
> getting licenses. This is similar to getting a license to have a protest: at
> first it sounds OK, but when you *look* at the process and its history its
> basic use is to prevent upgrades to encryption beyond NSA ability to break,
> or fundamental changes in encryption technology so that the NSA will have to
> start all over.
>
> Think I'm kidding? They "offer suggestions" about applications that guide
> companies to alter the technologies. Also, the application has to describe
> the technology quite thoroughly. This often reveals enough about it to tell
> crackers (such as the NSA) where they should apply their resources to break
> it at will (whether through cracking the server's OS and stealing keys,
> taking advantage of the known vulnerabilities of routers and getting packets
> echoed to their own destination, or whatever other means they consider
> appropriate).
>
> Yes, I sound slightly paranoid. Yes, I have reasons to be so.
>
>
Quoth the FAQ:
--- CUT ---
26. Can an academic who creates an encryption source code program make
it available on the Internet, for example to students or academic
colleagues, without restriction on access?
Yes, under the revised regulations, encryption source code that would be
publicly available (and posting to the Internet itself would make it
publicly available), and which is not subject to an express agreement
for the payment of a licensing fee or royalty for the commercial
production or sale of any product developed using the source code, would
be eligible under License Exception TSU for "unrestricted" source code.
Under this policy, the software may be exported without prior submission
to the government for technical review (although concurrent notification
of the export is required). In addition, software exported under this
exception may be posted to the Internet without restriction and would
not be subject to any requirement to screen for access. Also, such
posting would not constitute knowledge of an export to a prohibited
destination under the EAR, including one of the seven terrorist states.
A license requirement would apply only to knowing exports and reexports
(i.e., direct transfer or e-mail) of the software to prohibited
end-users and destinations. In addition, exporters are not restrained
from providing technical assistance (as described in Section 744.9) to
foreign persons working with such source code.
--- CUT ---
Notifying the BXA that you provide encryption source code can be done by
a single e-mail and is outlined here:
http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html
Mind you, these loose regulations only apply to freely available source
code; if you're selling software, it's a whole 'nother ballgame.
--
Chronos Tachyon
http://chronos.dyndns.org/ -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
4:02pm up 5 days, 17:10, 1 user, load average: 0.38, 0.52, 0.51