Re: U.S. export laws on SSH/SSL?

From: Chronos Tachyon (chronos@chronos.dyndns.org.no.spam.please.example.com)
Date: 03/17/02


From: Chronos Tachyon <chronos@chronos.dyndns.org.no.spam.please.example.com>
Date: Sun, 17 Mar 2002 22:23:36 GMT

Nico Kadel-Garcia wrote:
> "Chronos Tachyon" <chronos@chronos.dyndns.org.no.spam.please.example.com>
> wrote in message
> news:3C94128E.9040508@chronos.dyndns.org.no.spam.please.example.com...
   [Snip]
>>You can read the specifics at the BXA's website here:
>>
>>http://www.bxa.doc.gov/Encryption/Default.htm
>
>
> Oh, yeah, this deceptive little thing. They insist on your applying for and
> getting licenses. This is similar to getting a license to have a protest: at
> first it sounds OK, but when you *look* at the process and its history its
> basic use is to prevent upgrades to encryption beyond NSA ability to break,
> or fundamental changes in encryption technology so that the NSA will have to
> start all over.
>
> Think I'm kidding? They "offer suggestions" about applications that guide
> companies to alter the technologies. Also, the application has to describe
> the technology quite thoroughly. This often reveals enough about it to tell
> crackers (such as the NSA) where they should apply their resources to break
> it at will (whether through cracking the server's OS and stealing keys,
> taking advantage of the known vulnerabilities of routers and getting packets
> echoed to their own destination, or whatever other means they consider
> appropriate).
>
> Yes, I sound slightly paranoid. Yes, I have reasons to be so.
>
>

Quoth the FAQ:

--- CUT ---

26. Can an academic who creates an encryption source code program make
it available on the Internet, for example to students or academic
colleagues, without restriction on access?

Yes, under the revised regulations, encryption source code that would be
publicly available (and posting to the Internet itself would make it
publicly available), and which is not subject to an express agreement
for the payment of a licensing fee or royalty for the commercial
production or sale of any product developed using the source code, would
be eligible under License Exception TSU for "unrestricted" source code.
Under this policy, the software may be exported without prior submission
to the government for technical review (although concurrent notification
of the export is required). In addition, software exported under this
exception may be posted to the Internet without restriction and would
not be subject to any requirement to screen for access. Also, such
posting would not constitute knowledge of an export to a prohibited
destination under the EAR, including one of the seven terrorist states.
A license requirement would apply only to knowing exports and reexports
(i.e., direct transfer or e-mail) of the software to prohibited
end-users and destinations. In addition, exporters are not restrained
from providing technical assistance (as described in Section 744.9) to
foreign persons working with such source code.

--- CUT ---

Notifying the BXA that you provide encryption source code can be done by
a single e-mail and is outlined here:

http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html

Mind you, these loose regulations only apply to freely available source
code; if you're selling software, it's a whole 'nother ballgame.

-- 
Chronos Tachyon
http://chronos.dyndns.org/ -- WWED?
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
   4:02pm  up 5 days, 17:10,  1 user,  load average: 0.38, 0.52, 0.51


