From: Greg Broiles <gbroiles@netbox.com>
Date: Thu, 13 Feb 1997 23:49:25 -0800 (PST)
To: anand@querisoft.com
Subject: Re: crypto restrictions
In-Reply-To: <330466AB.3D19@querisoft.com>
Message-ID: <3.0.1.32.19970213235356.0279f13c@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

At 05:20 AM 2/14/97 -0800, anand abhyankar wrote:
>1) is it illegal to develop an encryption tool (s/w) in the US which
>uses > 40 bit size session keys and then export that s/w outside of the
>US.

Yes, that's illegal, unless you get permission for the export. Getting
permission requires jumping through many hoops, and is far from a sure thing.
(It's easier to count on not getting permission. You almost certainly won't
get permission if you want to use >40 bits and you're not going to force your
customers to share their keys with the government.) 

Consequently, the US is a bad place to write crypto software if you want to
make it available worldwide. 

>2) is it illegal to encrypt some data inside the us with a key > 40 bit
>in size and then send that data outside the US.

Data which may be exported as plaintext may be exported as ciphertext. Data
which may not be exported as plaintext may not be exported as ciphertext. But
in the latter case, it's harder to catch you. :) 


-----BEGIN PGP SIGNATURE-----
Version: 4.5

iQEVAgUBMwQZ6f37pMWUJFlhAQFbUAf/SWehrYRT4wGzPUNTDvF5wQEOBiuq0cZu
pOcqcOHHYiUKdD2txkT4abb7uV2z6E1TAN0q8r5QULkwV/+A3I2ARChHjYeZqyv4
ZvrbIb6UXLxdkz0xTBjGShjfAwGsegJDb9lb83Ha4UaXBAJSV/KdK2Hr7QFJwd5p
gSokXHH8VUb/EF5am/5PvQc0rvXsgHeAx2k77wKNclodVy3E62ymaOt/wf/FIPXW
ZLo9h18b5TtyRqpmqBHvG8h/YVq6edMFf7zcBmPgw1yzh9/LSH3+M7uhJ0JceT6d
fTT6jQUz3+dKDa7rs0s6Kf+X/e10Y0AeJ+kVQgsqsfPqRpFsUjvyLw==
=a1sX
-----END PGP SIGNATURE-----

--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |