[1745] in cryptography@c2.net mail archive
Re: Export control policy documentation?
daemon@ATHENA.MIT.EDU (Rich Graves)
Mon Oct 13 13:08:44 1997
Date: Mon, 13 Oct 1997 09:47:18 -0700 (PDT)
From: Rich Graves <llurch@networking.stanford.edu>
To: cryptography@c2.net
In-Reply-To: <v04001b00b067e518b03e@[206.151.234.126]>

[coderpunks moved to bcc]

On Mon, 13 Oct 1997, Paul Robichaux wrote:
> Does there exist any written description of the things a download Web site
> should check to stay out of export trouble? Netscape, PGP, and Microsoft
> all allow downloads-- did they all just copy what Jeff Schiller did with
> the MIT PGP site, or is there more formal guidance around somewhere?

The MIT PGP and Kerberos distribution, Cornell's KClient distribution, and
the old Cypherpunks FTP site were designed around the old ITAR regulations.
The guidelines are (deliberately?) vague. The regs are online at
<URL:http://www.bxa.doc.gov/>. AFAIK, this is the best official guidance
available. PGP Inc's download CGI (and Stanford's) is copy-pasted from A.

Unofficially, Commerce isn't completely stupid; they know there's nothing
you can do to prevent naughty downloads, but as long as you keep up with
Netscape's, MIT's, and PGP's practice, you're probably safe. Also, they're
not eager for a reprise of the Bernstein case.

[It's considered export to distribute strong crypto from]
file transfer protocol and World Wide Web sites, unless the person
making the software available takes precautions adequate to prevent
unauthorized transfer of such code outside the United States. Such
precautions shall include:
(A) Ensuring that the facility from which the software is available
controls the access to and transfers of such software through such
measures as:
(1) The access control system, either through automated means or
human intervention, checks the address of every system requesting or
receiving a transfer and verifies that such systems are located within
the United States;
(2) The access control system, provides every requesting or
receiving party with notice that the transfer includes or would include
cryptographic software subject to export controls under the Export
Administration Act, and that anyone receiving such a transfer cannot
export the software without a license; and
(3) Every party requesting or receiving a transfer of such software
must acknowledge affirmatively that he or she understands that the
cryptographic software is subject to export controls under the Export
Administration Act and that anyone receiving the transfer cannot export
the software without a license; or
(B) Taking other precautions, approved in writing by the Bureau of
Export Administration, to prevent transfer of such software outside the
U.S. without a license.