[2008-11-17 note: See update at bottom for new URL and submission e-mail address details.]

From rick Wed Feb 27 00:28:17 2002
Date: Wed, 27 Feb 2002 00:28:17 -0800
To: luv@luv.asn.au
Subject: Re: VPN software
User-Agent: Mutt/1.3.27i

Quoting Mike MacCana (mikem@cyber.com.au):

[FreeS/WAN:]
> Red Hat: US based, so it doesn't come with the distro.

FYI, benighted USA crypto-export laws are no longer a serious obstacle to open-source crypto.

USA's Federal Commerce Department modified on 2000-10-19 its Bureau of Export Administration's (BXA's) Encryption Items regulation to allow the basically free export of binaries based on open source[1] source code, requiring only the usual notification e-mail to BXA. This is a further modification to a liberalisation, earlier that year, of controls over open source crypto in source-code form (the "TSU" exception to export controls).

You can read about that, here:
http://www.bxa.doc.gov/Encryption/EncryptionRuleOct2K.html

Disclaimer: I am not a lawyer, let alone an expert reader of Federal tea leaves.

[1] Naturally, they don't use anyone else's definition of open source, but felt obliged to invent their own bizarre definition, encompassing software for which no fee or payment is required for object code (other than reasonable and customary fees for reproduction and distribution).

-- 
Cheers,               Remember:  The day after tomorrow is the third day
Rick Moen             of the rest of your life.
rick@linuxmafia.com

[2008-11-17 note: See update at bottom for new URL and submission e-mail address details.]

From rick Tue Mar 6 15:49:06 2001
Date: Tue, 6 Mar 2001 15:49:06 -0800
To: mr.bad@pigdog.org
Subject: [off-list] Re: [CrackMonkey] He's in!
User-Agent: Mutt/1.2.5i

[Sending you this off-list:]

> Don't ask me what TSU stands for.

Technology and Software Unrestricted.

> So, Open Source software doesn't have to go through a registration
> process like proprietary software does.

You are correct, sir. Beware, however, that BXA's definition of the term is different from anyone else's.

> HOWEVER, if you read this TSU exception page, it seems that there's a
> requirement to notify a particular email address when you make a piece
> of software available:
>
> http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html

crypt@bxa.doc.gov, and it's not exactly "when you make a piece of software unavailable", but rather when you become an "exporter" of TSU-covered code. (Be sure to sample the example notices in Matt Blaze's archive, noted below.)

I wrote the following to crackmonkey, last year, when the regulations were last revised:

Date: Sun, 17 Sep 2000 12:08:30 -0700
To: crackmonkey@crackmonkey.org
Subject: Re: [CrackMonkey] Another global networked filesystem

The January regulations were semi-clued in an interesting manner. Quoting the revision to Export Administration Regulations published in the January 14, 2000 Federal Register (Vol. 65, No. 10, page 2492):

    Also in section 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without preview, be released from "EI" [encryption items] controls and exported and re-exported under License Exception TSU. Intellectual property protection (e.g., copyright, patent, or trademark) would not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. To qualify, exporters must notify BXA [Bureau of Export Administration] of the Internet location (e.g., URL or Internet address) or provide a copy of the source code by the time of export. These notifications are only required for the initial export; there are no notification requirements for end-users subsequently using the source code. Notification can be made by e-mail to crypt@bxa.doc.gov. [...]

This is at http://www.bxa.doc.gov/Encryption/regs.htm.

Cryptographer Matt Blaze has set up a remailer alias at "exports@crypto.com". Anyone wanting to send the BXA notice under "15 CFR Part 734, as revised on January 14, 2000" is invited to use that alias, which auto-appends your text to a public archive of such posts at http://www.crypto.com/exports/, in addition to sending them to the BXA.

Just for fun, I have my own alias, "nsa@linuxmafia.com", which remails to Blaze's alias. Pro bono publico.

[2008-11-17 note: See update at bottom for new URL and submission e-mail address details.]

From rick Wed Sep 6 12:56:47 2000
Date: Wed, 6 Sep 2000 12:56:47 -0700
To: rbraun@cstone.net
Subject: RSA patent & export news
User-Agent: Mutt/1.1.5i

Dear Rolf:

You may (or may not) recall my writing earlier about the RSA patent and BetterTelnet.

(1) This may not be news to you, but RSA Data Security, Inc. has, as of today, donated its U.S. RSA patent to the public domain.

(1a) Therefore, there's no longer any point in RSAREF, anywhere.

(2) I work for VA Linux Systems, Inc. (for whom I don't speak). During some internal discussions here at VA, it emerged that some of our people and some others at Red Hat Software, Inc. have been pushing hard on the Commerce Department's Bureau of Export Administration, to get them to clarify their rules about binary format open-source code. That pushing yielded partial success on July 17:

http://www.bxa.doc.gov/Encryption/July2KProposedRegSum.html

Note the closing sentence: "Additionally, the draft clarifies that object code compiled from source code that is considered publicly available is treated the same as the source code."

Progress is slow, because getting the Feds to concede loss of authority is always. So, at present, the draft has not been approved and only open-source crypto source code may be freely exported.

Rolf, if none of this interests you, let me know, and I won't bother you. (I hope it will help you concerning BetterTelnet.)

-- 
Cheers,               "Teach a man to make fire, and he will be warm
Rick Moen             for a day. Set a man on fire, and he will be warm
rick@linuxmafia.com   for the rest of his life." -- John A. Hrastar

From rick Thu Sep 7 12:58:11 2000
Date: Thu, 7 Sep 2000 12:58:11 -0700
From: Rick Moen <rick>
To: rbraun@cstone.net
Subject: export news, again
User-Agent: Mutt/1.1.5i

I've had some odd conversations today about encryption export, here at VA Linux Systems. Not conclusive, but interesting. What follows should probably be treated as mildly confidential (though not secret).

(1) Source Forge's machines here in the USA are now carrying large amounts of strong crypto (source and binaries). It happened passively, and the company legal staff retroactively gave their blessing. (VA Linux Systems created and runs Source Forge, http://www.sourceforge.net/.)

Some months ago, the Mozilla Project interpreted the Jan. 14 Bureau of Export Administration (BXA) regulations as meaning that Mozilla crypto-enabled binaries were allowed, and advised Mozilla mirrors to e-mail the BXA agency and inform them of intent to provide these binaries. Source Forge was one of those mirrors.

Shortly thereafter, the OpenBSD Project likewise began mirroring OpenSSL and OpenSSH binary packages. These likewise ended up on Source Forge.

Allegedly, the company lawyers advised that, since we do not hide what we do, ended up carrying binaries just by carrying on normal operation without heroic measures to prevent it, and will gladly take immediate action to remove any material if officially instructed, we're covered.

Other questions, such as whether and how VA will offer open-source strong crypto for its Linux system load, remain undecided. I've been pushing for a resolution on the latter matter in particular, and will be heading a round-table discussion on it this evening, immediately after work.

-- 
Cheers,               "Teach a man to make fire, and he will be warm
Rick Moen             for a day. Set a man on fire, and he will be warm
rick@linuxmafia.com   for the rest of his life." -- John A. Hrastar

[2008-11-17 note: See update at bottom for new URL and submission e-mail address details.]

From rick Thu Nov 30 19:32:45 2000
Date: Thu, 30 Nov 2000 19:32:45 -0800
To: rbraun@cstone.net
Subject: New BXA crypto regulation (good news)
User-Agent: Mutt/1.2.5i

Hello, Rolf. You may remember me as a fellow working for VA Linux (for whom I'm not speaking), who maintains a list of all known SSH software at http://linuxmafia.com/pub/linux/security/ssh-clients, and who offered you some unsolicited information about Commerce Department matters.

Well, there is news.

http://www.bxa.doc.gov/Encryption/EncryptionRuleOct2K.html
or
http://www.bxa.doc.gov/Encryption/pdfs/EncryptionRuleOct2K.pdf

has the text of the Oct. 19 regulation revision, which amends Sec. 740.13 covering the TSU (Technology and Software Unrestricted) exception to EI (encryption items) export controls. The new addition says that, if a codebase's source code meets the provisions of the TSU exception -- no fee or payment required other than reasonable and customary fees for reproduction and distribution, and crypt@bxa.doc.gov has been notified about the planned public availability -- then object code compiled from that source code may be exported under the same terms.

IANAL, but I estimate as you do that your SSH-enabled BetterTelnet source code qualifies for exception BXA (given notification to the crypt e-mail address). Therefore, your binary code does likewise. Which I believe clears the last obstacle out of your way.

If you give e-mail notice to BXA, I'd urge you to do so through Matt Blaze's mechanism for same. It's explained at http://www.crypto.com/exports/.

I hope this helps, and hope my mail stands out as useful in a way that all the annoying nag-mail wanting to know when your SSH will be released isn't. ;->

-- 
Cheers,               "Reality is not optional."
Rick Moen                 -- Thomas Sowell
rick@linuxmafia.com

[2008-11-17 note: See update at bottom for new URL and submission e-mail address details.]

Date: Thu, 5 Dec 2002 12:41:10 -0800
To: secureshell@securityfocus.com
Subject: Re: 3DES key-length for data authentication
From: Rick Moen rick@linuxmafia.com

Quoting Hari-Isoft (hari@isofttechindia.com):

> I would like to know the key-length used for 3DES data encryption in
> openssh. I thought that it should be 192 (3 * 64) bits, but the sshd
> man page states 128 bit key used for 3DES.

An old set of notes I have says single DES starts out with 64-bit keys, but it's 56-bit when you account for the parity bit. Thus the raw key-length of 3DES is 56 * 3 = 168 bit. The effective length as implemented (3DES-CBC algorithm?) may be less: Maybe one of the real crypto people will comment.

> Also, I am interested in the export regulations concerning openssh in
> USA.

Quoting from a post I made elsewhere on that subject, two years ago:

---<snip>---
The January [2000] regulations were semi-clued in an interesting manner. Quoting the revision to Export Administration Regulations published in the January 14, 2000 Federal Register (Vol. 65, No. 10, page 2492):

    Also in section 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without preview, be released from "EI" [encryption items] controls and exported and re-exported under License Exception TSU. Intellectual property protection (e.g., copyright, patent, or trademark) would not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. To qualify, exporters must notify BXA [Bureau of Export Administration] of the Internet location (e.g., URL or Internet address) or provide a copy of the source code by the time of export. These notifications are only required for the initial export; there are no notification requirements for end-users subsequently using the source code. Notification can be made by e-mail to crypt@bxa.doc.gov. [...]

This is at http://www.bxa.doc.gov/Encryption/regs.htm.

Cryptographer Matt Blaze has set up a remailer alias at "exports@crypto.com". Anyone wanting to send the BXA notice under "15 CFR Part 734, as revised on January 14, 2000" is invited to use that alias, which auto-appends your text to a public archive of such posts at http://www.crypto.com/exports/, in addition to sending them to the BXA.

Just for fun, I have my own alias, "nsa@linuxmafia.com", which remails to Blaze's alias. Pro bono publico.
---<snip>---

And from a note I wrote to Rolf Braun, author of Better Telnet for MacOS (whose beta supports SSH):

---<snip>---
http://www.bxa.doc.gov/Encryption/EncryptionRuleOct2K.html
or
http://www.bxa.doc.gov/Encryption/pdfs/EncryptionRuleOct2K.pdf

has the text of the Oct. 19 regulation revision, which amends Sec. 740.13 covering the TSU (Technology and Software Unrestricted) exception to EI (encryption items) export controls. The new addition says that, if a codebase's source code meets the provisions of the TSU exception -- no fee or payment required other than reasonable and customary fees for reproduction and distribution, and crypt@bxa.doc.gov has been notified about the planned public availability -- then object code compiled from that source code may be exported under the same terms.

IANAL, but I estimate as you do that your SSH-enabled BetterTelnet source code qualifies for exception BXA (given notification to the crypt e-mail address). Therefore, your binary code does likewise. Which I believe clears the last obstacle out of your way.

If you give e-mail notice to BXA, I'd urge you to do so through Matt Blaze's mechanism for same. It's explained at http://www.crypto.com/exports/.
---<snip>---

Again, I am not a lawyer, and this message is not legal advice. Businesses contemplating export of strong cryptographic code under the TSU exception to EI export controls should consult competent legal counsel. For one thing, the regulatory category that BXA considers to apply to you may depend on matters external to the nature of your code, e.g., what sort of business you are. I can't predict what these considerations might be, but a good attorney presumably could.

-- 
Cheers,               Open-source SourceForge retakes the lead:
Rick Moen             http://gforge.org/  Thank you, Tim Perdue.
rick@linuxmafia.com

[2008-11-17 Update: The above-mentioned "bxa" (Bureau of Export Administration) Web site and associated e-mail address have vanished since I wrote the above. BXA's function appears to have been transferred to the Commerce Department's Bureau of Industry and Security, and the page about License Exception TSU is now at http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html. At this writing, they now want three copies of the notification mail, to: crypt@bis.doc.gov, enc@nsa.gov, and web_site@bis.doc.gov, with subject header "tsu notification - encryption". See the Web page for further details.]
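As an added illustration of the 3DES key-length reply above (example code, not part of Rick Moen's post or of OpenSSH): the 64-bit versus 56-bit distinction comes from DES reserving one parity bit per key byte, and whether a 3DES key really carries 168 bits of material depends on how its three sub-keys relate. Function names and the sample keys are constructed for this example.

```python
# Added example (not Rick Moen's code): what "64-bit DES keys are 56-bit once
# you account for the parity bit" means for a 3DES key. Function names and the
# sample keys are constructed for illustration.

DES_KEY_LEN = 8  # bytes per single-DES sub-key

def byte_has_odd_parity(b: int) -> bool:
    """DES reserves the low bit of every key byte as an odd-parity bit."""
    return bin(b).count("1") % 2 == 1

def set_odd_parity(key: bytes) -> bytes:
    """Rewrite each byte's low bit so the byte has odd parity; key material is kept."""
    fixed = bytearray()
    for b in key:
        top7 = b & 0xFE
        fixed.append(top7 | (0 if byte_has_odd_parity(top7) else 1))
    return bytes(fixed)

def effective_bits(subkey: bytes) -> int:
    """Pack the 56 non-parity bits of one 8-byte sub-key into an int."""
    bits = 0
    for b in subkey:
        bits = (bits << 7) | (b >> 1)  # drop the parity bit of each byte
    return bits

def analyse_3des_key(key: bytes) -> dict:
    """Report raw bits, key-material bits left after parity, keying option and
    whether every byte carries valid parity. Accepts a 16-byte (two-key, K3 = K1)
    or 24-byte (three-key) EDE key."""
    if len(key) not in (2 * DES_KEY_LEN, 3 * DES_KEY_LEN):
        raise ValueError("3DES key must be 16 or 24 bytes")
    subkeys = [key[i:i + DES_KEY_LEN] for i in range(0, len(key), DES_KEY_LEN)]
    if len(subkeys) == 2:
        subkeys.append(subkeys[0])  # two-key 3DES reuses K1 as K3
    k1, k2, k3 = (effective_bits(s) for s in subkeys)
    if k1 == k2 or k2 == k3:
        # EDE collapses: E_K1(D_K1(E_K3(x))) == E_K3(x), and likewise when K2 == K3
        material, option = 56, "degenerate: equivalent to single DES"
    elif k1 == k3:
        material, option = 112, "two-key 3DES"
    else:
        material, option = 168, "three-key 3DES"
    return {"raw_bits": 8 * len(key), "key_material_bits": material,
            "option": option, "parity_ok": all(byte_has_odd_parity(b) for b in key)}

# Constructed sample sub-keys; every byte already has odd parity.
K1 = bytes.fromhex("133457799BBCDFF1")
K2 = bytes.fromhex("0123456789ABCDEF")
K3 = bytes.fromhex("FEDCBA9876543210")
```

The raw/material split reproduces the reply's 64 versus 56 bits per sub-key arithmetic (192 raw, 168 of material for a three-key EDE key); the option field flags the two-key and degenerate layouts, where the material is below 168 bits even though the byte count is the same.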