Hi,
> The way I read it, if you are using RSA for authentication, there are no
> export restrictions (except perhaps the awful 5 nations). You do not need
> to get a license.
The regulations, as written, do seem to imply this. However, in
practice, it isn't that simple. For example, one implementation of
DNSSEC (which has gone out of its way to be authentication only) which
included RSAREF was initially permitted for export but this status was
changed after it was pointed out to BXA that the code used in that
version of DNSSEC was not significantly different from the code found on
the floppies for "Applied Cryptography" (which is, "of course", not
exportable).
It appears that the definition of whether authentication code is
exportable or not now depends on whether BXA (NSA) feels the code can be
"easily" converted to encryption uses.
As we believe getting a preliminary version of DNSSEC out is important
so organizations can begin understanding DNSSEC's operational
implications, ISC has taken (some arguably unnecessary) steps to remove
any hint of encryption in our DNSSEC implementation in BIND 8.2.
Whether the authentication code in BIND 8.2 is considered "easy" to
covert to encryption is something presumably NSA will decide. Unless we
hear otherwise, we are self-classifying BIND 8.2 as exportable based on
the regulations as written.
Regards,
-drc
