[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ITAR financial crypto exception?



At  8:25 PM 11/1/96 -0800, Greg Broiles quoted:
>According to the "United States Munitions List", 22 CFR 121.1, Category
>XIII, "Auxiliary Military Equipment":
>
>"Information Security Systems and equipment, cryptographic devices,
>software, and components specifically designed or modified therefor" are
>included in the munitions list; but not if they are 
>
>"[s]pecially designed, developed or modified for use in machines for
>banking or money transactions, and restricted to use only in such
>transactions. Machines for banking or money transactions include automatic
>teller machines, self-service statement printers, point of sale terminals
>or equipment for the encryption of interbanking transactions." (22 CFR
>121.1, Category XIII (b)(1)(ii)),
>
>or if they are 
>
>"[l]imited to access control, such as automatic teller machines,
>self-service statement printers or point of sale terminals, which protects
>password or personal identification numbers (PIN) or similar data to prevent
>unauthorized access to facilities but does not allow for encryption of
>files or
>text, except as directly related to the password of PIN protection." (22
>CFR 121.1, Category XIII (b)(1)(v)).

I don't think either of these exclusions would cover the reference
implementation of the SET protocol.  I don't think it would cover an
electronic commerce application running on a personal computer/workstation
either.  Therefore I conclude that the ITAR is contributing to the
vulnerability of our emerging electronic commerce infrastructure.


-------------------------------------------------------------------------
Bill Frantz       | Tired of Dole/Clinton?     | Periwinkle -- Consulting
(408)356-8506     | Vote 3rd party.  I'm       | 16345 Englewood Ave.
[email protected] | Voting for Harry Browne    | Los Gatos, CA 95032, USA