Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Politech mailing list archives

FC: Response from Commerce Dept to "Is this man a crypto-criminal?"
From: Declan McCullagh <declan () well com>
Date: Tue, 18 Jan 2000 10:38:22 -0500
********


Date: Tue, 18 Jan 2000 10:01:49 -0500
From: "JIM LEWIS" <JLEWIS () bxa doc gov>
To: <politech () vorlon mit edu>, <declan () well com>
Cc: "EUGENE COTTILLI" <ECOTTILL () bxa doc gov>
Subject: Re: FC: Is this man a crypto-criminal? The Feds won't say...
Declan: This point is worth clarifying. The new regs remove restrictions from the posting of publicly available encryption source code for downloading. The regs say:
a) If you post encryption source code to a site on the net and anyone can access it, you do not need to have it reviewed by BXA or obtain a license.
b) Simply posting this "publicly available" encryption source code does not count as an export and does not trigger all the terrorist sanctions and other requirements created by various Federal sanctions laws.
(what this means is that if you post some code and Saddam Hussein downloads it, you are not liable. If Saddam calls you up and asks you to e-mail him the code, and you send the e-mail without applying for and receiving a license, you are liable).
c) You do need to send BXA an E-mail with the internet location of the posted source code and you are prohibited from sending (as opposed to posting) the encryption source code to a terrorist country or an individual on one of our denial lists.
d) if a foreign person makes a new product with the source code you've posted, there are no review or licensing requirements for that foreign product. If they pay you a royalty or licensing fee for a product they've developed for commercial sale, however, you may have to report some information to BXA.
It appears that the only requirement for Mr. Young is to notify us of the location of the source code (http://jya.com/crypto.htm).
I've attached the relevant section of the regs (from Page 2497 of the Federal Register) below. The entire reg (including the sections on commercial source code and reporting) can be found at http://www.bxa.doc.gov/
¯Begin reg text-------------------------------------------------------------------------------------------------------------------------------------------------- 
(e) Unrestricted encryption source code.
(1) Encryption source code controlled under 5D002, which would be considered publicly available under §734.3(b)(3) and which is not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code, is released from "EI" controls and may be exported or reexported without review under License Exception TSU, provided you have submitted written notification to BXA of the Internet location (e.g. URL or Internet address) or a copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see §740.17(g)(5) for mailing addresses). Intellectual property protection (e.g., copyright, patent or trademark) will not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.
(2) You may not knowingly export or reexport source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.
(3) Posting of the source code on the Internet (e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport, including that described in paragraph (e)(2) of this section. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732.
¯End Reg text--------------------------------------------------------------------------------------------------------------------------------------------------- 

>>> Declan McCullagh <declan () well com> 01/15/00 10:02AM >>>
*********

http://www.wired.com/news/politics/0,1283,33672,00.html

                        Is This Man a Crypto Criminal?
                        by Declan McCullagh (declan () wired com)

                        3:00 a.m. 15.Jan.2000 PST
                        Crypto maven John Young has a problem.

                        He may be a felon, guilty of a federal
                        crime punishable by years in prison. Or he
                        may not be. He'd just like to know one
                        way or another.






--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
  • FC: Response from Commerce Dept to "Is this man a crypto-criminal?" Declan McCullagh (Jan 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]