Jim Canniff writes:
> Does anyone know what the current law is regarding exporting products with
> SSL? We're building an application that will be deployed in Taiwan and in
> other non-US sites. I've read various things ranging from: can't export SSL
> at all to can only use 40 bit (56 if register certificate) encryption in
> those products.
>
> Any resources for current laws would be appreciated. Thanks.
>
Probably the best place to start is with the web site at the
Bureau of Export Administration (BXA) at http://www.bxa.doc.gov/
There are FAQs on export in general and exporting crypto in
particular. There are also pointers to the actual law.
>From the sound of your question, I'm guessing this is a commercial
venture. If so, don't just read the material yourself, get your
corporate lawyer involved. Like as not, he'll involve a lawyer who
specializes in export law. I've spent time on and off for the last
year getting a number of commercial products I'm involved with
exportable. I can assure you it is complicated and often defies
logic. Recent changes in the law have simplified things a lot, but
only in certain scenarios. Requirements can range from just sending
mail to the BXA announcing what you are doing (e.g. open-source
cryptography) to full scale code audits by the NSA.
Sure, it's a pain, but it beats the potential consequences of messing
up. Besides, you should no more trust yourself to figure out the law,
then you'd trust your lawyer writing code ;->
Drew
--
Drew Sudell [EMAIL PROTECTED] http://www.op.net/~asudell
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
