> ----------
> Greg Broiles[SMTP:[EMAIL PROTECTED]] wrote:
> Subject: No liberalization for source code, API's
>
> There's been some discussion of this in the press, but not much discussion
>
> of the specifics. BXA has published a "question-and-answer" document
> discussing the anticipated regulations; it's available at
> <http://www.bxa.doc.gov/Encryption/q&a99.htm>, and John Young has archived
>
> a copy at <http://cryptome.org/bxa091699.htm>.
>
[...]
> Also, their thinking about API's seems to have become more nuanced; they
> now envision two classes of API's which are treated differently for export
>
> purposes, to wit -
>
> >How does the update to encryption policy affect the export of
> >cryptographic application programming interfaces (CAPIs)?
> >
> >Cryptographic interfaces are divided into two classes: Open
> Cryptographic
> >Interfaces (OCI) andClosed Cryptographic Interfaces (CCI). OCI's are
> >considered crypto-with-a-hole because they permit a customer or other
> party
> >to insert cryptography into an encryption item. OCI's will continue to
> be
> >reviewed on a case-by-case basis through the licensing process.
> >
> >CCI's contain a mechanism (such as a digital signing key) that prevents
> a
> >customer or other party from inserting cryptography into an encryption
> item.
> >After a technical review of the binding mechanism, these products will
> be
> >eligible for export under a license exception. If destined to a
> commercial
> >enduser, the additional signing can take place under a license exception
> >after a technical review. If destined to a foreign government or
> military
> >entity, the additional signing requires a license.
> >
> >We intend to discuss this issue with industry as we consult on the
> >implementation of this regulation.
>
So, has MS-CAPI changed from a CCI to an OCI, now that
people can replace the _NSAKEY with their own, and use
any strength crypto components they wish?
Peter Trei
[EMAIL PROTECTED]
Disclaimer: I am not speaking for my employer.
