Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Jul 1995 12:42:02 -0500
From:      Scott Brickner <sjb@austin.ibm.com>
To:        "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
Cc:        sef@kithrup.com (Sean Eric Fagan), security@freebsd.org, mark@grondar.za, pst@stupi.se
Subject:   Re: secure/ changes... 
Message-ID:  <9507261742.AA17868@ozymandias.austin.ibm.com>
In-Reply-To: (Your message of Tue, 25 Jul 1995 22:58:54 CDT.) <199507260558.WAA24037@gndrsh.aac.dev.com> 

next in thread | previous in thread | raw e-mail | index | archive | help
"Rodney W. Grimes" writes:
>> >Various import and export paper work from UPS, Federal Express, and DLH
>> >all state that ``firearms'' and or ``munitions'' are regulated for import
>> >and export and require special paper work.  Generally this reads:
>> >``We accept shipments of firearms when either the shipper or recipient
>> >is a lincensed manufacturer, licensed importer, licensed dealer or licensed
>> >collector who is not prohibited from such shipments by federal, state or
>> >local regulations.''
>> 
>> UPS, Federal Express, and DLH are not the federal government.  In addition,
>> "firearms" are a subset of "munitions," and what all the couriers (and the
>> post office) mean by "munitions" are the hardware kind, not software of any
>> sort.
>
>No, that is why they add that final all cover sentence, they are protecting
>theselves with
>``who is not prohibited from such shipments by federal, state or
>local regulations.''
>
>I am prohibited by Federal law from exporting DES, so UPS/FedEX and all
>the others have covered there ass with the above.

You aren't even reading *this* correctly.  In the last part of the sentence,
the phrase "such shipments" obviously refers to "shipments of firearms".
There's absolutely nothing in the statement you've mentioned which references
munitions in general.  You've clearly no idea what you're talking about.

Point me to any single regulation which both applies to me as a U.S. citizen,
and which prohibits me from importing DES or RSA software from a country
where possession of such is legal.

I can clearly show you (with web pointers, as I did in an earlier message)
where *export* and *temporary* import are prohibited.  The very same document
explicitly disavows its authority to prohibit *permanent* import.

>> >I do not have a direct reference to the State Department munitions list,
>> >or the applicable ATF regulations, but I do assure you they exists, and
>> >they are inforced (reference, Austin Code Works was indited in 1994 by
>> >the US State Department for shipping DES software out of the US on CDROM).

The munitions list is defined in the International Traffic in Arms Regulations,
the full text of which may be found by retrieving:
<URL:ftp://ftp.cygnus.com/pub/export/itar.in.full>.

>> It is not illegal to import DES.  Or PGP.  Or any other software that does
>> encryption (given the caveat above).
>
>I disagree.

You're wrong.  It may be illegal to export DES or PGP from some specific
countries, but the question we're really discussing here is whether it's
appropriate to make the FreeBSD security release available on a server
in South Africa, which has no such export control.  I maintain that in
eight months or so of closely following the issues related to cryptographic
prohibitions, I've never heard of any U.S. regulation which prohibits its
import.

>> It is not illegal or forbidden to ship encryption software domesticly, via
>> the US Postal Service, or any of the couriers.  If I understand things
>> correctly, Canada and Mexico may also be allowed, but I'm not sure.
>
>I didn't even mention domestic, I was quoteing chapter and verse from the
>internation shippers guide of Fed Ex.  My UPS internation guide has very
>similiar statements in it.  Canada and Mexico still go through customs,
>so though it may be allowed, it will be regulated.

The ITAR also does not cover shipments to Canada.

>> I verified all of this today with someone who's had to deal with the
>> regulations.  Have you?
>
>See above.  And no, but I do deal with US customs paper work on a weekly
>basis, just ask a few of my international customers.  And if you want to
>make a real point, go get the AFT and State department's import/export
>stuff, and talk with _THEM_ about imports.  Not some one who has done
>DES exporting, I know that can be done, it just takes paper work (on a
>per copy basis, I know all about it, been there done that, is what 
>_NO_ one has done is go try to find out exactly what paper work customs
>want to allow the stuff accross the boarder if you clearly point them
>at the fact this stuff _is_ on the munitions list).  You might just be
>in for a very big suprize, or I might be all wet.  But I am not willing
>to risk Grand Jury indictment on this here say information.

The broad consensus here seems to be that import of cryptographic
equipment is not prohibited.  By all means --- prove us wrong, if
you can.

In general, as I understand the process, to *export* cryptographic
equipment, one must first get a "Commodities Jurisdiction" ruling
from the Department of Justice which basically says, "this isn't
a munition."  Typically, a 40 bit keyspace will get one.  Once you
have the CJ, it's entirely up to the Department of Commerce as to
whether your equipment is exportable, and their regulations don't
prohibit cryptographic equipment.

Since permanent imports are not covered by DoJ's ITAR, you can
skip the CJ step for them.  This means you only have to deal with
DoC, which doesn't prohibit crypto.  The only question becomes
whether the material is *generally* importable.  It wouldn't
surprise me if the DoC *generally* prohibits the import of goods
which are prohibited from export in the country of origin, but
restrictions beyond this would be curious.

Now, to cover my own butt, I have to add that I'm not a lawyer,
nor do I play one on TV or the net.  I *can* read, though, and
have read a lot on this subject: often by people who *do* play
lawyers on the net.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9507261742.AA17868>