[146545] in cryptography@c2.net mail archive
Re: [Cryptography] FIPS, NIST and ITAR questions
daemon@ATHENA.MIT.EDU (radix42@gmail.com)
Tue Sep  3 15:52:45 2013
To: "Cryptography Mailing List" <cryptography@metzdowd.com>
From: radix42@gmail.com
Date: Tue, 3 Sep 2013 19:21:43 +0000
Ok, I dug around my email archives to see what the heck to google, and answered my own question regarding ITAR and NIST defined Suite B implementing software. 
Here it goes....
From http://www.nsa.gov/ia/programs/suiteb_cryptography/
...Says, effectively, that products that 'are configured to USE Suite B or technical documentation concerning the configuration of such products' are not subject to ITAR. The bis.doc.gov site listing requirements under ITAR for US Persons is, inconveniently, down for maintenance.
However, digging around in my document backup archives (insomnia provided the time for it...hours) and email unearthed the notification addresses required for ALL US-based open-source Suite B implementations.
Yes, this is silly. No, they don't NORMALLY go after anyone for breaking the law for a NIST defined hash/digest/crypto algorithm.
But if the USG decides they don't like you (political views, activism, etc), that silly regulation can cost you years in prison. The legal term of art is 'selective prosecution'.
The relevant email addresses are:
crypt@nsa.gov enc@nsa.gov and web_site@bis.doc.gov
Required format and fields are:
Subject: TSU NOTIFICATION - Encryption
Message body:
SUBMISSION TYPE: TSU
SUBMITTED BY: <author or corporate contacts full legal name>
SUBMITTED FOR: <full legal names of all authors and corporate name if applicable>
POINT OF CONTACT: <full legal name of POC for compliance purposes>
PHONE and/or FAX: <10 digit number for either>
PRODUCT NAME/MODEL #: <product/program name and model/version>
ECCN: <5D002 for FIPS-180 hash functions, google cache for others, BIS site currently down, lovely>
<blank line>
NOTIFICATION: <download URL(s) for source file(s)>
There ya go. "Hashes aren't ITAR covered" is unfortunately 'Net Mythology. Silly as hell I admit. If the above helps any other US Persons put a fig leaf on themselves, that'd be great.
Cheers,
David Mercer
David Mercer
Portland, OR