Obeying UK crypto export restrictions on the Internet

Brian Gladman Brian Gladman" <brg at gladman.plus.com
Mon, 3 Sep 2001 08:44:50 +0100 

From: "Mark RISON" <mrison@hotmail.com>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Sunday, September 02, 2001 11:01 PM
Subject: Obeying UK crypto export restrictions on the Internet


> I wish to release source code implementing (triple) DES on the Z80.
>
> I wrote to the Department of Trade and Industry, Export Control
> Organisation, using their rating enquiry service.  About a month and a
> couple of time-wasting questions later, they've replied as follows:
>
> <<
> It appears to us that the Triple DES Cryptographic Source Code for
> Z80, intended for free download over the Internet, does not require an
> export licence, unless you find the end-use of your intended export
> described within the enclosed Notice to Exporters on Current Strategic
> Export Control Legislation.  In particular, you are referred to the
> sections relating to the End Use Control and to Trade Sanctions.
> >>
>
> What does this mean?  I think I'm OK on the End Use Control (in that
> I'm reasonably confident that the source code won't be used in
> connection with the chem/bio/nuc weapons they seem to be obsessed
> with), but how am I supposed to ensure that the source code doesn't
> get downloaded from countries with Trade Sanctions?
>
>
> Is saying "you may not download this if you're in Iraq, Angola, or
> Yugoslavia" enough?  If not, how am I supposed to implement "free
> download over the Internet"?  I see that OpenSSL has a UK mirror --
> how did they arrange to jump through all the legal hoops?
>
> [I assume that in this forum there is no need for me to state my
> opinions regarding restrictions on source code for an algorithm which
> is freely available on the same Internet...]
>
> Mark

IANAL but if its any help, you might wish to note that I have a lot of
cryptographic source code on my site at:

  http://www.gladman.uk.net

I have made no effort to restrict its acessibility because it is impractical
to do this without seriously restricting its availability for legitimate
use.

I informed UK government authorities of the existence of this site and the
code it makes available in 1998 (strictly an older site with the same sort
of content) . Some of the cryptographic code has been continuously available
since that date.

I might also add that some of it has been downloaded by UK government
organisations. Also my AES code is being used in a number of US government
sponsored projects.

I believe that Ross also has crypto code on his web pages.

  Brian