From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 11 Jan 96 18:42:52 PST
To: cypherpunks@toad.com
Subject: legal question
Message-ID: <199601120242.VAA19147@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



A question for our local attorneys.

There have been several times in the past where people have questioned
whether cryptographic hash functions like SHA and the like are
exportable under the ITAR?

In a joint declaration of facts not in dispute as part of Karn
v. State Department, the following was agreed by the government:
(see http://www.qualcomm.com/people/pkarn/export/karnsf.html)

     34. Three of the source code listings on the diskette and in Part
         Five of the Applied Cryptography book, MD-5, N-HASH, and SHS
         are "hashing routines" that perform a data authentication
         function and, by themselves, are not controlled for export
         under the ITAR because cryptographic software that is solely
         limited to a data authentication function is excluded from
         Category XIII(b) of the United States Munitions List. See 22
         C.F.R. 121.1 XIII(b)(vi).

Would this not mean that the government is estopped from ever again
claiming that hash functions are export controlled under the ITAR?

Just curious as to whether or not things have been made more clear...

Perry

PS they also admit in the same declaration to having broken Enigma in
WWII. A shocking revelation.