> The way I read it, if you are using RSA for authentication, there are no
> export restrictions (except perhaps the awful 5 nations).  You do not need
> to get a license.

I concur.  The awful 5 nations aren't even embargoed, if your export
is "publicly available", which exempts you from the EAR totally
(section 732.2).  However, if you *ask* BXA about this, they may well
tell you that your export is illegal even if the regs plainly exempt
it.  (They did that to Hugh Daniel about an old DNSSEC prototype; see
http://www.toad.com/dnssec/.  Hugh has appealed this and we'll see
what the result is.)  Meanwhile, my suggestion is to:

        *  Get a good export lawyer
        *  Read the regs.  Follow the instructions in them.
        *  Export what the regs permit you to export.
        *  Don't ask BXA any questions if you can help it.  Rely on
           the well established principle of "rule of law".

I used to advise that people determine what the regs permit, then
apply to BXA to get a piece of paper confirming that determination.  I
did that with the Kerberos Bones, and initially did it with DNSSEC.
We got the paper on both.  But it turns out that such a piece of paper
is worthless; they reserve the right to change their mind at any
point, by sending you another piece of paper.  And asking them the
question gives them the opportunity to lie about the regs.  You are in
a much better legal position if you make your legal export *before*
they ever tell you it's illegal.  Just be damn sure it *is* a legal
export according to the law.

> If the RSA is being used to encrypt a symmetric key for privacy, then it is
> limited to 512 bits, the symmetric key is limited to 64 bits, and you need
> to get a license.  (Jim Gillogly says 1024 is now the limit in this
> situation.)

Jim is right -- the limit was raised to 1024 in December's regs changes,
when DES was decontrolled.  See section 742.15 at:

        http://www.access.gpo.gov/bxa/ear/ear_data.html

That URL gives the full Export Administration Regulations online, kept
fairly up to date by BXA.

Note however that they made yet another screwy process for exporting
such things.  Rather than just saying, "These are exportable", instead
they are embargoed until you go through a "compelled speech" exercise
where you send them a copy of the product for "one-time review".  If
they like the product after that review, they release you from the
draconian "EI" controls, but the product is still embargoed unless it
falls into the standard (non-encryption related) set of "License
Exceptions" (most things do).  In other words, they haven't simplified
the process in "releasing more encryption from controls", they've
complicated it.  Don't skip step #1 (get a good export lawyer).

It's amazing but true that some companies are still trying to export
40-bit/512 bit products even though they can now ship 56/1024 with 
a similar process.

        John
