PKIX and S/MIME lists:
On Thursday, December 31 the US Department of Commerce,
Bureau of Export Administration published its awaited
revised regulations on the export of Encryption Items.
My purpose in bringing this to the attention of these
lists is that many of the Work Group documents are in
last call or near completion. The appropriate authors
should consider whether the changes made by the BXA
might impact these documents.
The most significant change is that the allowable key
lengths have been increased for export grade software.
Previously, symmetric confidentiality ciphers were limited
to 40 bits and asymmetric ciphers (such as RSA) used for
key exchange were limited to 512 bits.
The new regulations permit the following key lengths for
export:
Symmetric confidentiality algorithms RC2, RC4, RC5, DES
and CAST: 56 bits
Symmetric key exchange ciphers: 112 bits
Asymmetric key exchange ciphers: 1024 bits
This has the effect of permitting the export versions of
such products as Microsoft Internet Explorer (CryptoAPI)
and Netscape Communicator (PKCS#11) to, by default, use
56-bit DES and 1024-bit RSA.
For certificate authorities, this has the impact of permitting
browser based enrollment controls (Xenroll or KeyGen) to
default to 1024-bit RSA worldwide (except the 7 bad countries).
Between now and March 31, 1999 any manufacturer of encryption
software may upgrade their export versions to the new bit
levels by merely sending notice to the BXA. I'd like for
Microsoft and Netscape to comment as to how quickly they
expect to have crypto upgrades available for release.
The relevant BXA link for the complete text is:
http://www.bxa.doc.gov/Encryption/1231ERC.htm or
http://www.bxa.doc.gov/PDF/1231ERC.pdf
The relevant text covering mass-market software is quoted in
the postscript.
-Bill Brice, CEO
AlphaTrust Corp.
Postscript:
(iv) Mass-market encryption software that has already been
classified after a technical review and that has been released from EI
controls under the provisions of this paragraph (b)(1) will be
permitted for export and reexport under license exception TSU with
increases of 56-bits for the confidentiality algorithm, the same or
double the key length authorized for the confidentiality algorithm for
symmetric algorithms for key exchange mechanisms and with key spaces of
512, 768
or up to and including 1024 bits for asymmetric algorithms for key
exchange without an additional technical review, provided that there is
no other change in the cryptographic functionality. Exporters must
notify BXA in writing of the increase in the key length for the
confidentiality algorithm, the asymmetric or symmetric key exchange
algorithms, and include the original authorization number issued by BXA
and the information identified in paragraphs (a)(2)(iii) through (v) of
Supplement No. 6 to part 742 of the EAR (if this information was
submitted previously, then only identify the modifications). BXA must
receive such notification by March 31, 1999.
(A) The notification should be sent to:
Office of Strategic Trade and Foreign Policy Controls, Bureau of
Export Administration, Department of Commerce, 14th Street and
Pennsylvania Ave., N.W., Room 2705, Washington, D.C. 20230, Attn:
Encryption Upgrade
(B) A copy of the certification should be sent to:
Attn: ENC Encryption Request Coordinator, P.O. Box 246, Annapolis
Junction, MD 20701-0246
End Postscript.