DES software

Rich Salz rsalz at BBN.COM
Fri May 12 04:41:24 AEST 1989


In <1075 at altos86.UUCP> gamiddleton at math.waterloo.edu (Guy Middleton) writes:
>I need to find a copy (or, preferably, a summary written in English instead
>of legalese) of the American regulations that restrict the export of DES and
>other cryptographic software.  Does anybody know where I can find this?

Let me start with a disclaimer:  I'm speaking only for myself here, most
definitely not for my employer or anyone else I refer to below, and only
as an interested layman.

You will not be able to find a non-legalese summary.  (Hubris makes me
want to add "other than this one." :-)  You will only be able to find
legalese rules and such.  Your best bet is to hunt through a law library
and one that has the US Federal Register.

There are two popular researched analyses on DES that were distributed on
Usenet.  One is by John Gilmore, the other is by DEC's Corporate Law
Office.  Lots of other opinion and "facts" have been offered, but almost
without exception they have been based on ignorance; unless you've done
research, or have the two primary sources, it's probably safe to ignore
everything you've read other than this.  (There's that hubris again.)

DES export is a complicated issue, and like all legal issues when you
get an opinion you should keep in mind the viewpoint of the person who
gives it.  John wants to spread open information as widely as possible,
DEC doesn't want to get hauled into court.  I agree with John.

From his readings of the rules and regulations, John determined that
DES is technical information, and software.  This means that it is under
the control of the Department of Commerce.  As such, once it is in the
open literature, it can be passed around the world.  In terms of Usenet
and distributing source, this might mean someone would first have to
publish their code in a journal somewhere.  The only exception to this is
if you're on a small list of banned countries, and even that might not
hold.

DEC claims that John is wrong, that DES is specifically called out as
munitions, and therefore is under the control of the Department of
Defense, specifically the Munitions Control Act.  The upshot is that
you can't give it outside of the USA.  I'm not a lawyer, but they took
John's analysis apart sentence by sentence, ending with "It is imperative
that no Digital employee act in reliance on Gilmore's analysis or his
conclusions."  They even used SCREAMING all-caps.

Since neither Department is an expert, the NSA acts as the technical
advisory expert.  Based on a couple of phone calls, chats with some
former employees, and a DES-related meeting, the NSA's position is that
DES should not leave the country.

Because of this, many Unix vendors have two versions of their software,
and it depends on whether they ship the DES cryptographic stuff or not.
I remember reading a note from one of the Unix originators, that the only
reason there were two versions of Version 7 was more administrative than
legal.  Perhaps if someone back then was able to fight the red tape we'd
be spared all this mess today, perhaps not.  I've heard Amdahl got the
right permissions to export DES, but I don't know for sure; it was only
"planned" at the time I read that note, they may have backed down.

DES export has been discussed, at times, in sci.crypt, and in the Kerberos
and Internet Engineering Task Force mailing lists.

Switching from reporter to interpreter, let me say that I think the
situation is changing, and that the stupid US rules -- applicable or
not -- may be lifted soon.  Note that soon is measured on a bureaucratic
time scale, which is similar to geologic time.  The technical community,
in particular the Internet, has a good channel into the Department of
Defense, and the right word seems to be reaching the right people.  There
is a need for DES to be used globally, and there has been world-wide
publication (in comp.sources.unix/unix-sources) of a package written in
Finland, posted from Australia.

I no longer have John's analysis at all (it was mostly private email, that
he later posted), and I do have the DEC analysis.  I don't like to
distribute it since it has the look of a DEC internal thing (even though
it was forwarded, second-hand, to sci.crypt), and especially since I don't
have John's work.  It is, however, interesting reading, and if someone is
going to take up the fight (as opposed to just idle curiosity), let me
know.

If you want to play lawyer, here are some places to start:
	Department of State
	You want sections 120-126, at least, of the International
	Traffic in Arms Regulation 22 C.F.R. Subch. M (I don't
	know what that last part means.)

	Office of Munitions Control, Department of State
	They're responsible for saying if something is "munitions."

	The National Security Agency
	I've heard their DES tech expert left, and they're in
	the lurch.  It's funny the way they answer their phones.

	Department of Defense
	You want Section 38 of the Arms Export Control Act.

	Department of Commerce
	You want the Commodity Control List, and
	Export Administration Regulations, Section 370.10
	and 379.3 (General License GTDA).

I like to know what's going on, and I seem to be in touch with the several
areas where this is discussed, so if you start digging around, I'd like to
know.  Yes, that means I'm offering to be a "point man" on this.

	/rich $alz

PS:  if ANYONE has a copy of John's research, please let me know; I'll
pay you for a copy.
-- 
Please send comp.sources.unix-related mail to rsalz at uunet.uu.net.


