Steve Krause <[EMAIL PROTECTED]> queried the List:
>Looking for updated info on the current Cryptology laws in effect in France.
>I need to know what level of encryption I can run in/out of France. I'm
>getting conflicting info.....
<snip>
>>From what I can gather 40bit Max is still in effect until a 128bit policy is
>signed sometime in 2001.....
I don't believe that is accurate. As I understand it, the supply
and use of symmetric crypto with keys up to 128-bits in length now requires
only a (prior) declaration of use to French authorities. No prior
permission or license is required, as of March, 1999.
You might find Security Portal's brief interpretation of the
French Government's 3/17/99 decree on crypto authorization informative and
useful. See:
<http://www.securityportal.com/research/cryptopolicies/france.html>
I understood that the French effectively approved 128-bit key
crypto in January, 1999, when Prime Minister Jospin used his regulatory
authority to increase the key-length of symmetric crypto which was to be
henceforth routinely approved/licensed for private and commercial use and
promised the statutory changes that followed in March. See:
<http://www2.epic.org/reports/crypto2000/countries.html#Heading39>
The more fundamental March 17, 1999, decree by the French
government (Decree 99-199) is available in English
at: http://jya.com/fr-decrees.htm
IANAL -- and it is sensible to get professional help if real
business or money is at issue -- but the March Jospin decree seemed to
effectively remove restrictions on the sale, use, or import of crypto with
keys up to 128-bits (where the vendor or importer has previously given the
French government "notice" of the technology, and the crypto device or
software is intended for the private use of a natural, not corporate,
person.)
For corporate entities, the decree also seems to permit the sale,
use, or import of symmetric cryptosystems with key lengths up to 128-bit
without a license... but it does requires a prior notification to the
French authorities of intention to use the cryptosystem, or if the
cryptosystem has not been previously provided or explained to the French
government.
I presume that such a dramatic change in French crypto policy has
inevitably entailed a considerable amount of confusion and misinterpretation.
At least to me, for instance, it is not clear whether, or to what
extent, the Jospin liberalization of French crypto policy now permits the
sale, use, or import of strong public-key cryptosystems or other forms of
trustworthy key management technology.
The EPIC and Koops surveys, already cited, give a lot of useful
background info and references for the January 1999 announcement by Jopin
that flipped French crypto policy topsy turvy. See:
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
For those who are bilingual or adept at Babelfish, see the full
French decrees at:
Decree 99-199:
< http://www.internet.gouv.fr/francais/textesref/cryptodecret99199.htm>
Decree 99-200:
<http://www.internet.gouv.fr/francais/textesref/cryptodecret99200.htm>
Ruling:
<http://www.internet.gouv.fr/francais/textesref/cryptoarrete4.htm>
Hope this helps.
Suerte,
_Vin
The Privacy Guild
Chelsea, MA USA
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
