FYI
Begin forwarded message: *From:* "Roy T. Fielding" <[email protected]> *Date:* 3 February 2012 21:41:42 GMT *To:* [email protected] *Subject:* *Re: Is a TSU notice needed for software using javax.crypto?* *Reply-To:* [email protected] On Feb 1, 2012, at 10:28 AM, Nick Burch wrote: On Tue, 31 Jan 2012, Roy T. Fielding wrote: Please note that the BIS requirements have changed since the last time we updated the export requirements. AFAIK, we no longer need to send notices for merely using publicly available crypto packages. You wouldn't happen to know any references for that change, would you? With a bit of digging ... http://www.bis.doc.gov/encryption/default.htm and, specifically, Note 3 of http://www.bis.doc.gov/encryption/ccl5pt2.pdf which eliminates the old way of inheriting 5D002 classification just because we package a binary with OpenSSL or bouncycastle. (If someone can point me at the new exemption details, then I can have a go at updating the page to reflect the changes) Of course, that assumes we can understand the new regs. In the past, Cliff actually confirmed our interpretations with some regulator in the BIS. I don't know if we need to do that again, or if we can just proceed based on a reasonable interpretation of the regulations (and assume they'll tell us otherwise if we are wrong). ....Roy --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
