[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NIST involvement in PKI

>        I need to check with folks down the road at NSA.  The last time I
>talked with them, crypto for authentication (which is what SPKI is for) is
>freely exportable and we don't even need to bring it to the attention of the
>Commerce Dept, much less State Dept (= NSA).

No, you must apply for a CJR -- Commerce Jurisdiction Ruling -- from

>        What I need to find out is whether NSA would applaud the export of
>source code for authentication-only applications without the crypto
>routines.  I believe they would, but I don't know what kind of approval
>process there is.

Based on my experiences at/with OSF, as long as you don't distribute the
actual crypto, and as long as you write the code such that it can't easily
be turned into a general encryption engine for user-level data, you can
get export.  But the NSA is very uneasy about source-code; they much
prefer hardware or executables that are less easily modified.

You might find it helpful to look at