Förderverein Informationstechnik und Gesellschaft

BXA meets end of the year deadline

Crypto-Controls Advisory Service - a MK Technology Affiliate schreibt:

BXA meets end of the year deadline by publishing major crypto changes

BXA just barely met its commitment to publishing by year-end the regulation implementing the September 1998 announcement to decontrol 56-bit encryption hardware and software. The reg appeared in the New Year's Eve edition of the Federal Register.

Generally, exporters of 56-bit crypto products will see some relief, yet, as always, certain items are excepted from license exception treatment, like tool kits and chips. BXA listened closely to industry groups with which it consulted during the drafting process and the resulting reg, while complicated, makes more sense then it seemed to in initial drafts. For example, BXA yielded to industry pressure to make non-recoverable products formerly eligible for KMI (September 22, 1998 rule) eligible for the new license exception ENC. In addition, BXA won a victory for industry by permitting key exchange sizes for 56-bit products up to 1024 bits.

Products using 56-bit DES or equivalent algorithms will now be generally exportable to all destinations except the T-7 under the new license exception ENC. "Strong crypto" will be allowed for U.S. subs, banks, financial institutions and insurance companies, health service providers and on-line merchants under ENC. The key thing here is that there are different reporting requirements depending on the type of end-user.

Here are a few highlights of the new regs:

All products have to undergo a one time review to qualify for ENC. (If an item has been classified or licensed by BXA then it is not necessary to go in again) The reg makes it clear that distributors and resellers can use take advantage of product reviews undertaken by the manufacturers and use ENC without having to go in themselves. Except for exports to U.S. subs, tool kits, encryption chips/ic's and executable or linkable modules DO NOT qualify for ENC. Source code can be exported to U.S. subs under ENC for "internal company proprietary use." Any product previously reviewed, whether as part of a 40-bit Mass Market review, a KMI review or an ELA, can be exported under ENC to any destination except the T-7 with increased key lengths up to and including 56 bits. However, the company must certify by March 31, 1999 that the only change to the crypto is the increased key length. Those do not make that deadline will have to submit a classification request. There are NO reporting requirements for exports to: - U.S. subs (any key length) - any end-user of "financial specific" software (any key length) - banks and financial institutions (any key length). However, for those countries outside Supplement 3, and ELA is required. There ARE reporting requirements for exports to: - 56-bit products destined for all military and government end-users for non-mass market products - Health and medical end-users (any key length) - "On-line" merchants (any key length) - Distributors, resellers or other entities who are not manufactures can use an ELA obtained by the manufacturer to ship product to destinations/end users in approved countries

Unless Congress passes legislation mandating changes to the U.S. crypto export rules in the next Congressional session, this is the last we should see in the way of major changes to the regs until this time next year, at the earliest.

Crypto-Controls Advisory Services is already helping encryption producers and consumers take advantage of the new international markets afforded them under the new rules. Please contact Felice Laird or Scott Gearity to begin moving your crypto overseas.

Click here for a copy of the new regulation in Adobe Acrobat format.

Looser U.S. Rules Won't Cool Crypto Debate in 1999 The Industry Standard

U.S. Issues Relaxed Export Limits on Encryption San Jose Mercury News

U.S. Relaxes Encryption Restrictions CNN Interactive | c 1998 Crypto-Controls Advisory Services