From: Jim Gillogly <jim@acm.org>
Date: Thu, 17 Aug 95 17:30:36 PDT
To: cypherpunks@toad.com
Subject: Re: I need exportable crypto revisited.
In-Reply-To: <199508180000.UAA00325@frankenstein.piermont.com>
Message-ID: <199508180030.RAA04988@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain



> "Perry E. Metzger" <perry@piermont.com> writes:
> If you have hooks for arbitrary encryption, you will find it to be
> virtually impossible to export the product.

That's my understanding also (as I told him in e-mail) but I haven't found
any legal justification for it.  I spent a while poring over the ITARs,
section XIII.b (ftp://ftp.cygnus.com/pub/export/itar.in.full), and I
didn't see anything that looked likely.  Maybe "ancillary equipment" in
XIII.b.5, but that seems a stretch and is not at all specific.

I note that hash algorithms for message authentication are specifically
excluded from control in XIII.b.1.vi, which conflicts with what I was told
by somebody who'd gotten a nastygram from Commerce.  Sort of a relief,
since I've been giving my SHA implementation away freely
(rand.org:pub/jim/sha.tar.gz).

Has anybody who's been impaled on the stinky end of this stick been told the
chapter and verse?

	Jim Gillogly
	Sterday, 26 Wedmath S.R. 1995, 00:21