"Hashes aren't ITAR covered" is a fact... from "Revised U.S. Encryption Export
Control Regulations, January 2000" at
http://epic.org/crypto/export_controls/regs_1_00.html
> 3. It was not the intent of the new Wassenaar language for ECCN 5A002 to be
> more restrictive concerning Message Authentication Codes (MAC). "Data
> authentication equipment that calculates a Message Authentication Code (MAC)
> or similar result to ensure no alteration of text has taken place, or to
> authenticate users, but does not allow for encryption of data, text or other
> media other than that needed for the authentication" continues to be excluded
> from control under 5A002. These commodities are controlled under ECCN 5A992.
Further, ECCN 5A992 is separated from the "high-functioning encryption" as
follows. From
http://www.governmentcontractslawblog.com/2008/11/articles/export-controls/encryption-export-restrictions-loosened-under-new-rules-that-reduce-prereview-and-reporting-requirements/
> Under the EAR, encryption items, which includes software, technology, and
> hardware incorporating encryption technology, generally fall into two
> categories:
>
> - Export Commodity Classification Number ("ECCN") 5A002/5D002, for
> certain enumerated, high-functioning encryption products and software; and
>
> - ECCN 5A992/5D992, for all other encryption items.
>
> Generally speaking, 5A992/5D992 products can be shipped without delay
> anywhere in the world (except for Cuba, Iran, North Korea, Sudan, and Syria)
> as No License Required ("NLR").
Clear (as mud)?
On Sep 3, 2013, at 12:21 PM, [email protected] wrote:
> Ok, I dug around my email archives to see what the heck to google, and
> answered my own question regarding ITAR and NIST defined Suite B implementing
> software.
>
> Here it goes....
> From http://www.nsa.gov/ia/programs/suiteb_cryptography/
> ...Says, effectively, that products that 'are configured to USE Suite B or
> technical documentation concerning the configuration of such products' are
> not subject to ITAR. The bis.doc.gov site listing requirements under ITAR for
> US Persons is, inconveniently, down for maintenance.
>
> However, digging around in my document backup archives (insomnia provided the
> time for it...hours) and email unearthed the notification addresses required
> for ALL US based open-source Suite B implementations.
> Yes, this is silly. No, they don't NORMALLY go after anyone for breaking the
> law for a NIST defined hash/digest/crypto algorithm.
>
> But if the USG decides they don't like you (political views, activism, etc),
> that silly regulation can cost you years in prison. The legal term of art is
> 'selective prosecution'.
>
> The relevant email addresses are:
> [email protected] [email protected] and [email protected]
>
> Required format and fields are:
> Subject: TSU NOTIFICATION - Encryption
> Message body:
> SUBMISSION TYPE: TSU
> SUBMITTED BY: <author or corporate contact's full legal name>
> SUBMITTED FOR: <full legal names of all authors and corporate name if
> applicable>
> POINT OF CONTACT: <full legal name of POC for compliance purposes>
> PHONE and/or FAX: <10 digit number for either>
> PRODUCT NAME/MODEL #: <product/program name and model/version>
> ECCN: <5D002 for FIPS-180 hash functions, google cache for others, BIS site
> currently down, lovely>
> <blank line>
> NOTIFICATION: <download URL(s) for source file(s)>
>
> There ya go. "Hashes aren't ITAR covered" is unfortunately 'Net Mythology.
> Silly as hell I admit. If the above helps any other US Persons put a fig leaf
> on themselves, that'd be great.
>
> Cheers,
>
> David Mercer
>
> David Mercer
> Portland, OR
> _______________________________________________
> The cryptography mailing list
> [email protected]
> http://www.metzdowd.com/mailman/listinfo/cryptography