
Re: US relaxed export policy - When/IF and how?



Anders, my understanding is that although the new policy has been announced, 
the devil is in the details (the regulations), which should be published around
December 15th.  At that point it will be a race to see who can ship a product
the fastest.

One serious complication is the desire within certain factions of the US government 
to exclude networking products from the general relaxation.  To this end, they 
are attempting to fashion a particularly tortuous distinction between mass-market 
products and "retail" products, claiming that a retail product is one the ordinary user
can buy off the shelf at ComputersRUs, vs. other products that are sold through
distribution channels and may or may not be custom installed. (These guys never 
give up, even after a high-level executive decision has been made.)

The significant difference is that although non-retail products may be exported 
(sold or given away) to individuals, they may not be exported to foreign governments
without extensive reporting and/or key size limitations.  Why some government 
procurement officer couldn't order the product in his own name isn't explained.
In addition, especially in Europe where many institutions are at least partially 
government owned, it would presumably not be possible to sell full strength crypto
to Fiat, Airbus, Deutsche Telekom, the British Museum, or even some high 
school in Zurich.

The absurdity of deciding crypto strength based on the type of store-front the 
product was purchased through has certainly not been lost on organizations such as the
Business Software Alliance and the Alliance for Computer Privacy.  If you can 
download the product, even for free, off the Internet, that apparently doesn't
count as "retail".  In fact, even if you do sell a product through a store-front
retail operation, such as a small-business, five-user license version of something like
Novell's NetWare, if that version could be upgraded to cover more users by simply
buying additional licenses, that wouldn't be considered retail either.

Browsers will probably be exempt from this, although it certainly isn't clear why. But
servers, presumably including NT or the server version of Windows 2000, Solaris,
and even Linux, if it includes cryptography, would be more stringently controlled.

I predict you are going to see a lot of heavy political arm-twisting in the next several 
months, especially on one particular Presidential candidate who announced the policy
and needs support and contributions from places like San Jose and Redmond.

Stay tuned, in other words.

Bob



>>> Anders Rundgren <anders.rundgren@jaybis.com> 11/03/99 07:47AM >>>
Hi all crypto-nerds :-)

We who live in Europe are used to living with pretty "crummy" solutions for achieving
secure Internet-banking etc.   It is costly and inconvenient though!

Rumors say that the US government is changing the export regulations so my question is simply:

How long will we in Europe have to wait for strong cryptography in US-manufactured Browsers,
Operating systems, Certificates and Web-servers?

Regards
Anders Rundgren
Internet e-commerce Architect