From: Brian Gladman [mailto:gladman@seven77.demon.co.uk]
Sent: 24 November 1999 12:18
To: UK Crypto List
Subject: Proposed US Relaxation of Encryption Export Controls

A leaked copy of the proposed changes to US export controls has appeared on many lists in the last 24 hours. These changes were preceded by a great publicity drive by the US administration to convince us all that there was about to be a radical change in direction in the US in respect of encryption export controls.

There may be some important relaxations but I must admit I am less than certain of this because the document is obscure in the extreme. I have quickly been through what is a truly ghastly document that seems quite deliberately intended to obscure rather than clarify the US encryption export control situation.

There are a lot of restrictions on exports to the seven 'nasty' countries but ignoring these, here are my conclusions:

(1) Publicly available source code, not owned by anyone, is no longer subject to control provided BXA are informed of its existence.

(2) But binaries derived from such software are still subject to licensing constraints.

(3) Applications that are licensed for export with key lengths of up to 56 bits (symmetric) and up to 512 bits (asymmetric) can have their key lengths increased to 64 and 1024 bits respectively provided that nothing else has changed.

(4) Complete applications containing encryption designed for retail use (i.e. finance and e-commerce applications) can be exported without restriction (except to nasty countries) provided that they are not easily modifiable for other purposes.

(5) Parts of the document appear to say that commodity encryption software can be freely exported without licenses to anyone except foreign governments but this seems inconsistent with (3) above. I find the clauses here almost impossible to interpret because the primary clauses define exclusions that are then covered by secondary clauses even though the primary clause has already excluded them. It's basically a complete mess. BXA needs to chuck this lot out, learn to write in clear English (or even American but not in this legal gobbledegook), and start again.

(6) Commercial encryption source code and general purpose toolkits for non-government end users can be exported SUBJECT to classification (and hence control) by BXA.

(7) But all products derived from these items are subject to BXA licensing no matter where they are produced (i.e. US extra territorial controls on the use of US encryption source code).

(8) All encryption components offering open interfaces and all products offering holes into which such components can be put remain subject to license controls.

I have to admit that I am confused by several items and I hope the lawyers who are used to reading this sort of stuff will comment. In particular I am not clear whether restrictions remain in place on commodity encryption products with long keys (> 64/1024). However it IS clear that constraints on encryption components remain and this is a serious continuing constraint.

The other interesting development is that item (1) appears to be a massive boost for the development of a secure Linux kernel since Microsoft proprietary OS products are still unable to offer good encryption without a license and cannot be delivered with a 'crypto shaped hole' in them. So all the problems of crypto code signing in the US remain.

In contrast it appears that the international community will be able to freely exchange publicly available source code, including encryption source code, without restriction. Binaries cannot be exported but this hardly matters since parallel independent compilation in and outside the US from common source code will be possible.

It will mean that distribution companies such as RedHat, SuSe etc. will have to have independent US and non-US distribution chains with 'Chinese Walls' if they distribute from the US but if they move elsewhere for just the compilation and binary distribution steps they can have just one distribution base that is not subject to licensing provided that all the code involved is public.

I knew that the USG had it in for Microsoft but I did not realise that they wanted to put the company out of business completely! But maybe all Microsoft has to do is publish the source of the Windows 2000 kernel and make its money from all higher level code. For security reasons Microsoft needs to do this anyway so these regulations may push security provision in exactly the right direction. Maybe we will thank the USG after all!

Of course I may have all of this wrong since the whole document is a complete mess so I would appreciate any observations that others may have on these issues.

Brian