[lug] New encryption export rules, and my US mirror of gnupg source rpm
Neal McBurnett
nealmcb at lucent.com
Fri Jan 14 23:57:07 MST 2000
Well folks, it is now ok for people in the US to publish the *source
code* for open cryptography on the Internet, if you notify
crypt at bxa.doc.gov first!
So I did! Check out
http://bcn.boulder.co.us/~neal/crypto/gnupg/
This is GNU Privacy Guard, the highly-regarded patent-free
general-purpose encryption program evolved from PGP as specified by
the IETF's "openpgp" Proposed Standard, RFC2440.
Below are some news stories and full details on the new regulations.
Yes, there are other problems with the regulations (as EFF points out
at http://www.eff.org/11300_crypto_release.html, there are still
unconstitutional restrictions, especially for executable programs,
etc.), but let's take advantage of what we can! Note that
exporting compiled, ready-to-run software is easier than it used to
be, but not as easy as source code.
I see no indication of whether they realize that implementations in
scripting languages have an even nicer advantage here. I think the
advantage they give to open source implementations over binary-only
ones will help the open source movement, at least a little.
Go Linux! Go Mozilla!
Neal McBurnett <neal at bcn.boulder.co.us>
http://bcn.boulder.co.us/~neal/ (with PGP key)
News:
http://www.newsalert.com/bin/story?StoryId=Coh1B0b8ZtJeZmZiXnZy4
The "source law":
http://www.bxa.doc.gov/Encryption/Default.htm
Some excerpts pertinent to source code:
http://www.epic.org/crypto/export_controls/regs_1_00.html
3. Also in 740.13, to, in part, take into account the "open source"
approach to software development, unrestricted encryption source code
not subject to an express agreement for the payment of a licensing
fee or royalty for commercial production or sale of any product
developed using the source code can, without review, be released from
"EI" controls and exported and reexported under License Exception
TSU. Intellectual property protection (e.g., copyright, patent, or
trademark) would not, by itself, be construed as an express agreement
for the payment of a licensing fee or royalty for commercial
production or sale of any product developed using the source code. To
qualify, exporters must notify BXA of the Internet location (e.g.,
URL or Internet address) or provide a copy of the source code by the
time of export. These notifications are only required for the initial
export; there are no notification requirements for end-users
subsequently using the source code. Notification can be made by
e-mail to crypt at bxa.doc.gov.
Review and classification are not required for foreign made products
using this source code. Moreover, under 744.9, exporters of
unrestricted encryption source code are not restrained from providing
technical assistance to foreign persons working with such source
code. In addition, exporters of source code are not subject to
Internet download screening requirements under 734.2(b)(9)(iii).
Posting of the source code on the Internet (e.g., FTP or World Wide
Web site), where it may be downloaded by anyone, would not establish
"knowledge" (as that term is defined in the EAR) of a prohibited
export or reexport. Such posting would not trigger "red flags"
necessitating the affirmative duty to inquire under the "Know Your
Customer" guidance provided in Supplement No. 3 to Part
732. Otherwise, compliance with EAR requirements as to prohibited
exports and reexports still apply.
"Open Cryptographic Interface". A mechanism which is designed to allow
a customer or other party to insert cryptographic functionality
without the intervention, help or assistance of the manufacturer or
its agents, e.g., manufacturer's signing of cryptographic code or
proprietary interfaces. If the cryptographic interface implements a
fixed set of cryptographic algorithms, key lengths or key exchange
management systems, that cannot be changed, it will not be considered
an "open" cryptographic interface. All general application
programming interfaces (e.g., those that accept either a
cryptographic or non-cryptographic interface but do not themselves
maintain any cryptographic functionality) will not be considered
"open" cryptographic interfaces.
http://www.bxa.doc.gov/Encryption/qanda.htm
34. Is an open cryptographic interface the same as a
"crypto-with-a-hole" product? Yes. Any product that contains an
interface that is not fixed and that permits a third party to insert
cryptographic functionality, needs a binding mechanism to be
considered a closed interface and eligible for License Exception ENC
treatment. Exporters are encouraged to review the updated definition
for "open cryptographic interface" in part 772.
12. Does posting encryption source or object code on the Internet
constitute an export under the EAR? Yes, it can as the definition of
the export of encryption source code and object code software under
the provisions of section 734.2(b)(9) includes such action. For
publicly available source code under sections 740.13(e) and
740.17(a)(5)(i), while such source code is exempted under section
734.2(b)(9)(ii) and (iii), and is thus not subject to those
provisions (including screening procedures), the source code
nonetheless remains subject to the EAR. Please note that section
734.2(b)(9)(i) defines "export" to include the actual shipment,
transfer, or transmission out of the United States or transfer in the
United States to an embassy or affiliate of a foreign country. For
all other encryption source code and object code software, posting
constitutes an export unless the person making the software available
on the Internet takes precautions to prevent unauthorized transfers.
14. Would posting to a "newsgroup" site fall within the types of
eligible Internet posting methods for publicly available source code
eligible under Section 740.13(e), License Exception TSU? Yes. The
listing of eligible Internet postings described in License Exception
TSU, e.g., FTP and World Wide Web site, is illustrative in nature,
not exclusive.
15. Can an academic who creates an encryption source code program
make it available on the Internet, for example to students or
academic colleagues, without restriction on access? Yes, under the
revised regulations, encryption source code that would be publicly
available (and posting to the Internet itself would make it publicly
available), and which is not subject to an express agreement for the
payment of a licensing fee or royalty for the commercial production
or sale of any product developed using the source code, would be
eligible under License Exception TSU for "unrestricted" source
code. Under this policy, the software may be exported without prior
submission to the government for technical review (although
concurrent notification of the export is required). In addition,
software exported under this exception may be posted to the Internet
without restriction and would not be subject to any requirement to
screen for access. Also, such posting would not constitute knowledge
of an export to a prohibited destination under the EAR, including one
of the seven terrorist states. A license requirement would apply only
to knowing exports and reexports (i.e., direct transfer or e-mail) of
the software to prohibited end-users and destinations. In addition,
exporters are not restrained from providing technical assistance (as
described in Section 744.9) to foreign persons working with such
source code.