
Crypto paper



This paper was circulated yesterday at the DIHT.
Central point: the changed stance on "Key Recovery Agents"

http://www.bxa.doc.gov/Encryption/EncrypolicyUpdate.htm
SUMMARY OF ENCRYPTION POLICY UPDATE

1. Release up to "56 bit DES and equivalent" hardware and software

Hardware and software exports of up to "56 bits DES and equivalent" products
will be eligible for license exception treatment to all users and destinations
(except the seven State supporters of terrorism) after a one-time technical
review. No further key recovery plans or renewals of existing key recovery plans
are required. This release includes up to 56 bit DES, RC2, RC4, RC5 and CAST.
Products with asymmetric key sizes up to 1024 bits will be permitted.
Semi-annual post-facto reporting of end users for non-mass market exports to
military and government end-users will be required.

2. Relax requirements for Key Recovery products

Remove from the regulations the requirement to name and review key recovery
agents for exports of key recovery products. Require post-facto reporting of key
recovery agents and the end users of key recovery products (currently
semi-annual). Supplement 5 (Key Recovery Agent Criteria) will be removed from
regulations.

3. Sectors

Semi-annual post-facto reporting is required within each sector.

U.S. Subsidiaries: Approve exports of any encryption with any key length, with
or without key recovery, to subsidiaries of U.S. companies (defined in Commerce
regulation) world-wide (except the seven state sponsors of terrorism) under
license exception, for the protection of internal business operations. This
policy will also extend favorable treatment to "strategic partners" under
license.

Insurance Companies: Treat insurance companies like banks and securities firms
by adding them to the definition of "financial institution." The result is
license exception treatment to institutions headquartered in nations listed in
the recent amendments to the EAR relating to banks and financial institutions
(63 FR 50156).

Health/Medical: Permit the export under license exception of any encryption with
any key length, with or without key recovery, to organizations in the strictly
defined health and medical sectors (see attached definitions) located in the
nations listed in the banking regulation. Exports outside the country list found
in the banking regulation receive a policy of approval under Encryption
Licensing Arrangements (ELAs), recognizing that certain destinations may be
denied on foreign policy or other grounds. The EAR will exclude biochemical
firms, pharmaceutical firms and military agencies from eligibility for the
license exception. Exports to such end users are possible under individual
license.

On-Line Merchants: The EAR will permit license exception treatment for the
export of client-server applications (e.g., SSL) and applications tailored to
on-line transactions, with any encryption algorithm and with any key length and
with or without key recovery, to on-line merchants (see attached definitions),
located in the country list found in the banking regulation. Exports would be
limited to those that facilitate secure electronic transactions between
merchants and their customers. Exports outside the country list found in the
banking regulation receive a policy of approval under ELA, recognizing that
certain destinations may be denied on foreign policy or other grounds. Foreign
merchants (non-US owned and controlled) that sell items and services controlled
on the U.S. munitions list are excluded from this policy. For merchants having
separate business units, only those business units selling munitions items are
excluded from this policy of approval and license exception.

4. Recoverable Products

Permit exports, under Export Licensing Arrangements, of recoverable products
(see attached definitions) to foreign commercial firms for internal company
proprietary use only (i.e., not sold for individual use), that are located in the
following countries:

1. Austria, Australia, Belgium, Canada, Denmark, Finland, France, Germany,
Iceland, Ireland, Italy, Japan, Luxembourg, The Netherlands, New Zealand,
Norway, Portugal, Spain, Sweden, Switzerland, and the United Kingdom.

2. Anguilla, Antigua, Argentina, Aruba, Bahamas, Barbados, Brazil, Dominica,
Ecuador, Greece, Hungary, Kenya, Monaco, Poland, Seychelles, St. Kitts and
Nevis, St. Vincent/Grenadines, Trinidad and Tobago, Turkey and Uruguay.

In addition, for those commercial firms headquartered in countries listed in 1
above, further permit exports, under ELAs, of recoverable products to their foreign
subsidiaries for internal company proprietary use in all destinations except the
seven countries identified as State supporters of terrorism.

For both 1 and 2 above, this policy of approval excludes those commercial firms
or separate business units of commercial firms engaged in the manufacturing and
distribution of products or services controlled on the U.S. Munitions List.
Service providers are also excluded from this policy. Semi-annual post-export
reporting of end users is required. Exports to those end users and countries not
listed under this policy are possible under Validated Licenses or Export
Licensing Arrangements on a case-by-case basis.

Definitions (preliminary)

Insurance company means:

a) A company organized and regulated under the laws of any of the United States
and its branches and affiliates whose primary and predominant business activity
is the writing of insurance or the reinsuring of risk, or

b) A company organized and regulated under the laws of a foreign country and its
branches and affiliates, regulated by an insurance Commissioner or an equivalent
foreign regulatory authority and whose primary and predominant business activity
is the writing of insurance or the reinsuring of risks.

Health/Medical

Any entity, the primary purpose of which is the lawful provision of "medical or
other health services", not including biochemical and pharmaceutical
manufacturers and military or government entities.

On-line merchants

A seller of goods that uses electronic means (e.g., the Internet) to conduct
commercial transactions; defined as a person that deals in goods of the kind
involved in the transaction.

Recoverable products

1. A stored data product containing a recovery feature that, when activated,
allows recovery of the plaintext* of encrypted data without the assistance of
the end user; or

2. A product or system designed such that a network administrator or other
authorized persons who are removed from the end user can provide law enforcement
access to plaintext without the knowledge or assistance of the end user. This
includes, for example, products or systems where plaintext exists and is
accessible at intermediate points in a network or infrastructure system,
enterprise-controlled key escrow and enterprise-controlled key recovery systems,
and products which permit recovery of plaintext at the server where a system
administrator controls and/or can provide recovery of plaintext across an
enterprise, and so on.

* Plaintext means the data that is initially received by or presented to
the recoverable product before encryption takes place.
