[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NIST involvement in PKI
> I need to check with folks down the road at NSA. The last time I
>talked with them, crypto for authentication (which is what SPKI is for) is
>freely exportable and we don't even need to bring it to the attention of the
>Commerce Dept, much less State Dept (= NSA).
No, you must apply for a CJR -- Commerce Jurisdiction Ruling -- from
state/NSA.
> What I need to find out is whether NSA would applaud the export of
>source code for authentication-only applications without the crypto
>routines. I believe they would, but I don't know what kind of approval
>process there is.
Based on my experiences at/with OSF, as long as you don't distribute the
actual crypto, and as long as you write the code such that it can't easily
be turned into a general encryption engine for user-level data, you can
get export. But the NSA is very uneasy about source-code; they much
prefer hardware or executables that are less easily modified.
You might find it helpful to look at
http://www.osf.org/~rsalz/crypto-export.html
Follow-Ups: