[cvsnt] CVSNT- Request for U.S. Export Information
Glen Starrett
grstarrett at cox.net
Tue May 13 18:38:21 BST 2003
Disclaimer: I Am Not A Lawyer. I am not an export expert.
They are asking because they are required to by our (the US') export control
laws. These laws are designed to keep high-end encryption and nuclear
technology out of the hands of terrorists etc. I could have done the same
thing, but it's easier to simply point my users to the CVSNT or TortoiseCVS
(I'm hooked on that now, btw) website. However, if I wanted to redistribute
it I would need to go through this certification process that GE is doing
now. We are required to ask the originating company (or individual) first
for the ECCN. When that isn't possible||practical, our Export Compliance
Person (I call her "Carla") will ask a few questions and make a
determination.
I can tell you that for all but one of the ~6 products I asked for an ECCN
from, they had no clue what I was talking about. That tells me that there
are a lot of companies in the US likely not in compliance with our own laws.
There is more to this still (for us, internally). We not only need to
license your product to export if we intend to redistribute it internally,
but we *always* need to make sure the content of what we are sending (e.g.
our source code) is licensed / authorized. My users need to go through an
authorization process where "Carla" checks them on the denied persons list
to make sure they aren't on the bad person list, and that they are operating
in a country that is not embargoed (e.g. Cuba, Iran, Syria... is Iraq still
on the list?). Then I need to keep records on who does what for 5 years.
There's more, but I think you get the highlights.
There is more information on the BXA website, here: http://www.bxa.doc.gov/
(like how ".gov" refers to the US government Tony? :)
Now: Down to what they need. They need an ECCN. An ECCN is something that
says what this is. A toaster? A nuke lab? Chemicals? Software? Perhaps
with encryption? Ahh, that's it.
http://www.bxa.doc.gov/Licensing/do_i_needaneccn.html
I believe there is some encryption technology in CVSNT over 56 bits (or is
it 512?), which prevents it from being a near-automatic NLR (no license
required) status. The exact ECCN that CVSNT will have is determined by the
type of encryption included in the product, and if it is closed or open
(that is if the user can swap out encryption algs without changing the
application). Note that this does NOT include encryption that CVSNT uses
(e.g. that which is part of the NT OS) but rather if, for example, there is
something like SSH in the product itself. This is why you see some
applications (like Putty, for example) that have separate
no-encryption-included varieties available.
http://www.bxa.doc.gov/Encryption/Q&A18oct.htm#11
Tony--What encryption is included with CVSNT? Since you didn't develop the
encryption yourself, and the ECCN is the lowest common denominator, then the
groups that did might be able to help with the ECCN number for CVSNT.
Glen Starrett
-----Original Message-----
From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org]On Behalf
Of Tony Hoyle
Sent: Tuesday, May 13, 2003 8:51 AM
To: cvsnt at cvsnt.org
Subject: Re: [cvsnt] CVSNT- Request for U.S. Export Information
On Tue, 13 May 2003 17:48:03 +0200, "Bo Berglund" <Bo.Berglund at system3r.se>
wrote:
>Blah!
>This is Open Source software and it is unlikely that you will ever get an
>'official' statement like the one you request. There is no company behind this
>product.....
>
Also, all the world isn't the US.
There is no export license because I've never exported it from the US. Heck,
I've only been there once and that was before cvsnt was really that big a
project.
Tony