[146546] in cryptography@c2.net mail archive


Re: [Cryptography] FIPS, NIST and ITAR questions

daemon@ATHENA.MIT.EDU (james hughes)
Tue Sep 3 17:12:33 2013

X-Original-To: cryptography@metzdowd.com
From: james hughes <hughejp@mac.com>
In-reply-to: <1033901917-1378236105-cardhu_decombobulator_blackberry.rim.net-15814705-@b14.c9.bise6.blackberry>
Date: Tue, 03 Sep 2013 13:06:20 -0700
To: radix42@gmail.com
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
	james hughes <hughejp@mac.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

"Hashes aren't ITAR covered" is a fact…. From "Revised U.S. Encryption Export Control Regulations, January 2000" at
	http://epic.org/crypto/export_controls/regs_1_00.html

> 3. It was not the intent of the new Wassenaar language for ECCN 5A002 to be more restrictive concerning Message Authentication Codes (MAC). "Data authentication equipment that calculates a Message Authentication Code (MAC) or similar result to ensure no alteration of text has taken place, or to authenticate users, but does not allow for encryption of data, text or other media other than that needed for the authentication" continues to be excluded from control under 5A002. These commodities are controlled under ECCN 5A992.


Further, ECCN 5A992 is separated from the "high-functioning encryption" as follows. From

	http://www.governmentcontractslawblog.com/2008/11/articles/export-controls/encryption-export-restrictions-loosened-under-new-rules-that-reduce-prereview-and-reporting-requirements/

> Under the EAR, encryption items, which includes software, technology, and hardware incorporating encryption technology, generally fall into two categories:
>
> * Export Commodity Classification Number ("ECCN") 5A002/5D002, for certain enumerated, high-functioning encryption products and software; and
>
> * ECCN 5A992/5D992, for all other encryption items.
>
> Generally speaking, 5A992/5D992 products can be shipped without delay anywhere in the world (except for Cuba, Iran, North Korea, Sudan, and Syria) as No License Required ("NLR").



Clear (as mud)?




On Sep 3, 2013, at 12:21 PM, radix42@gmail.com wrote:

> Ok, I dug around my email archives to see what the heck to google, and answered my own question regarding ITAR and NIST defined Suite B implementing software.
>
> Here it goes....
> From http://www.nsa.gov/ia/programs/suiteb_cryptography/
> ...Says, effectively, that products that 'are configured to USE Suite B or technical documentation concerning the configuration of such products' are not subject to ITAR. The bis.doc.gov site listing requirements under ITAR for US Persons is, inconveniently, down for maintenance.
>
> However, digging around in my document backup archives (insomnia provided the time for it...hours) and email unearthed the notification addresses required for ALL US based open-source Suite B implementations.
> Yes, this is silly. No, they don't NORMALLY go after anyone for breaking the law for a NIST defined hash/digest/crypto algorithm.
>
> But if the USG decides they don't like you (political views, activism, etc), that silly regulation can cost you years in prison. The legal term of art is 'selective prosecution'.
>
> The relevant email addresses are:
> crypt@nsa.gov enc@nsa.gov and web_site@bis.doc.gov
>
> Required format and fields are:
> Subject: TSU NOTIFICATION - Encryption
> Message body:
> SUBMISSION TYPE: TSU
> SUBMITTED BY: <author or corporate contacts full legal name>
> SUBMITTED FOR: <full legal names of all authors and corporate name if applicable>
> POINT OF CONTACT: <full legal name of POC for compliance purposes>
> PHONE and/or FAX: <10 digit number for either>
> PRODUCT NAME/MODEL #: <product/program name and model/version>
> ECCN: <5D002 for FIPS-180 hash functions, google cache for others, BIS site currently down, lovely>
> <blank line>
> NOTIFICATION: <download URL(s) for source file(s)>
>
> There ya go. "Hashes aren't ITAR covered" is unfortunately 'Net Mythology. Silly as hell I admit. If the above helps any other US Persons put a fig leaf on themselves, that'd be great.
>
> Cheers,
>
> David Mercer
>
> David Mercer
> Portland, OR
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
