james hughes wrote:
On May 23, 2006, at 11:58 AM, [EMAIL PROTECTED] wrote:

Thanks, Gary, for your very thorough review!

I am not a lawyer, either, not even a native English speaker, so I have
not attempted to decipher the huge amount of information you link to. I
rely on the judgment of my colleagues, who went through this
export/import control hell, several times. They said, the
classification for the encrypting drives was granted to Seagate,
because the ciphertext is only accessible with very expensive
equipment. I don't know, what classifications we could have got
otherwise.

Hmm interesting...

This means that an encrypting tape drive is a no-no.... Hmmm. DECRU and Neoscale have been exporting these devices... Can you guys help here with some clarifications?

James,

I think you need to draw the distinction between those products which have been able to qualify under the 'mass market' commodity classification of Cryptography Note 3 - see end of this email (and are thereby exempt from ECCN 5A002 and 5D002 - but are still controlled under 5A992 or 5D992), and any other product.

Also exempt from 5A002 but controlled under 5A992 are those products I listed before - personalized smart cards, consumer radio, pay TV receivers, software & media copy protection, banking/finance equipment and mobile/cordless phones.

Incidentally, I still contend that *any* product using AES, by virtue of it being a symmetric algorithm using keys >64 bits, would still have to be reviewed and apply for a license under ECCN 5A002 or 5D002 according to the NB attached to Cryptography Note 3 and cannot be exported under the NLR (No License Required) rules. On that basis I think any product based on P1619 would have to be reviewed and granted a license under 5A002.

Nowhere (AFAIK) do these regulations state anything about the ciphertext being exposed, though one condition of qualification under 'mass market' is that "the cryptographic functionality cannot easily be changed by the user". Essentially what the regs are trying to control are those devices which could be used for general cryptography purposes other than the specific one they were designed for. So if you made an encryption processor that interfaced to a non-encrypting drive, then you might be able to use that in a high speed Gigabit communications network. This might work against you in being granted a license, but it doesn't automatically exclude you (at least, the regs don't say so...).

This was the point I was trying to make - that in principle *any* commodity can get an export license - they are handled on a case by case basis. The regs are written in such a way that they list the exemptions, but don't list exclusions - i.e. if it does such and such then it is excluded from being granted a license. But clearly some products will have an easier time than others. Products where the cryptographic function is single use and not general purpose would be easier to get a license in my opinion.

The way it looks at the moment, if you are a mass market commodity meeting certain conditions (see below), or a product in the list above, you just need to be 'reviewed' under 5A992 but may be able to export without a 'license' ('NLR'). However, for any product using symmetric encryption with keys >64 bits, mass market or not, you need to be reviewed under 5A002/5D002 (5A is h/w, 5D is s/w).

All this is based on my own reading and interpretation of the US EAR documents, I could be wrong so if anyone does know any different then please do correct me. Most of you may value your leisure time and sanity more than perhaps I do and may prefer to pay a lawyer to tell you the answer!

Regards,
Gary

Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not control items that meet all of the following:

  a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
     1. Over-the-counter transactions;
     2. Mail order transactions;
     3. Electronic transactions; or
     4. Telephone call transactions;
  b. The cryptographic functionality cannot be easily changed by the user;
  c. Designed for installation by the user without further substantial support by the supplier; and
  d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs (a) through (c) of this note.

N.B. to Cryptography Note: Mass market encryption commodities and software eligible for the Cryptography Note are subject to the notification or review requirements described in §742.15(b)(1) and (b)(2) of the EAR, unless specifically excluded from these requirements by §742.15(b)(3) of the EAR. Mass market commodities and software employing a key length greater than 64 bits for the symmetric algorithm must be reviewed in accordance with the requirements of §742.15(b)(2) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002. All other mass market commodities and software eligible for the Cryptography Note are controlled under ECCN 5A992 or 5D992 (without review) and may be exported or reexported to most destinations without a license, following notification, in accordance with the requirements of §742.15(b)(1) of the EAR.
