We've received from anonymous a July 25 draft of an Encryption Items Interim Rule for the Export Administration Regulations which describes Commerce Control List changes in response to public comments on the December 30, 1996 interim rule. http://jya.com/bxa-ei-rule.htm (82K) The draft is in Federal Register format but, as far as we have been able to find, has not been published there. So if this doc was published we'd like to hear. Assuming the draft is legitimate, here's its summary of provisions (much expanded in the full document): [Begin summary] Based on public comments to the December 30 interim rule, this interim rule specifically makes the following changes: - In §732.2, clarifies that BXA will consider acknowledgments and assurances in electronic form provided that they are adequate to assure legal undertakings similar to written acknowledgments and assurances. - In §734.3, clarifies that downloading or causing the downloading of encryption source code and object code in Canada is not controlled and does not require a license, and clarifies that the methods used as precautions to prevent unauthorized transfer of such code outside the United States or Canada must be approved by BXA. - In §740.6, clarifies that letters of assurance may be accepted in the form of a letter or any other written communication from the importer, including communications via facsimile. - In §740.8, adds recovery encryption technology to the list of items eligible for export under License Exception KMI, after a one-time review, and adds a paragraph to authorize exporters of non-key recovery products under License Exception KMI to service and support existing customers of those products after the two-year transition period. This section is also amended by adding a paragraph to authorize exporters of non-recovery encryption products under License Exception KMI to export additional quantities of such products to existing customers under a license after the two-year transition period. - §740.8 is also amended by adding a new paragraph to authorize, after a one-time review, exports and reexports under License Exception KMI of non-key recovery financial-specific encryption items of any key length that are restricted by design (e.g., highly field-formatted with validation procedures, and not easily diverted to other end-uses) for financial applications to secure financial transactions, for end-uses such as intra or inter-banking transfers and home banking. No business and marketing plan to develop, produce, and/or market similar encryption items with recoverable features is required. Conforming changes are also made in §742.15. - In §740.9, removes the reference to Country Group D:1. This clarifies that encryption software controlled for EI reasons under ECCN 5D002 may be pre-loaded on a laptop and exported under the tools of trade provisions of License Exception TMP or License Exception BAG. - In §740.14, clarifies existing provisions of License Exception BAG and imposes a restriction on the use of BAG for exports or reexports of EI-controlled items to terrorist supporting destinations or by other than U.S. citizens and permanent residents. - §742.15 is amended adding a new paragraph that authorizes exports under an Encryption Licensing Arrangement of general purpose non-key recovery, non-voice encryption items of any key length for use by financial institutions (such as banks) in all destinations except Cuba, Iran, Iraq, Libya, North Korea, Syria and Sudan. Applications will be reviewed on a case-by-case basis, and must be supported by a satisfactory business and marketing plan which explains in detail the steps the applicant will take during the two year transition period beginning January 1, 1997 to develop, produce, and/or market similar encryption items with recoverable features. - In Supplement No. 4 to part 742, paragraph (3), revises "reasonable frequency" to "at least once every three hours" to resolve the ambiguity on how often the output must identify the key recovery agent and material/information required to decrypt the ciphertext. - In Supplement No. 4 to part 742, paragraph (6)(i), clarifies that the U.S. government must be able to obtain the key(s) or other material/information needed to decrypt all data, without restricting the means by which the key recovery products allow this. - In Supplement No. 6 to part 742, eliminates the test vector requirement for 7-day mass-market classification requests and replaces it with a requirement to provide a copy of the encryption subsystem source code. - In Supplement No. 6 to part 742, adds 40-bit DES as being eligible for consideration for mass-market eligibility, subject to the additional criteria listed in this supplement. - In §§ 748.9 and 748.10, clarifies a long-standing policy that no support documentation is required for exports of technology or software, and it removes the requirement for such support documentation for exports of technology or software to Bulgaria, Czech Republic, Hungary, Poland, Romania, or Slovakia. This rule also exempts from support documentation requirements all encryption items controlled under ECCNs 5A002, 5B002, 5D002 and 5E002. This conforms with the practice under the ITAR prior to December 30, 1996. - In §750.7, authorizes certain specified changes to Commerce and State Encryption Licensing Arrangements by letter. - In §752.3, excludes encryption items controlled for EI reasons from eligibility for a Special Comprehensive License. - In §770.2, adds a new interpretation to clarify that encryption software controlled for EI reasons under ECCN 5D002 may be pre-loaded on a laptop and exported under the tools of trade provision of License Exception TMP or the personal use exemption under License Exception BAG, subject to the terms and conditions of such License Exceptions. - In part 772, adds new definitions for "effective control", "encryption licensing arrangement", "financial institution" and "recovery encryption products". - In Supplement No. 1 to part 774, Category 5 - Telecommunications and Information Security is amended by revising ECCN 5A002 to authorize exports of components and spare parts under License Exception LVS, provided the value of each order does not exceed $500 and to clarify that equipment for the encryption of interbanking transactions is not controlled under that entry. - Revises the phrase "up to 56-bit key length DES" where it appears to read "up to or equal to 56-bit key length DES", and makes other editorial changes. [End summary]