ietf-smime

Impact of US Export Regulation changes on WG documents

1999-01-03 18:49:24
PKIX and S/MIME lists:

On Thursday, December 31 the US Department of Commerce,
Bureau of Export Administration published its awaited
revised regulations on the export of Encryption Items.

My purpose in bringing this to the attention of these
lists is that many of the Work Group documents are in
last call or near completion. The appropriate authors
should consider whether the changes made by the BXA
might impact these documents.

The most significant change is that the allowable key
lengths have been increased for export grade software.
Previously, symmetric confidentiality ciphers were limited
to 40-bits and asymmetric ciphers (such as RSA) used for
key exchange were limited to 512 bits. 

The new regulations permit the following key lengths for
export:
Symmetric confidentiality algorithms RC2, RC4, RC5, DES
and CAST: 56-bits
Symmetric key exchange ciphers: 112 bits
Asymmetric key exchange ciphers: 1024 bits

This has the effect of permitting the export versions of
such products as Microsoft Internet Explorer (CryptoAPI)
and Netscape Communicator (PKCS#11) to, by default, use
56-bit DES and 1024-bit RSA.

For certificate authorities, this has the impact of permitting
browser based enrollment controls (Xenroll or KeyGen) to
default to 1024-bit RSA worldwide (except the 7 bad countries).

Between now and March 31, 1999 any manufacturer of encryption
software may upgrade their export versions to the new bit
levels by merely sending notice to the BXA. I'd like for
Microsoft and Netscape to comment as to how quickly they
expect to have crypto upgrades available for release.

The relevant BXA link for the complete text is:
http://www.bxa.doc.gov/Encryption/1231ERC.htm or
http://www.bxa.doc.gov/PDF/1231ERC.pdf

The relevant text covering mass-market software is quoted in
the postscript.

-Bill Brice, CEO
 AlphaTrust Corp.

Postscript:
    (iv) Mass-market encryption software that has already been 
classified after a technical review and that has been released from EI 
controls under the provisions of this paragraph (b)(1) will be 
permitted for export and reexport under license exception TSU with 
increases of 56-bits for the confidentiality algorithm, the same or 
double the key length authorized for the confidentiality algorithm for
symmetric algorithms for key exchange mechanisms and with key spaces of 512, 768
or up to and including 1024 bits for asymmetric algorithms for key 
exchange without an additional technical review, provided that there is 
no other change in the cryptographic functionality. Exporters must 
notify BXA in writing of the increase in the key length for the 
confidentiality algorithm, the asymmetric or symmetric key exchange 
algorithms, and include the original authorization number issued by BXA 
and the information identified in paragraphs (a)(2)(iii) through (v) of 
Supplement No. 6 to part 742 of the EAR (if this information was 
submitted previously, then only identify the modifications). BXA must 
receive such notification by March 31, 1999.
    (A) The notification should be sent to:
Office of Strategic Trade and Foreign Policy Controls, Bureau of 
Export Administration, Department of Commerce, 14th Street and 
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn: 
Encryption Upgrade
    (B) A copy of the certification should be sent to:
Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis 
Junction, MD 20701-0246

End Postscript.
