[5691] in cryptography@c2.net mail archive


RE: No liberalization for source code, API's

daemon@ATHENA.MIT.EDU (Trei, Peter)
Mon Sep 20 10:34:53 1999

Message-ID: <D104150098E6D111B7830000F8D90AE8E62A76@exna02.securitydynamics.com>
From: "Trei, Peter" <ptrei@rsasecurity.com>
To: cryptography@c2.net, cypherpunks@cyberpass.net,
        "'Greg Broiles'" <gbroiles@netbox.com>
Cc: "Trei, Peter" <ptrei@rsasecurity.com>
Date: Mon, 20 Sep 1999 10:24:59 -0400
MIME-Version: 1.0
Content-Type: text/plain



> ----------
> Greg Broiles[SMTP:gbroiles@netbox.com] wrote:
> Subject: 	No liberalization for source code, API's
> 
> There's been some discussion of this in the press, but not much discussion
> of the specifics. BXA has published a "question-and-answer" document
> discussing the anticipated regulations; it's available at
> <http://www.bxa.doc.gov/Encryption/q&a99.htm>, and John Young has archived
> a copy at <http://cryptome.org/bxa091699.htm>.
> 
	[...]
> Also, their thinking about API's seems to have become more nuanced; they
> now envision two classes of API's which are treated differently for export
> purposes, to wit -
> 
>  >How does the update to encryption policy affect the export of
>  >cryptographic application programming interfaces (CAPIs)?
>  >
>  >Cryptographic interfaces are divided into two classes: Open Cryptographic
>  >Interfaces (OCI) and Closed Cryptographic Interfaces (CCI). OCI's are
>  >considered crypto-with-a-hole because they permit a customer or other party
>  >to insert cryptography into an encryption item. OCI's will continue to be
>  >reviewed on a case-by-case basis through the licensing process.
>  >
>  >CCI's contain a mechanism (such as a digital signing key) that prevents a
>  >customer or other party from inserting cryptography into an encryption item.
>  >After a technical review of the binding mechanism, these products will be
>  >eligible for export under a license exception. If destined to a commercial
>  >enduser, the additional signing can take place under a license exception
>  >after a technical review. If destined to a foreign government or military
>  >entity, the additional signing requires a license.
>  >
>  >We intend to discuss this issue with industry as we consult on the
>  >implementation of this regulation.
> 
So, has MS-CAPI changed from a CCI to an OCI, now that 
people can replace the _NSAKEY with their own, and use
any strength crypto components they wish?

Peter Trei
ptrei@rsasecurity.com

Disclaimer: I am not speaking for my employer.


