Path: utzoo!utgpu!watmath!gamiddleton
From: gamiddleton@watmath.waterloo.edu (Guy Middleton)
Newsgroups: ont.archives
Subject: Re: Kerberos official distribution
Message-ID: <23667@watmath.waterloo.edu>
Date: 15 Feb 89 19:43:23 GMT
References: <89Jan30.204455est.38031@neat.ai.toronto.edu> <23469@watmath.waterloo.edu>
Reply-To: gamiddleton@watmath.waterloo.edu (Guy Middleton)
Distribution: ont
Organization: University of Waterloo [MFCF/ICR]
Lines: 139

In article <23469@watmath.waterloo.edu> gamiddleton@watmath.waterloo.edu (Guy Middleton) [that's me] writes:
> Our University Lawyers tell me that the export regulations do not apply to
> Canada. I have sent mail to MIT about it. I suspect that it is legal to FTP
> this stuff; more info coming when I am sure.

I received this reply when I queried MIT about the situation:

From jon@BITSY.MIT.EDU Wed Feb 8 03:12:29 1989
From: Jon Rochlis
Date: Wed, 8 Feb 89 00:40:17 EST

I've heard the same thing about export to Canada, though I can't state
that as an official MIT position. If your lawyers say it's okay I would
just do it and not worry about it, but that's just my personal opinion.

-- Jon

Also, included in the Kerberos distribution, in the 'doc' directory, is a
file 'kerberos.mail', which contains a discussion of export problems. Here
is an edited version of one of the messages in that discussion:

From: ehrgood@wnpv01.enet (TOM EHRGOOD, WNP, DTN 427-5698)
To: @cryptomemo.dis, ehrgood
Subject: Crypto Export Controls - Answer To Gilmore

[ ... ]

Gilmore, which we received on January 28th. Gilmore's memo, which I am
separately forwarding, argues that the posting of cryptographic software
to certain widely available bulletin boards places that software in the
"public domain," with the consequence that export licenses are not
required for the exports of that software. Gilmore's analysis has been
given wide distribution on various networks.

Gilmore is mistaken in his analysis and in his conclusion. Given the high
national security sensitivity of cryptography, generally, and DES
encryption, specifically, it is important to set the record straight.

The fundamental points that Gilmore gets wrong are:

  o Exports of cryptographic software are governed by the State
    Department's International Traffic in Arms Regulations ("ITAR"), not
    by the Commerce Department's Export Administration Regulations
    ("EAR"). Exports would be governed by Commerce's EAR only if State
    waived jurisdiction.

  o Although State Department regulations contain a "public domain"
    exemption for technical data, cryptographic software does not
    qualify as "technical data," and thus the "public domain" exemption
    does not apply.

A legal analysis follows.

[ ... ]

Part 123 of ITAR contains rules governing export licenses for the export
of "defense articles." The basic rule is stated in Section 123.1(a) as
follows:

    Any person who intends to export a defense article must obtain a
    license from the Office of Munitions Control prior to the export
    unless the export qualifies for an exemption under the provisions
    of this Subchapter.

Part 123 sets forth a number of exemptions in sections 123.16 through
123.22. None of these exemptions covers the posting of cryptographic
software on a bulletin board.

Section 126.5 exempts from the licensing requirement any exports of
unclassified defense articles or unclassified technical data to Canada
for end-use in Canada or return to the United States. This exemption
would be potentially applicable only if the ONLY exports that might take
place as a result of the bulletin board posting were exports to Canada.
(See section 120.10, which defines "export" to include "[s]ending or
taking defense articles outside the United States in any manner.") In any
event, care would have to be taken to ensure that applicable
documentation requirements are met to invoke properly the exemption.

[ ... ]

What has complicated the picture and confused Gilmore is that Commerce's
Commodity Control List -- Commerce's counterpart to the United States
Munitions List -- contains a category 1527A covering "cryptographic
equipment . . . and software controlling or performing the function of
such cryptographic equipment." Gilmore identified this regulatory control
provision, but he misinterpreted it.

Gilmore found the note in category 1527A, which states that

    Exporters requesting a validated license from the Department of
    Commerce must provide a statement from the Department of State,
    Office of Munitions Control, verifying that the equipment intended
    for export is under the licensing jurisdiction of the Department
    of Commerce.

Gilmore mistakenly says, however, that "we are not requesting a validated
license, we are using the general license, so this requirement does not
apply . . . ."

Gilmore missed the 1527A heading: "Validated License Required: Country
Groups QSTVWYZ." These designated country groups comprise every country
in the world except Canada. Consequently, a validated license issued by
Commerce is required in order to make any export of 1527A-controlled
cryptographic software. And because a validated license is required,
exporters seeking such a license must, per the note quoted above, submit
a State Department statement "verifying" that Commerce has jurisdiction
over that cryptographic software. Such a statement would generally take
the form of an ITAR section 120.5 commodity jurisdiction determination.

In sum, unless the State Department has issued a statement verifying
Commerce jurisdiction over the cryptographic software that Gilmore has in
mind, Commerce's controls do not apply. And without such a statement,
Gilmore's analysis of section 379.3 of EAR (General License GTDA) is
completely irrelevant.

III. Conclusions
     -----------

Gilmore's conclusion that the posting of cryptographic software to a
bulletin board places it in the public domain and thus exempts it from
export licensing controls is flat-out wrong. U.S. law is clear: in order
to export "cryptographic software" within the meaning of Category XIII(b)
of the United States Munitions List to any country other than Canada, a
State Department export license is required. If there is any reason to
believe or suspect that a non-U.S. or non-Canadian national will gain
access to that bulletin board, an export to a third country should be
assumed and a license is required.

If there is any question whether specific encryption software constitutes
"cryptographic software" within the meaning of Category XIII(b),
clarification can be obtained under procedures established pursuant to
section 120.5 of ITAR. A determination from State under 120.5 that it
does not have jurisdiction is the prerequisite to bringing the control
question into Commerce's export regulations.

---
-Guy Middleton, University of Waterloo gamiddleton@watmath.waterloo.edu