[1748] in cryptography@c2.net mail archive
Re: Export control policy documentation?
daemon@ATHENA.MIT.EDU (William H. Geiger III)
Tue Oct 14 06:53:53 1997
From: "William H. Geiger III" <whgiii@invweb.net>
Date: Mon, 13 Oct 97 20:45:55 -0500
To: Rich Graves <llurch@networking.stanford.edu>
In-Reply-To: <Pine.GUL.3.95.971013093450.20114A-100000@Networking.Stanford.EDU>
Cc: cryptography@c2.net, coderpunks@toad.com
-----BEGIN PGP SIGNED MESSAGE-----
In <Pine.GUL.3.95.971013093450.20114A-100000@Networking.Stanford.EDU>, on 10/13/97 at 11, Rich Graves <llurch@networking.stanford.edu> said:
>[coderpunks moved to bcc]
>On Mon, 13 Oct 1997, Paul Robichaux wrote:
>> Does there exist any written description of the things a download Web site
>> should check to stay out of export trouble? Netscape, PGP, and Microsoft
>> all allow downloads-- did they all just copy what Jeff Schiller did with
>> the MIT PGP site, or is there more formal guidance around somewhere?
>The MIT PGP and Kerberos distribution, Cornell's KClient distribution,
>and the old Cypherpunks FTP site were designed around the old ITAR
>regulations. The guidelines are (deliberately?) vague. The regs are
>online at <URL:http://www.bxa.doc.gov/>. AFAIK, this is the best official
>guidance available. PGP Inc's download CGI (and Stanford's) is
>copy-pasted from A. Unofficially, Commerce isn't completely stupid; they
>know there's nothing you can do to prevent naughty downloads, but as long
>as you keep up with Netscape's, MIT's, and PGP's practice, you're
>probably safe. Also, they're not eager for a reprise of the Bernstein
>case.
>[It's considered export to distribute strong crypto from]
>file transfer protocol and World Wide Web sites, unless the person making
>the software available takes precautions adequate to prevent unauthorized
>transfer of such code outside the United States. Such precautions shall
>include:
> (A) Ensuring that the facility from which the software is available
>controls the access to and transfers of such software through such
>measures as:
> (1) The access control system, either through automated means or
>human intervention, checks the address of every system requesting or
>receiving a transfer and verifies that such systems are located within
>the United States;
Nope I sure don't do that.
> (2) The access control system, provides every requesting or receiving
>party with notice that the transfer includes or would include
>cryptographic software subject to export controls under the Export
>Administration Act, and that anyone receiving such a transfer cannot
>export the software without a license; and
I do do this.
> (3) Every party requesting or receiving a transfer of such software
>must acknowledge affirmatively that he or she understands that the
>cryptographic software is subject to export controls under the Export
>Administration Act and that anyone receiving the transfer cannot export
>the software without a license; or
I do this.
> (B) Taking other precautions, approved in writing by the Bureau of
>Export Administration, to prevent transfer of such software outside the
>U.S. without a license.
I don't do this.
I have a web site for distribution of OS/2 binaries and source code of
PGP. While I provide the obligatory ITAR export message, I do not do IP
checking, and as far as I am concerned anyone from anywhere can DL the
software (even "evil" countries like China, Cuba, Iraq, Iran, France
... etc., where the citizens need this type of software the most). The only
reason I provide the ITAR message is as a courtesy to the person accessing
my site who does not wish to inadvertently get involved in this mess.
- --
- ---------------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
- ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000
-----END PGP SIGNATURE-----