export regulations (was: [Cryptography Team] msh-crypto design and tests)

Ron Teitelbaum Ron at USMedRec.com
Fri Oct 28 03:24:50 CEST 2005


Chris,

The rules clearly exempt open source projects.  I'm working on getting
advice now.  I'll keep everyone informed on our progress.

There are two things I'm researching: 1) since Squeak is not a US project, do
the export restrictions apply to us? 2) Who would be the official entity
for reporting if this does apply to us?

Ron

-----Original Message-----
From: cryptography-bounces at lists.squeakfoundation.org
[mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of Chris
Muller
Sent: Thursday, October 27, 2005 9:04 PM
To: cryptography at lists.squeakfoundation.org
Subject: export regulations (was: [Cryptography Team] msh-crypto design
and tests)


> I've talked to James about the CinCom implementation a couple of
> times. One thing that's a little disturbing is that he tells me that
> they haven't alerted BIS (formerly BXA) as to the existence of the
> package. The current rules for US open source crypto developers are
> that you have to alert the BIS (Bureau of Industry and Security)
> before you export (i.e., upload to an ftp site, post to a newsgroup,
> or include in an email distribution that goes overseas); you're
> supposed to send an email message to them telling them where they can
> find a copy. I think this is to ensure that it's really open source
> and to provide them with a working copy should they find bad guys are
> using your source. (Saves them from having to reverse engineer the
> code.) I could be wrong about this, but you probably want to
> double-check with them...

I must say you have shocked me out of ignorance.  Or, rather, this did:

  http://www.bis.doc.gov/Encryption/nlr.htm

This makes no sense..

"The following items require such notification:

    * Mass market encryption commodities and software with key lengths not
      exceeding 64-bits;
    * Encryption items (including key management products and company
      proprietary implementations) with key lengths not exceeding 56-bits for
      symmetric algorithms, up to 512-bits for asymmetric key exchange
      algorithms, and 112 bits for elliptic curve algorithms."

The (already exported) algorithms can be configured for larger key sizes; is
this talking about default values for key lengths?

But it looks like their stenographer got it backward..!  It says, "the
following items REQUIRE notification" but then they specify key sizes "NOT
exceeding" but they surely mean exceeding.  Unreal.

I was on the verge of "exporting" a domain of security classes leveraging our
Cryptography package.  Is this about the stinkin' default values?  You may have
saved me from jail..


_______________________________________________
Cryptography mailing list
Cryptography at lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography