[4420] in cryptography@c2.net mail archive
Re: 1024 bit RSA exportable?
daemon@ATHENA.MIT.EDU (Steve Schear)
Thu Apr 1 15:51:04 1999
Date: Thu, 01 Apr 1999 12:01:05 -0800
To: John Gilmore <gnu@toad.com>, Bill Frantz <frantz@netcom.com>
From: Steve Schear <schear@lvcm.com>
Cc: Eric Rescorla <ekr@rtfm.com>, cryptography@c2.net, gnu@toad.com
In-Reply-To: <199903312146.NAA17534@toad.com>
At 01:46 PM 3/31/99 -0800, John Gilmore wrote:
>> The way I read it, if you are using RSA for authentication, there are no
>> export restrictions (except perhaps the awful 5 nations). You do not need
>> to get a license.
>
>I concur. The awful 5 nations aren't even embargoed, if your export
>is "publicly available", which exempts you from the EAR totally
>(section 732.2). However, if you *ask* BXA about this, they may well
>tell you that your export is illegal even if the regs plainly exempt
>it. (They did that to Hugh Daniel about an old DNSSEC prototype; see
>http://www.toad.com/dnssec/. Hugh has appealed this and we'll see
>what the result is.) Meanwhile, my suggestion is to:
>
> * Get a good export lawyer
> * Read the regs. Follow the instructions in them.
> * Export what the regs permit you to export.
> * Don't ask BXA any questions if you can help it. Rely on
> the well established principle of "rule of law".
Yes, at the President's Export Council Subcommittee on Encryption meeting
in Palo Alto a few months back, William Reinsch (Under Secretary for Export
Administration) grudgingly admitted that companies and individuals were
under no obligation to submit their wares to the BXA prior to export.
--Steve
