
Re: How might new GAK be enforced?



Peter D. Junger writes:
> 
> Richard Coleman writes:
> 
> : I've always wondered why large companies just don't write some type of
> : standards document for crypto to interoperate, and then have each
> : foreign branch write (or contract out) their own version.  I don't see how
> : this violates export laws in any way.
> 
> The definition of ``software'' in the ITAR includes ``algorithms'' and
> ``logic flow'', so I suspect that the ODTC would claim that the
> standards are software that cannot be ``exported'' without a license.


I suspect that if US company A sent its Swiss subsidiary B a set
of standards and said "write this", your interpretation would be correct.
It's how I read ITAR also.

However, company A can publish standards.  Published standards
aren't covered under ITAR.  Non-US company C can read standards
and implement code to those standards.  I was going to back this up
by citing the appropriate part of the regs, but they're so vague
as to be almost useless.  However in real life this seems to
pass- i.e. Netscape's publishing of the SSL spec and Eric Young's
use of that spec to make an independent interoperable implementation.
 

-- 
Eric Murray  [email protected]  [email protected]  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF