1997-08-20 - Draft CCL Encryption Items Rule

Header Data

From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 082043e1f19f1a93ea74dd6b5c021d14834b2ea2427d008f488633204a17fa14
Message ID: <1.5.4.32.19970820223706.0072b9e8@pop.pipeline.com>
Reply To: N/A
UTC Datetime: 1997-08-20 23:07:08 UTC
Raw Date: Thu, 21 Aug 1997 07:07:08 +0800

Raw message

From: John Young <jya@pipeline.com>
Date: Thu, 21 Aug 1997 07:07:08 +0800
To: cypherpunks@toad.com
Subject: Draft CCL Encryption Items Rule
Message-ID: <1.5.4.32.19970820223706.0072b9e8@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain



We've received from anonymous a July 25 draft of an Encryption
Items Interim Rule for the Export Administration Regulations
which describes Commerce Control List changes in response to 
public comments on the December 30, 1996 interim rule.

   http://jya.com/bxa-ei-rule.htm  (82K)

The draft is in Federal Register format but, as far as we have been
able to find, has not been published there. So if this doc was published
we'd like to hear.

Assuming the draft is legitimate, here's its summary of provisions (much
expanded in the full document):

[Begin summary]

Based on public comments to the December 30 interim rule, this interim rule
specifically makes the following changes:

- In §732.2, clarifies that BXA will consider acknowledgments and
assurances in electronic form provided that they are adequate to assure
legal undertakings similar to written acknowledgments and assurances.

- In §734.3, clarifies that downloading or causing the downloading of
encryption source code and object code in Canada is not controlled and does
not require a license, and clarifies that the methods used as precautions
to prevent unauthorized transfer of such code outside the United States or
Canada must be approved by BXA.

- In §740.6, clarifies that letters of assurance may be accepted in the
form of a letter or any other written communication from the importer,
including communications via facsimile.

- In §740.8, adds recovery encryption technology to the list of items
eligible for export under License Exception KMI, after a one-time review,
and adds a paragraph to authorize exporters of non-key recovery products
under License Exception KMI to service and support existing customers of
those products after the two-year transition period.  This section is also
amended by adding a paragraph to authorize exporters of non-recovery
encryption products under License Exception KMI to export additional
quantities of such products to existing customers under a license after the
two-year transition period.

- §740.8 is also amended by adding a new paragraph to authorize, after a
one-time review, exports and reexports under License Exception KMI of
non-key recovery financial-specific encryption items of any key length that
are restricted by design (e.g., highly field-formatted with validation
procedures, and not easily diverted to other end-uses)  for financial
applications to secure financial transactions, for end-uses such as intra
or inter-banking transfers and home banking.  No business and marketing
plan to develop, produce, and/or market similar encryption items with
recoverable features is required. Conforming changes are also made in
§742.15.

- In §740.9, removes the reference to Country Group D:1.  This clarifies
that encryption software controlled for EI reasons under ECCN 5D002 may be
pre-loaded on a laptop and exported under the tools of trade provisions of
License Exception TMP or License Exception BAG.

- In §740.14, clarifies existing provisions of License Exception BAG and
imposes a restriction on the use of BAG for exports or reexports of
EI-controlled items to terrorist supporting destinations or by other than
U.S. citizens and permanent residents.

-  §742.15 is amended adding a new paragraph that authorizes exports under
an Encryption Licensing Arrangement of general purpose non-key recovery,
non-voice encryption items of any key length for use by financial
institutions (such as banks) in all destinations except Cuba, Iran, Iraq,
Libya, North Korea, Syria and Sudan.  Applications will be reviewed on a
case-by-case basis, and must be supported by a satisfactory business and
marketing plan which explains in detail the steps the applicant will take
during the two year transition period beginning January 1, 1997 to develop,
produce, and/or market similar encryption items with recoverable features.

- In Supplement No. 4 to part 742, paragraph (3), revises "reasonable
frequency" to "at least once every three hours" to resolve the ambiguity on
how often the output must identify the key recovery agent and
material/information required to decrypt the ciphertext.

- In Supplement No. 4 to part 742, paragraph (6)(i), clarifies that the
U.S. government must be able to obtain the key(s) or other
material/information needed to decrypt all data, without restricting the
means by which the key recovery products allow this.

- In Supplement No. 6 to part 742, eliminates the test vector requirement
for 7-day mass-market classification requests and replaces it with a
requirement to provide a copy of the encryption subsystem source code.

-  In Supplement No. 6 to part 742, adds 40-bit DES as being eligible for
consideration for mass-market eligibility, subject to the additional
criteria listed in this supplement.

- In §§ 748.9 and 748.10, clarifies a long-standing policy that no support
documentation is required for exports of technology or software, and it
removes the requirement for such support documentation for exports of
technology or software to Bulgaria, Czech Republic, Hungary, Poland,
Romania, or Slovakia.  This rule also exempts from support documentation
requirements all encryption items controlled under ECCNs 5A002, 5B002,
5D002 and 5E002.  This conforms with the practice under the ITAR prior to
December 30, 1996.

- In §750.7, authorizes certain specified changes to Commerce and State
Encryption Licensing Arrangements by letter.

- In §752.3, excludes encryption items controlled for EI reasons from
eligibility for a Special Comprehensive License.

- In §770.2, adds a new interpretation to clarify that encryption software
controlled for EI reasons under ECCN 5D002 may be pre-loaded on a laptop
and exported under the tools of trade provision of License Exception TMP or
the personal use exemption under License Exception BAG, subject to the
terms and conditions of such License Exceptions.

- In part 772, adds new definitions for "effective control", "encryption
licensing arrangement", "financial institution" and "recovery encryption
products".

- In Supplement No. 1 to part 774, Category 5 - Telecommunications and
Information Security is amended by revising ECCN 5A002 to authorize exports
of components and spare parts under License Exception LVS, provided the
value of each order does not exceed $500 and to clarify that equipment for
the encryption of interbanking transactions is not controlled under that
entry.

- Revises the phrase "up to 56-bit key length DES" where it appears to read
"up to or equal to 56-bit key length DES", and makes other editorial
changes.

[End summary]






Thread