[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Export control of SHA

I have checked with my colleague at the Security Division and the
Bureau of Export Administration (BXA) regarding SHA code
distribution. The answer is: SHA can be exported with some
NIST can not distribute SHA implementation via WWW at this time
(see later note regarding FTP release). However, NIST has obtained
a license from the Commerce Department which permits NIST to
distribute SHA and DSS to the majority of the world with a few
exceptions. People's Republic of China and the former Soviet Block
can import SHA as long as it's intended for civil end-user
applications rather than for military purpose. The following
countries are prohibited from importing SHA: Cuba, Iran, Iraq,
Libya, North Korea, Serbia, Syria, and Sudan. Please note that this
list of embargo countries changes over time.

Companies or individuals who plan to use the SHA implementation
inside their product(s) need not obtain a separate export license
for reexporting SHA as long as the same guideline on the original
license is followed. For information or clarification on this
issue, please call BXA at (202) 482-4811.

To obtain the SHA implementation from NIST, please send email to
Eduardo Chen at eduardo.chen@nist.gov. Eduardo can also be reached
at (301) 975-3367. Other than requesting the SHA implementation,
please refrain from making other requests such as technical
consultations from Eduardo (He works for a different division).

NIST FIPS publications can be downloaded from the URL:

NIST also has a plan to make SHA and DSS implementations available
over a NIST export-controlled FTP site. The plan is being evaluated
by the upper management and legal council. I'll keep you posted as
soon as it is approved.