
[FYI] BXA meets end of the year deadline

Crypto-Controls Advisory Service - a MK Technology Affiliate


--------------------------------- CUT -------------------------------

                 BXA meets end of the year deadline by publishing
                 major crypto changes

                 BXA just barely met its commitment to publishing by
                 year-end the regulation implementing the September
                 1998 announcement to decontrol 56-bit encryption
                 hardware and software. The reg appeared in the New
                 Year's Eve edition of the Federal Register.

                 Generally, exporters of 56-bit crypto products will
                 see some relief, yet, as always, certain items are
                 excepted from license exception treatment, like tool
                 kits and chips. BXA listened closely to industry
                 groups with which it consulted during the drafting
                 process and the resulting reg, while complicated,
                 makes more sense than it seemed to in initial drafts.
                 For example, BXA yielded to industry pressure to make
                 non-recoverable products formerly eligible for KMI
                 (September 22, 1998 rule) eligible for the new
                 license exception ENC. In addition, BXA won a victory
                 for industry by permitting key exchange sizes for
                 56-bit products up to 1024 bits.

                 Products using 56-bit DES or equivalent algorithms
                 will now be generally exportable to all destinations
                 except the T-7 under the new license exception ENC.
                 "Strong crypto" will be allowed for U.S. subs, banks,
                 financial institutions and insurance companies,
                 health service providers and on-line merchants under
                 ENC. The key thing here is that there are different
                 reporting requirements depending on the type of

                 Here are a few highlights of the new regs:

                      All products have to undergo a one-time review
                      to qualify for ENC. (If an item has been
                      classified or licensed by BXA then it is not
                      necessary to go in again.)

                      The reg makes it clear that distributors and
                      resellers can take advantage of product reviews
                      undertaken by the manufacturers and use ENC
                      without having to go in themselves.

                      Except for exports to U.S. subs, tool kits,
                      encryption chips/ICs and executable or linkable
                      modules DO NOT qualify for ENC.

                      Source code can be exported to U.S. subs under
                      ENC for "internal company proprietary use."

                      Any product previously reviewed, whether as part
                      of a 40-bit Mass Market review, a KMI review or
                      an ELA, can be exported under ENC to any
                      destination except the T-7 with increased key
                      lengths up to and including 56 bits. However,
                      the company must certify by March 31, 1999 that
                      the only change to the crypto is the increased
                      key length. Those who do not make that deadline
                      will have to submit a classification request.

                      There are NO reporting requirements for exports
                      to:
                        - U.S. subs (any key length)
                        - any end-user of "financial specific"
                          software (any key length)
                        - banks and financial institutions (any key
                          length). However, for those countries
                          outside Supplement 3, an ELA is required.

                      There ARE reporting requirements for exports to:
                        - 56-bit products destined for all military
                          and government end-users for non-mass market
                          products
                        - Health and medical end-users (any key
                          length)
                        - "On-line" merchants (any key length)
                        - Distributors, resellers or other entities
                          who are not manufacturers can use an ELA
                          obtained by the manufacturer to ship product
                          to destinations/end users in approved
                          countries

                 Unless Congress passes legislation mandating changes
                 to the U.S. crypto export rules in the next
                 Congressional session, this is the last we should see
                 in the way of major changes to the regs until this
                 time next year, at the earliest.

                 Crypto-Controls Advisory Services is already helping
                 encryption producers and consumers take advantage of
                 the new international markets afforded them under the
                 new rules. Please contact Felice Laird or Scott
                 Gearity to begin moving your crypto overseas.

                 Looser U.S. Rules Won't Cool Crypto Debate in 1999
                 The Industry Standard

                 U.S. Issues Relaxed Export Limits on Encryption
                 San Jose Mercury News

                 U.S. Relaxes Encryption Restrictions
                 CNN Interactive

                 sgearity@ibek.com | (c) 1998 Crypto-Controls Advisory
                 Services

--------------------------------- CUT -------------------------------