From Tony_Mauro@transarc.com Wed Nov 20 22:08:16 1996 Date: Wed, 17 Jul 1996 15:35:18 -0400 (EDT) From: Tony_Mauro@transarc.com To: shadow@dementia.org Cc: Ken_Ziolkowski@transarc.com, Kathleen_Rizzuti@transarc.com Subject: answer on TR-20916 Dear Derrick: Transarc's licensing coordinator, Ken Ziolkowski, asked me to write to you about TR-20916, to share what he learned at a recent IBM seminar on export controls in Washington DC. While at the seminar, he discussed with several IBM experts on US export regulations your proposed mechanisms for protecting the "DES-contaminated" parts of Rx. Unfortunately, they do not feel that your proposals are sufficient. I'm referring specifically to the possibilities you described in your mail of 6-21-96: 2) Create a patch and do one of: a) place it in a hidden directory on an ftp server, forcing users who wish to fetch it to telnet to the machine and log in as "getrx". (telnet to bitsy.mit.edu and log in as getpgp, for instance) The directory is moved every 30 minutes. b) have users send me email certifying that they are U.S. citizens, at which point they will be given a pointer to the hidden directory. The directory would be moved daily, like getting Kerberos from Cygnus. Possibility (b) is more secure than (a), but it still falls short in two respects: - email certification of US citizenship is not sufficient. It is not that hard to masquerade as someone other than your true identity, and even (I believe) to fake a US/Canada origination address when outside those countries. You need to get written certification, as I'll detail below. - in addition to certification of citizenship, requesters need to certify that they will not redistribute the software to anyone ineligible to receive it. Transarc could approve your third possibility c) I have contacted people at MIT to see if they would be interested in doing distribution; It may be possible to arrange with someone there to do distribution using their existing channels. on the assurance that MIT's channels would control access to DES as strictly as Transarc must do when it distributes software. The forms of redistribution that Transarc can approve are: First, you may redistribute the Rx source code that does not "contain any DES algorithms which can be used to encrypt data." In other words, you may implement the following part of your 6-21-96 mail: 1) Strip away anything which might possibly be export-controlled, and create a "clean" version, which will be advertised, and put in a public place. Presumably removing des and rxkad, plus possibly a bit more (I haven't looked yet) will be sufficient for this purpose. The US Government classifies such software as "GDTA" (I don't know what that stands for). Here are some guidelines that Ken picked up at the seminar about distributing it: When providing GTDA software over the network (whether by FTP, Web Site or other electronic means): 1. software must be provided on a 'no charge' basis. 2. the provider may not impose limitations or constraints on the use of the software; e.g. no 'license or use' provisions are applicable. The software is truly 'publicly' available. 3. generally, it should be made available on an anonymous basis; that is, you aren't collecting names and addresses. While we may be able to preserve the characteristics of GTDA if we collect names and addresses e.g. for future marketing purposes, I think it's much easier to reconcile when we don't collect the names. Second, for your own protection against prosecution, we must strongly recommend that you drop the idea of distributing the DES source version of Rx. The US Government classifies software that uses the DES algorithms to encrypt data as a ``munition'' and imposes strict penalties for non-authorized distribution. If you use mechanism (a) or (b) from above, you would be in violation of Federal law. To comply with the law, you would need to have requestors sign a written copy of something like the following, which is taken from the AFS License Agreement: The End-user hereby agrees and acknowledges that any technology and technical data obtained by the end-user, including the ___________________ software, are under the jurisdiction of the export control laws and regulations of the United States and that any direct or indirect export, re-export, license, sale or other transfer of such technology may require the prior authorization of the United States government. The end-user expressly warrants that in its activities under this Agreement it will comply with all applicable laws and regulations of the United States and its departments and agencies relating to the export of technical data. In the event of any breach of the foregoing warranty, the end-user hereby indemnifies _________________(the parties providing the technology/technical data/software) and agrees to hold such parties harmless from and against any loss, liability, cost, damage or expense that such parties incurs or suffers as a result in any way of the end-user's failure to comply with such United States laws and regulations. Obviously, you would need to protect the software against access by anyone who had not signed such a statement. The US Government's attitude toward this issue is serious enough that Transarc would be liable for prosecution if we were aware you were planning to (or actually did) go ahead and use one of your proposed mechanisms, and did not try to get you to stop. Therefore, Ken will be sending you a written confirmation basically repeating what I've said here. Ken and I would both like to apologize for any damper this puts on our plans. We recognize that you are trying to do a service to the software community, but unfortunately the export laws do not take good intentions into consideration. Further, we appreciate very much that you asked us about redistributing Rx before actually doing it. I'm sorry if you feel penalized for being honest. Please feel free to call or write me (mauro@transarc.com; 281-5852 x7376) or Ken (kenz@transarc.com; 338-4480) if you have any further questions. Tony Mauro Transarc AFS Support