export regulations (was: [Cryptography Team] msh-crypto design and tests)

Chris Muller chris at funkyobjects.org
Fri Oct 28 03:03:55 CEST 2005


> I've talked to James about the CinCom implementation a couple of
> times. One thing that's a little disturbing is that he tells me that
> they haven't alerted BIS (formerly BXA) as to the existence of the
> package. The current rules for US open source crypto developers are
> that you have to alert the BIS (Bureau of Industry and Security)
> before you export (i.e. - upload to an ftp site, post to a newsgroup,
> or include in an email distribution that goes overseas) you're
> supposed to send an email message to them telling them where they can
> find a copy. I think this is to insure that it's really open source
> and to provide them with a working copy should they find bad guys are
> using your source. (saves them from having to reverse engineer the
> code.) I could be wrong about this, but you probably want to double-
> check with them...

I must say you have shocked me out of ignorance.  Or, rather, this did:

  http://www.bis.doc.gov/Encryption/nlr.htm

This makes no sense..

"The following items require such notification:

    * Mass market encryption commodities and software with key lengths not
exceeding 64-bits;
    * Encryption items (including key management products and company
proprietary implementations) with key lengths not exceeding 56-bits for
symmetric algorithms, up to 512-bits for asymmetric key exchange algorithms,
and 112 bits for elliptic curve algorithms."

The (already exported) algorithms can be configured for larger key sizes; is
this talking about default values for key lengths?

But it looks like their stenographer got it backward..!  It says, "the
following items REQUIRE notification" but then they specify key sizes "NOT
exceeding" but they surely mean exceeding.  Unreal.

I was on the verge of "exporting" a domain of security classes leveraging our
Cryptography package.  Is this about the stinkin' default values?  You may have
saved me from jail..



