[cvsnt] CVSNT- Request for U.S. Export Information
Glen Starrett
grstarrett at cox.net
Wed May 14 17:34:34 BST 2003
I Am Not A Lawyer, not an expert in matters of export regulations, and I do
not represent the CVSNT development team. However, I've researched the
export regulations regarding CVSNT and this is what I've found (since I too
need to comply with these regulations). If you are a US citizen or work for
a US company and want to export CVSNT, read the regulations yourself to be
certain. Better yet, have your lawyer read it.
>From what I've read, CVSNT has an ECCN of 5D002 and qualifies for a license
exemption TSU. This means that even though it has strong encryption, there
is no export license required according to the EAR.
Here are the characteristics of CVSNT that I have found that affect it's
status under the U.S. Export Administration Regulations (EAR):
--It is publicly available as source and object code
--It contains strong encryption (MIT's Kerberos, SSH via PuTTY, and the UNIX
crypt function)
--Each of those strong encryption products are also publicly available in
source and object form.
Here's the path of regulations to follow so maybe you won't need to take so
much time to unravel it (their FAQ is riddled with references to these
sections, so it is actually easier IMHO to go straight to the regulations):
Definition of 5D002, in the Commerce Control List Category 5 Part 2:
http://w3.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf
Defined 5D002 as being software with strong encryption. CVSNT, according to
it's author, has several strong encryption products in it: SSH (via PuTTY),
MIT Kerberos, and UNIX crypt. All the source code is available with the
application.
EAR Section 734 (refer to section 734.3(b)(3)):
http://w3.access.gpo.gov/bis/ear/pdf/734.pdf
Section 734 lists what is subject to the EAR, (b) is exceptions to that
list, and (3) lists publicly available software & technology except software
covered by 5D002.
Per 734.7, Open source code and it's associated object code that are both
publicly available are still subject to EAR if they are controlled by 5D002.
EAR Section 740 (refer to section 740.13(e)):
http://w3.access.gpo.gov/bis/ear/pdf/740.pdf
Says that software that is publicly available according to 734.3(b)(3) is
eligible for export license exemption TSU.
Note that there are still restrictions and reporting requirements that the
US company must adhere to when exporting CVSNT, consult the regulations on
the BXA website for more information. Specifically, look at the link below
and sections 740.13(e)(3) - (6).
http://www.bxa.doc.gov/encryption/PubAvailEncSourceCodeNofify.html
Encryption Policy Q&A:
http://www.bxa.doc.gov/Encryption/Q&A18oct.htm
Regards,
Glen Starrett
More information about the cvsnt
mailing list