Thread: Re: Question on export issues




Re: Question on export issues
user name
2007-12-30 17:48:13
On Dec 30, 2007, at 12:06 AM, dangeer.org wrote:
> never be permitted to export to the embargoed country
> list (Cuba, Iran, Sudan, Syria, North Korea, and Libya).


Not Libya. See 15 C.F.R §740Spir[0], country group E: Cuba, Iran, North Korea, Sudan, Syria.

Interestingly, 15 C.F.R. §746.8[1] also lists Rwanda: "an embargo applies to the sale or supply to Rwanda of arms and related matériel of all types and regardless of origin, including weapons and ammunition." I am not a lawyer, and cannot tell whether this applies to encryption.

We've recently had to jump through the BIS crypto export hoops at OLPC. Our systems both ship with crypto built-in and, due to their Fedora underpinnings, allow end-user installation of various crypto libraries -- all open-source -- through our servers. It was a nightmare; the regulations and paperwork appear to be designed for the use case of individual applications that utilize a handful of primitives and attempt to keep the user from examining or modifying the utilized crypto. Trying to fit a Linux distribution into this model proved, er, challenging. (We also found that projects that we expected would know the drill cold, such as Fedora and Mozilla, were actually not very familiar with the processes involved.)

Cheers,
Ivan.



[0] http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf
[1] http://www.access.gpo.gov/bis/ear/pdf/746.pdf

--
Ivan Krstić <krsticsolarsail.hcs.harvard.edu> | http://radian.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

Re: Question on export issues
user name
2007-12-31 14:32:52
Ivan Krstić wrote, On 31/12/07 12:48 PM:
> We've recently had to jump through the BIS crypto export hoops at
> OLPC

I find that very strange considering this from a BIS FAQ
http://www.bis.doc.gov/encryption/encfaqs6_17_02.html

"all encryption source code that would be considered publicly available under Section 734.3(b)(3) of the EAR (such as source code posted to the Internet) and the corresponding object code may be exported and reexported under License Exception TSU -- Technology and Software Unrestricted (specifically, Section 740.13(e) of the EAR), once notification (or a copy of the source code) is provided to BIS and the ENC Encryption Request Coordinator."

What hoops did you have to jump through?


Re: Question on export issues
user name
2008-01-01 15:34:23
* Ivan Krstić:

> We've recently had to jump through the BIS crypto export hoops at
> OLPC. Our systems both ship with crypto built-in and, due to their
> Fedora underpinnings, allow end-user installation of various crypto
> libraries -- all open-source -- through our servers. It was a
> nightmare; the regulations and paperwork appear to be designed for the
> use case of individual applications that utilize a handful of
> primitives and attempt to keep the user from examining or modifying
> the utilized crypto. Trying to fit a Linux distribution into this
> model proved, er, challenging.

Debian has been filing notices for crypto export for years (at BXA for some time; nowadays, it's likely BIS).  So far, nobody there has complained that what is being done is insufficient.

Here are some details: <http://www.debian.org/legal/cryptoinmain>
The actual process may have changed a bit over the years.
