Here is a link to the BXA page about exporting encryption. They way I read it, and applied it, is you don't need permission or registration to use 3DES in countries except in countries labeled as terrorist countries or if you organization falls into the terrorist category.
If you are sending commercial software to "U.S. companies and their subsidiaries" for "internal company use" it is just fine with the U.S. Government. As far as I can tell site-to-site VPN's fall into this category as well as VPN remote access by employees, interns, or contractors. I think we have some ex-lawyers on the list and would be very interested in their interpretation. If I'm incorrect, I've got a very big problem and would like to correct it as soon as possible. Feedback encouraged. http://www.bxa.doc.gov/Encryption/EncFactSheet6_17_02.html U.S. Department of Commerce * Bureau of Industry and Security Office of Strategic Trade & Foreign Policy Controls Information Technology Controls Division COMMERCIAL ENCRYPTION EXPORT CONTROLS License Exception ENC eligibility for equipment controlled under ECCN 5B002 The new rule clarifies that test, inspection and production equipment controlled under ECCN 5B002 is eligible for export and reexport to U.S. subsidiaries, government and non-government end-users in the European Union (plus the eight additional countries) and non-government end-users in all other countries (except in Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria) under the provisions of License Exception ENC. Certain encryption items may be exported and reexported without review or notification This rule clarifies that, when a license is not otherwise required, no review or notification is required to export or reexport the following: 1. Encryption items (including technology and source code) to U.S. companies and their subsidiaries (except exports and reexports to subsidiaries located in designated terrorist supporting countries, and encryption technology or source code to foreign nationals of these countries) for internal company use, including the development of new products by employees, contractors and interns of U.S. companies. Exporters are referred to Section 734.2 of the EAR for applicable definitions of "export" and "reexport" that apply to encryption source code and technology. (The encryption products that are developed using these items are subject to the EAR and require review before they are sold or transferred outside the company.) -----Original Message----- From: Thomas N. [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 09, 2003 8:51 AM To: [EMAIL PROTECTED] Subject: Re: Export Control with 3DES encryption [7:60573] Thank you very much! This page bring me directly to the registration page. However, I am wondering if I register with Cisco or with some government organization? If I register with Cisco link below, will they automatically submit it to certain government organization? Thanks much! Thomas ""The Long and Winding Road"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > yes, here is a link on the Cisco web site: > > http://www.cisco.com/cgi-bin//Software/Crypto/crypto_main.pl > > this should get you started. > > HTH > > -- > TANSTAAFL > "there ain't no such thing as a free lunch" > > > > > ""Thomas N."" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hi All, > > > > I plan to buy VPN routers, ship them to Japan then deploy VPN between > Cisco > > routers using 3DES encryption between Japan and U.S. for my company. Do I > > need to register with the government or certain organization? How the > > process work? Also, where can I find a list of countries allowed to > export > > 3DES products to? Thanks All in advance! > > > > Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60737&t=60573 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
