Opened 9 years ago

Last modified 9 years ago

#5346 new defect

Assist with the preparation of encryption export-control documentation.

Reported by: mstone Owned by: jg
Priority: blocker Milestone: Future Release
Component: distro Version:
Keywords: Cc: mstone, krstic, RobertFadel, kimquirk, jg, aferti@…
Blocked By: Blocking:
Deployments affected: Action Needed:
Verified: no


Change History (6)

comment:1 Changed 9 years ago by jg

  • Milestone changed from Never Assigned to Future Release
  • Priority changed from normal to blocker

comment:2 Changed 9 years ago by mstone

  • Owner changed from jg to mstone

The first chunk of work here is to answer the Supplement 6, 742 EAR 'Encryption Questionnaire' requested by our lawyers. That will take a couple of days of concerted effort to completely nail down, but we should have a first draft tomorrow.

comment:3 Changed 9 years ago by jg

  • Owner changed from mstone to jg

comment:4 Changed 9 years ago by gnu

All of your crypto software is open source, even the firmware, so it should fall into the TSU exception. This is straightforward and doesn't require a lot of documentation sent to the government -- at least last time I looked. I think you just have to mail the top-level website address on which the software is exported, annually, to an address at BIS that (last time I looked) was bouncing anyway. You could run a cron job that mails it daily, just to be sure. This corner of the regs is something the govt won't point out to you, but was required to settle the Bernstein lawsuit which argued successfully that requiring a prior license to publish open source crypto software violated the First Amendment as a prior restraint on scientific/engineering publication.

You do have a CPU chip that does AES in hardware, but it's got so many limitations that I think we're currently ignoring it and doing it in software. It would be amusing but unlikely if you couldn't ship any Geode-based products because they implement the US government recommended crypto standard. Ask AMD for export advice on Geode-based products.

Similarly, the WiFi chip's embedded encryption support is all following global IEEE standards like every other vendor.

comment:5 Changed 9 years ago by jg

If you don't ship software loaded onto hardware, then you are correct, and I've already registered appropriately f(via snail mail) (though I don't resend it on a cron job).

However, the regs are different when you have the software installed on hardware...

This may not be sane, but then again, not much of the government's regulation on this topic is particularly noted for sanity....

comment:6 Changed 9 years ago by dsd

This is listed under "security/updates" on the Update1 roadmap but is marked as Future Release in this bug. Which is correct?

Note: See TracTickets for help on using tickets.