At 8:25 PM 11/1/96 -0800, Greg Broiles quoted:
According to the "United States Munitions List", 22 CFR 121.1, Category XIII, "Auxiliary Military Equipment":
"Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefor" are included in the munitions list; but not if they are
"[s]pecially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions." (22 CFR 121.1, Category XIII (b)(1)(ii)),
or if they are
"[l]imited to access control, such as automatic teller machines, self-service statement printers or point of sale terminals, which protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password of PIN protection." (22 CFR 121.1, Category XIII (b)(1)(v)).
I don't think either of these exclusions would cover the reference implementation of the SET protocol. I don't think it would cover an electronic commerce application running on a personal computer/workstation either. Therefore I conclude that the ITAR is contributing to the vulnerability of our emerging electronic commerce infrastructure. ------------------------------------------------------------------------- Bill Frantz | Tired of Dole/Clinton? | Periwinkle -- Consulting (408)356-8506 | Vote 3rd party. I'm | 16345 Englewood Ave. frantz@netcom.com | Voting for Harry Browne | Los Gatos, CA 95032, USA