[Greg graciously allowed me to repost this. --gnu] Date: Sat, 05 Dec 1998 15:22:53 +1000 From: Greg Taylor <gtaylor@efa.org.au> Hi John, You wrote:

I have not found a single confirmation of the Aarons statement that the 33 Wassenaar countries have agreed to change the exemption for mass market crypto software. (The NY Times and Reuters stories both quote Ambassador Aarons.)

I think Aarons must have an advanced degree in spin doctoring, but nevertheless information about new restrictions on mass market software has also come from 3 independent well-placed sources.

From the UK crypto list: ================= Just talked to Dirk Weicke, Senior Adviser to Wassenaar Organisation. Tel:+43 1 516360)

No written details will be issued until next week, but gist is: *) No alteration to question of whether Wassenaar covers intangible exports. Up to signatory states to interpret and legislate. *) mass-market software, symmetric key length limited to 56-bits *) software generally available, but with other restrictive tests on end-user re-configurability, symmetric key length limited to 64-bits *) Assymetric key lengths (not sure how relates to above) limited to: RSA & Digital logarithm: 512 bits Elliptic curve : 112 bits ===================== And here's a view from David Jones (EFC), from the GILC list: ===================== - There is "some relaxation" for restrictions on symmetric methods using key lengths of 56 bits or less. Stronger crypto would require an export license. - There is no restriction on mass-market software using symmetric methods and a key length of 64 bits or less. Stronger mass-market crypto would require an export license. - "Public Domain Software is not restricted" [If this is really true, this is still an important loophole.] - There is not yet any clear information about the status of "intangible goods", like crypto software on a web site, or sent by email, as opposed to "tangible goods", like software on a floppy disk or CD-ROM. - The restrictions on mass-market software greater than 64 bits is "for public safety" reasons and will last for 2 years, after which it will be reviewed. ============================= Yesterday I got the Australian government interpretation from Robbie Costmeyer in Canberra. Costmeyer is the Defence bureaucrat responsible for approving export licenses. I was told that Wassenaar had now agreed that the General Software Note waiver no longer applied to Category 5/2 items (i.e. crypto) on the controlled goods list. It has always been the view of Defence Signals Directorate here that it was an oversight that crypto software came under the GSN. That reason was used to justify Australia's going one step further than required under the original Wassenaar Arrangement and disallowing exemptions to the export licensing rules. A few other countries do the same (USA, New Zealand, France, Russia). Canberra thus views the latest change as the correction of an oversight. Clearly there is a difference of interpretation here regarding public domain software (compare the Canadian view above). This question needs further investigation. The Australian view is that the latest Wassenaar changes are a relaxation of the previous rules. And they're right, when compared with the previous rules applying here. Australia will now move to amend the Defence Strategic Goods List (DSGL) to allow exemptions for small key lengths as decribed above. For other countries, the effects remain to be seen. We'll just have to wait for more information to filter out. Greg