From owner-freebsd-security Wed Jul 26 10:43:04 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id KAA01039 for security-outgoing; Wed, 26 Jul 1995 10:43:04 -0700
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [129.35.208.98]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id KAA01029 for ; Wed, 26 Jul 1995 10:43:02 -0700
Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.29.12]) by netmail.austin.ibm.com (8.6.11/8.6.11) with SMTP id MAA225689; Wed, 26 Jul 1995 12:42:21 -0500
Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for pst@stupi.se at austin.ibm.com; id AA17868; Wed, 26 Jul 1995 12:42:02 -0500
Message-Id: <9507261742.AA17868@ozymandias.austin.ibm.com>
To: "Rodney W. Grimes"
Cc: sef@kithrup.com (Sean Eric Fagan), security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject: Re: secure/ changes...
In-Reply-To: (Your message of Tue, 25 Jul 1995 22:58:54 CDT.) <199507260558.WAA24037@gndrsh.aac.dev.com>
Date: Wed, 26 Jul 1995 12:42:02 -0500
From: Scott Brickner
Sender: security-owner@freebsd.org
Precedence: bulk

"Rodney W. Grimes" writes:
>> >Various import and export paper work from UPS, Federal Express, and DLH
>> >all state that ``firearms'' and or ``munitions'' are regulated for import
>> >and export and require special paper work. Generally this reads:
>> >``We accept shipments of firearms when either the shipper or recipient
>> >is a licensed manufacturer, licensed importer, licensed dealer or licensed
>> >collector who is not prohibited from such shipments by federal, state or
>> >local regulations.''
>>
>> UPS, Federal Express, and DLH are not the federal government. In addition,
>> "firearms" are a subset of "munitions," and what all the couriers (and the
>> post office) mean by "munitions" are the hardware kind, not software of any
>> sort.
>
>No, that is why they add that final all cover sentence, they are protecting
>themselves with
>``who is not prohibited from such shipments by federal, state or
>local regulations.''
>
>I am prohibited by Federal law from exporting DES, so UPS/FedEX and all
>the others have covered their ass with the above.

You aren't even reading *this* correctly. In the last part of the
sentence, the phrase "such shipments" obviously refers to "shipments of
firearms". There's absolutely nothing in the statement you've mentioned
which references munitions in general.

You've clearly no idea what you're talking about. Point me to any single
regulation which both applies to me as a U.S. citizen, and which
prohibits me from importing DES or RSA software from a country where
possession of such is legal. I can clearly show you (with web pointers,
as I did in an earlier message) where *export* and *temporary* import
are prohibited. The very same document explicitly disavows its authority
to prohibit *permanent* import.

>> >I do not have a direct reference to the State Department munitions list,
>> >or the applicable ATF regulations, but I do assure you they exist, and
>> >they are enforced (reference, Austin Code Works was indicted in 1994 by
>> >the US State Department for shipping DES software out of the US on CDROM).

The munitions list is defined in the International Traffic in Arms
Regulations, the full text of which may be found by retrieving: .

>> It is not illegal to import DES. Or PGP. Or any other software that does
>> encryption (given the caveat above).
>
>I disagree.

You're wrong. It may be illegal to export DES or PGP from some specific
countries, but the question we're really discussing here is whether it's
appropriate to make the FreeBSD security release available on a server
in South Africa, which has no such export control. I maintain that in
eight months or so of closely following the issues related to
cryptographic prohibitions, I've never heard of any U.S.
regulation which prohibits its import.

>> It is not illegal or forbidden to ship encryption software domestically, via
>> the US Postal Service, or any of the couriers. If I understand things
>> correctly, Canada and Mexico may also be allowed, but I'm not sure.
>
>I didn't even mention domestic, I was quoting chapter and verse from the
>international shippers guide of Fed Ex. My UPS international guide has very
>similar statements in it. Canada and Mexico still go through customs,
>so though it may be allowed, it will be regulated.

The ITAR also does not cover shipments to Canada.

>> I verified all of this today with someone who's had to deal with the
>> regulations. Have you?
>
>See above. And no, but I do deal with US customs paper work on a weekly
>basis, just ask a few of my international customers. And if you want to
>make a real point, go get the ATF and State department's import/export
>stuff, and talk with _THEM_ about imports. Not some one who has done
>DES exporting, I know that can be done, it just takes paper work (on a
>per copy basis, I know all about it, been there done that, is what
>_NO_ one has done is go try to find out exactly what paper work customs
>want to allow the stuff across the border if you clearly point them
>at the fact this stuff _is_ on the munitions list). You might just be
>in for a very big surprise, or I might be all wet. But I am not willing
>to risk Grand Jury indictment on this hearsay information.

The broad consensus here seems to be that import of cryptographic
equipment is not prohibited. By all means --- prove us wrong, if you can.

In general, as I understand the process, to *export* cryptographic
equipment, one must first get a "Commodities Jurisdiction" ruling from
the Department of Justice which basically says, "this isn't a munition."
Typically, a 40 bit keyspace will get one.
Once you have the CJ, it's entirely up to the Department of Commerce as
to whether your equipment is exportable, and their regulations don't
prohibit cryptographic equipment.

Since permanent imports are not covered by DoJ's ITAR, you can skip the
CJ step for them. This means you only have to deal with DoC, which
doesn't prohibit crypto. The only question becomes whether the material
is *generally* importable. It wouldn't surprise me if the DoC
*generally* prohibits the import of goods which are prohibited from
export in the country of origin, but restrictions beyond this would be
curious.

Now, to cover my own butt, I have to add that I'm not a lawyer, nor do I
play one on TV or the net. I *can* read, though, and have read a lot on
this subject: often by people who *do* play lawyers on the net.