From: Rick Smith <smith@securecomputing.com>
Date: Sat, 10 May 1997 03:13:45 +0800
To: Will Rodger <cypherpunks@toad.com
Subject: Re: Clinton Admin. to announce new Crypto regs
In-Reply-To: <3.0.32.19970509112208.00f5b584@postoffice.worldnet.att.net>
Message-ID: <v03007804af9928766aa6@[172.17.1.61]>
MIME-Version: 1.0
Content-Type: text/plain


At 11:22 AM -0400 5/9/97, Will Rodger wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>At 10:39 PM 5/8/97 +0000, Rick Smith wrote:
>>These "new" regulations "to be issued" are scrambling to catch up with
>>previous and current practices. It doesn't change things at all.
>
>I disagree. Here's why:
>
>New regs unquestionably do change things for US banks. Right
>now banks may export nothing stronger than unescrowed DES. Period.

Interesting. That's inconsistent with what was said in the NRC crypto
policy report. The report stated or at least implied that any commercial
crypto equipment could be exported for sale to a financial institution,
though it had to get an export license. (sorry for imprecision, I don't
have my copy handy).

You seem to be suggesting that the licenses were consistently denied or
permanently delayed for stronger crypto. I can believe it -- a bureacracy
can hide lots of unwritten rules behind a poorly documented licensing
procedure. I personally don't know of an example of stronger crypto being
exported to an overseas financial institution.

However, you're probably right in saying this is a big improvement for
commercial software doing strictly financial crypto. If the BXA produces
similar rules to those they recently drafted, then some types of products
will indeed be easier to export. OpenMarket et al took a risk when they
took on the bureacracy to try to get an export license based on what looked
like an acceptable practice. I agree it must have been an ugly process to
go through, and would be vastly improved by explicit regulation.

Rick.
smith@securecomputing.com      secure computing corporation